Analysis Report 4019223246.exe

Overview

General Information

Sample Name: 4019223246.exe
Analysis ID: 358326
MD5: 87e6882bcebf4823afb4303aac3628b1
SHA1: fa6df79dd667fcbb97c6ffbf947ee356512b292d
SHA256: 369d92b64ee7b40f1679b98499e6d2b3470f9d477a8c35256508ae5715516194
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 4.2.4019223246.exe.29f0ee8.6.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "FTP Info": "systems@krenterprisesindia.comparida@1971@us2.smtp.mailhostbox.com"}
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\WZXjvtGBEKK.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 4019223246.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: 4019223246.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\4019223246.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: 4019223246.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: _.pdb source: 4019223246.exe, 00000004.00000003.657876207.0000000000C2F000.00000004.00000001.sdmp

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49767 -> 208.91.198.143:587
Source: global traffic TCP traffic: 192.168.2.4:49769 -> 208.91.199.224:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View IP Address: 208.91.199.224 208.91.199.224
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49767 -> 208.91.198.143:587
Source: global traffic TCP traffic: 192.168.2.4:49769 -> 208.91.199.224:587
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_026BB0B2 recv, 4_2_026BB0B2
Source: unknown DNS traffic detected: queries for: us2.smtp.mailhostbox.com
Source: 4019223246.exe, 00000004.00000002.913196902.0000000002E21000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: 4019223246.exe, 00000004.00000002.913196902.0000000002E21000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: 4019223246.exe, 00000004.00000002.913196902.0000000002E21000.00000004.00000001.sdmp String found in binary or memory: http://qpQMsG.com
Source: 4019223246.exe, 00000001.00000002.658704693.0000000002C41000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 4019223246.exe, 00000004.00000002.913312856.0000000002ED4000.00000004.00000001.sdmp String found in binary or memory: http://wg3NmRd1lkGGL4Op.org
Source: 4019223246.exe, 00000004.00000002.913312856.0000000002ED4000.00000004.00000001.sdmp String found in binary or memory: http://wg3NmRd1lkGGL4Op.orghb
Source: 4019223246.exe, 00000001.00000002.658750521.0000000002C95000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: 4019223246.exe, 00000004.00000002.913196902.0000000002E21000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\4019223246.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_026BB9BA NtQuerySystemInformation, 4_2_026BB9BA
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_026BB9A8 NtQuerySystemInformation, 4_2_026BB9A8
Creates files inside the system directory
Source: C:\Users\user\Desktop\4019223246.exe File created: C:\Windows\assembly\Desktop.ini
Detected potential crypto function
Source: C:\Users\user\Desktop\4019223246.exe Code function: 1_2_012FCF78 1_2_012FCF78
Source: C:\Users\user\Desktop\4019223246.exe Code function: 1_2_012F9754 1_2_012F9754
Source: C:\Users\user\Desktop\4019223246.exe Code function: 1_2_012F9F80 1_2_012F9F80
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00406C50 4_2_00406C50
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00402860 4_2_00402860
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_0041A47E 4_2_0041A47E
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00408C10 4_2_00408C10
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00418C8C 4_2_00418C8C
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00401650 4_2_00401650
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00418204 4_2_00418204
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00402ED0 4_2_00402ED0
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00402B40 4_2_00402B40
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00418748 4_2_00418748
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00407350 4_2_00407350
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00402F39 4_2_00402F39
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_0040DBD1 4_2_0040DBD1
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00407BEF 4_2_00407BEF
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00419384 4_2_00419384
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_026C8F4B 4_2_026C8F4B
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\4019223246.exe Code function: String function: 0040E198 appears 42 times
Sample file is different than original file name gathered from version info
Source: 4019223246.exe, 00000001.00000002.658750521.0000000002C95000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAsyncState.dllF vs 4019223246.exe
Source: 4019223246.exe, 00000001.00000002.662251646.0000000005EF6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameObjectIDGenerator.exe< vs 4019223246.exe
Source: 4019223246.exe, 00000001.00000002.661981197.0000000005E70000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs 4019223246.exe
Source: 4019223246.exe, 00000001.00000002.662685824.0000000006720000.00000002.00000001.sdmp Binary or memory string: originalfilename vs 4019223246.exe
Source: 4019223246.exe, 00000001.00000002.662685824.0000000006720000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 4019223246.exe
Source: 4019223246.exe, 00000001.00000002.662459335.0000000006620000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs 4019223246.exe
Source: 4019223246.exe, 00000004.00000003.657876207.0000000000C2F000.00000004.00000001.sdmp Binary or memory string: OriginalFilename_.dll4 vs 4019223246.exe
Source: 4019223246.exe, 00000004.00000000.656009800.000000000054E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameObjectIDGenerator.exe< vs 4019223246.exe
Source: 4019223246.exe, 00000004.00000002.914172803.0000000003E21000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameVYolEChnIaesWIMZgVfbCHvjTeMwVa.exe4 vs 4019223246.exe
Source: 4019223246.exe, 00000004.00000002.914766360.00000000051B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 4019223246.exe
Source: 4019223246.exe Binary or memory string: OriginalFilenameObjectIDGenerator.exe< vs 4019223246.exe
Uses 32bit PE files
Source: 4019223246.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/6@2/2
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_026BA9DA AdjustTokenPrivileges, 4_2_026BA9DA
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_026BA9A3 AdjustTokenPrivileges, 4_2_026BA9A3
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00401980 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,CorBindToRuntimeEx,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,InterlockedDecrement,InterlockedDecrement,SysFreeString,VariantClear,InterlockedDecrement,SysFreeString, 4_2_00401980
Source: C:\Users\user\Desktop\4019223246.exe File created: C:\Users\user\AppData\Roaming\WZXjvtGBEKK.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3436:120:WilError_01
Source: C:\Users\user\Desktop\4019223246.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\4019223246.exe File created: C:\Users\user\AppData\Local\Temp\tmp35E.tmp
Source: 4019223246.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\4019223246.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\4019223246.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\4019223246.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\4019223246.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\4019223246.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\4019223246.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\4019223246.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\4019223246.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\4019223246.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 4019223246.exe, 00000001.00000002.658750521.0000000002C95000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: 4019223246.exe, 00000001.00000002.658750521.0000000002C95000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: C:\Users\user\Desktop\4019223246.exe File read: C:\Users\user\Desktop\4019223246.exe
Source: unknown Process created: C:\Users\user\Desktop\4019223246.exe 'C:\Users\user\Desktop\4019223246.exe'
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WZXjvtGBEKK' /XML 'C:\Users\user\AppData\Local\Temp\tmp35E.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\4019223246.exe C:\Users\user\Desktop\4019223246.exe
Source: C:\Users\user\Desktop\4019223246.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WZXjvtGBEKK' /XML 'C:\Users\user\AppData\Local\Temp\tmp35E.tmp'
Source: C:\Users\user\Desktop\4019223246.exe Process created: C:\Users\user\Desktop\4019223246.exe C:\Users\user\Desktop\4019223246.exe
Source: C:\Users\user\Desktop\4019223246.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\4019223246.exe File written: C:\Windows\assembly\Desktop.ini
Source: C:\Users\user\Desktop\4019223246.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\4019223246.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 4019223246.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\4019223246.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: 4019223246.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: _.pdb source: 4019223246.exe, 00000004.00000003.657876207.0000000000C2F000.00000004.00000001.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00401980 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,CorBindToRuntimeEx,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,InterlockedDecrement,InterlockedDecrement,SysFreeString,VariantClear,InterlockedDecrement,SysFreeString, 4_2_00401980
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\4019223246.exe Code function: 1_2_00858D0C push es; iretd 1_2_00858F8B
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_0041C40C push cs; iretd 4_2_0041C4E2
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00423149 push eax; ret 4_2_00423179
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_0041C50E push cs; iretd 4_2_0041C4E2
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_004231C8 push eax; ret 4_2_00423179
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_0040E1DD push ecx; ret 4_2_0040E1F0
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_004211B8 push ebx; retf 4_2_004211B9
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_0041C6BE push ebx; ret 4_2_0041C6BF
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00468D0C push es; iretd 4_2_00468F8B
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_026C9974 push ebp; iretd 4_2_026C9975
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_026C2C60 push edi; ret 4_2_026C2C76
Source: initial sample Static PE information: section name: .text entropy: 7.13411382713

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\4019223246.exe File created: C:\Users\user\AppData\Roaming\WZXjvtGBEKK.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WZXjvtGBEKK' /XML 'C:\Users\user\AppData\Local\Temp\tmp35E.tmp'

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\4019223246.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\4019223246.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: 00000001.00000002.658750521.0000000002C95000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.658704693.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4019223246.exe PID: 7056, type: MEMORY
Source: Yara match File source: 1.2.4019223246.exe.2c70544.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.4019223246.exe.2ca93cc.2.raw.unpack, type: UNPACKEDPE
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Users\user\Desktop\4019223246.exe Function Chain: systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,processSet,processSet,memAlloc,memAlloc,memAlloc,memAlloc,threadDelayed
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\4019223246.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\4019223246.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 4019223246.exe, 00000001.00000002.658750521.0000000002C95000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: 4019223246.exe, 00000001.00000002.658750521.0000000002C95000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\4019223246.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00401980 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,CorBindToRuntimeEx,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,InterlockedDecrement,InterlockedDecrement,SysFreeString,VariantClear,InterlockedDecrement,SysFreeString, 4_2_00401980
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\4019223246.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\4019223246.exe Window / User API: threadDelayed 619 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\4019223246.exe TID: 7060 Thread sleep time: -102727s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\4019223246.exe TID: 7096 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\4019223246.exe TID: 3524 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\4019223246.exe TID: 3524 Thread sleep count: 619 > 30 Jump to behavior
Source: C:\Users\user\Desktop\4019223246.exe TID: 3524 Thread sleep time: -18570000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\4019223246.exe TID: 3524 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\4019223246.exe TID: 3524 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\4019223246.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\4019223246.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\4019223246.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\4019223246.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\4019223246.exe Last function: Thread delayed
Source: 4019223246.exe, 00000001.00000002.658750521.0000000002C95000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 4019223246.exe, 00000004.00000002.914766360.00000000051B0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: 4019223246.exe, 00000001.00000002.658750521.0000000002C95000.00000004.00000001.sdmp Binary or memory string: vmware
Source: 4019223246.exe, 00000004.00000002.912265760.0000000000C57000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: 4019223246.exe, 00000004.00000002.914766360.00000000051B0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: 4019223246.exe, 00000004.00000002.914766360.00000000051B0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: 4019223246.exe, 00000001.00000002.658750521.0000000002C95000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: 4019223246.exe, 00000001.00000002.658750521.0000000002C95000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: 4019223246.exe, 00000004.00000002.914766360.00000000051B0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\4019223246.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_0040CDC9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0040CDC9
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00401980 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,CorBindToRuntimeEx,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,InterlockedDecrement,InterlockedDecrement,SysFreeString,VariantClear,InterlockedDecrement,SysFreeString, 4_2_00401980
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00401980 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,CorBindToRuntimeEx,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,InterlockedDecrement,InterlockedDecrement,SysFreeString,VariantClear,InterlockedDecrement,SysFreeString, 4_2_00401980
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_0040AD70 GetProcessHeap,HeapFree, 4_2_0040AD70
Enables debug privileges
Source: C:\Users\user\Desktop\4019223246.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_0040CDC9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0040CDC9
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_0040E5DC _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0040E5DC
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00416F2A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00416F2A
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_004123B1 SetUnhandledExceptionFilter, 4_2_004123B1
Source: C:\Users\user\Desktop\4019223246.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\4019223246.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\WZXjvtGBEKK' /XML 'C:\Users\user\AppData\Local\Temp\tmp35E.tmp'
Source: C:\Users\user\Desktop\4019223246.exe Process created: C:\Users\user\Desktop\4019223246.exe C:\Users\user\Desktop\4019223246.exe
Source: 4019223246.exe, 00000004.00000002.912349471.0000000001170000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: 4019223246.exe, 00000004.00000002.912349471.0000000001170000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: 4019223246.exe, 00000004.00000002.912349471.0000000001170000.00000002.00000001.sdmp Binary or memory string: Progman
Source: 4019223246.exe, 00000004.00000002.912349471.0000000001170000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\4019223246.exe Code function: GetLocaleInfoA, 4_2_004179E0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\4019223246.exe Queries volume information: C:\Users\user\Desktop\4019223246.exe VolumeInformation
Source: C:\Users\user\Desktop\4019223246.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\4019223246.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\4019223246.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\4019223246.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\4019223246.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\4019223246.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\4019223246.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_004129D5 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 4_2_004129D5
Source: C:\Users\user\Desktop\4019223246.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.913312856.0000000002ED4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.914172803.0000000003E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.914560852.0000000004FE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.913196902.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.657508762.0000000000BE4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.912388878.00000000025A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.912715120.00000000029F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4019223246.exe PID: 6104, type: MEMORY
Source: Yara match File source: 4.2.4019223246.exe.25e301e.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.3e23258.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.3e24140.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.25e2136.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.4019223246.exe.be4648.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.25e2136.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.4019223246.exe.be4648.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.4fe0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.29f0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.3e73010.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.25e301e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.3e23258.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.29f0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.29f0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.3e73010.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.3e24140.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.29f0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.4fe0000.11.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\4019223246.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\4019223246.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\4019223246.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\4019223246.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\4019223246.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\4019223246.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\4019223246.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\4019223246.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\4019223246.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\4019223246.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 00000004.00000002.913196902.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4019223246.exe PID: 6104, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.913312856.0000000002ED4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.914172803.0000000003E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.914560852.0000000004FE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.913196902.0000000002E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.657508762.0000000000BE4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.912388878.00000000025A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.912715120.00000000029F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4019223246.exe PID: 6104, type: MEMORY
Source: Yara match File source: 4.2.4019223246.exe.25e301e.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.3e23258.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.3e24140.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.25e2136.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.4019223246.exe.be4648.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.25e2136.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.4019223246.exe.be4648.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.4fe0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.29f0ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.3e73010.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.25e301e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.3e23258.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.29f0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.29f0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.3e73010.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.3e24140.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.29f0ee8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.4019223246.exe.4fe0000.11.raw.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00401980 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,CorBindToRuntimeEx,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,InterlockedDecrement,InterlockedDecrement,SysFreeString,VariantClear,InterlockedDecrement,SysFreeString, 4_2_00401980
Source: C:\Users\user\Desktop\4019223246.exe Code function: 4_2_00401EB6 _memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,CorBindToRuntimeEx,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,InterlockedDecrement,InterlockedDecrement,SysFreeString,VariantClear,InterlockedDecrement,SysFreeString, 4_2_00401EB6
Behavior Graph (ID: 358326, sample: 4019223246.exe, start date: 25/02/2021, architecture: WINDOWS, score: 100)
  Root signatures: Found malware configuration; Sigma detected: Scheduled temp file as task from temp location; Yara detected AgentTesla; 5 other signatures
  4019223246.exe (started)
    Dropped files: C:\Users\user\AppData\...\WZXjvtGBEKK.exe (PE32); C:\Users\...\WZXjvtGBEKK.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\Temp\tmp35E.tmp (XML); C:\Users\user\AppData\...\4019223246.exe.log (ASCII)
    Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
    4019223246.exe (child process, started)
      DNS/IP: us2.smtp.mailhostbox.com 208.91.198.143, 49767, 587 PUBLIC-DOMAIN-REGISTRYUS United States; 208.91.199.224, 49769, 587 PUBLIC-DOMAIN-REGISTRYUS United States
      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    schtasks.exe (started)
      conhost.exe (started)

Contacted Public IPs

IP              Domain   Country        ASN     ASN Name                  Malicious
208.91.198.143  unknown  United States  394695  PUBLIC-DOMAIN-REGISTRYUS  false
208.91.199.224  unknown  United States  394695  PUBLIC-DOMAIN-REGISTRYUS  false

Contacted Domains

Name                      IP              Active
us2.smtp.mailhostbox.com  208.91.198.143  true