Analysis Report Payment Advice Note from 02.04.2021 to 608761.exe

Overview

General Information

Sample Name: Payment Advice Note from 02.04.2021 to 608761.exe
Analysis ID: 385340
MD5: 65e28f2d01fc1d21e9d6632b85ce197c
SHA1: 80314bd15640f1fa2219d984f8dfbf57e31c2305
SHA256: 12b9e3e3878aed00a346cfbe1cbcfe58d52af8a7b27a0420ef91d3b8395ffb19
Tags: AgentTesla

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 1.2.Payment Advice Note from 02.04.2021 to 608761.exe.4455738.3.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "jackie@ascobahkk.comxXlyWel0smtp.ascobahkk.com"} (the extractor prints the SMTP fields as one undelimited string; the mailbox jackie@ascobahkk.com and the server smtp.ascobahkk.com are recognisable, and the server matches the DNS query and the port 587 connection under Networking)
Machine Learning detection for sample
Source: Payment Advice Note from 02.04.2021 to 608761.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.Payment Advice Note from 02.04.2021 to 608761.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: Payment Advice Note from 02.04.2021 to 608761.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Payment Advice Note from 02.04.2021 to 608761.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_0BDCC6D8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49737 -> 208.91.199.223:587
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49737 -> 208.91.199.223:587 (587 is the standard SMTP submission port, so read this alongside the "Uses SMTP" evidence below rather than as an unusual-port finding)
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.91.199.223 208.91.199.223
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49737 -> 208.91.199.223:587
Source: unknown DNS traffic detected: queries for: smtp.ascobahkk.com
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp, Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.483013632.0000000003085000.00000004.00000001.sdmp, Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000003.431612776.0000000000FB4000.00000004.00000001.sdmp String found in binary or memory: http://TpBEZpmhMLGhKCamPG.org
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220578954.0000000003310000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.482832070.0000000003079000.00000004.00000001.sdmp String found in binary or memory: http://smtp.ascobahkk.com
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp String found in binary or memory: http://tzGfKE.com
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.482832070.0000000003079000.00000004.00000001.sdmp String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.221029733.00000000043B3000.00000004.00000001.sdmp, Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.476337979.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe (a low-level keyboard hook installed with thread id 0, which makes it system-wide rather than limited to the sample's own windows)
Creates a DirectInput object (often for capturing keystrokes)
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220356084.00000000017CB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> (the matched string names a DirectDraw entry point, not a DirectInput one, so this signature is weak evidence on its own; keystroke capture is established by the global keyboard hook above)
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 2.2.Payment Advice Note from 02.04.2021 to 608761.exe.400000.0.unpack, <PrivateImplementationDetails>{AFD082BB-4CDF-4607-9597-398070181BBE}/26701077-E73D-4C41-8F9A-8BC4114C6284.cs Large array initialization: .cctor: array initializer size 11931
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Payment Advice Note from 02.04.2021 to 608761.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_0BDC3C50 NtQueryInformationProcess, 1_2_0BDC3C50
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_0BDC3C49 NtQueryInformationProcess, 1_2_0BDC3C49
Detected potential crypto function
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_0BDC3F18 1_2_0BDC3F18
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_0BDCBE78 1_2_0BDCBE78
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_0BDC2900 1_2_0BDC2900
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_0BDC2BC0 1_2_0BDC2BC0
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_0BDC5F17 1_2_0BDC5F17
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_0BDC3F08 1_2_0BDC3F08
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_0BDC5F28 1_2_0BDC5F28
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_0BDC9AE8 1_2_0BDC9AE8
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_0BDC9A86 1_2_0BDC9A86
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_0BDC9AB8 1_2_0BDC9AB8
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_0BDC94C0 1_2_0BDC94C0
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_0BDC28F0 1_2_0BDC28F0
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_0BDC9897 1_2_0BDC9897
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_0BDC0040 1_2_0BDC0040
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_0BDC0007 1_2_0BDC0007
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_0BDC5830 1_2_0BDC5830
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_0BDC5820 1_2_0BDC5820
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_00FC8D25 1_2_00FC8D25
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_00FC6261 1_2_00FC6261
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_00BC0448 2_2_00BC0448
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_00BCEA30 2_2_00BCEA30
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_00BC5A31 2_2_00BC5A31
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_00BC4E28 2_2_00BC4E28
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_00BCABE0 2_2_00BCABE0
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_00BC2360 2_2_00BC2360
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_00BCBCD8 2_2_00BCBCD8
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_00BC0438 2_2_00BC0438
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_00BC3F08 2_2_00BC3F08
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_011D6858 2_2_011D6858
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_011D5AF8 2_2_011D5AF8
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_011DB511 2_2_011DB511
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_011DD840 2_2_011DD840
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_011DB467 2_2_011DB467
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_011DC098 2_2_011DC098
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_011DB4AF 2_2_011DB4AF
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_011DB0E0 2_2_011DB0E0
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_011DB7BE 2_2_011DB7BE
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_011E476C 2_2_011E476C
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_011EE360 2_2_011EE360
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_011E82F0 2_2_011E82F0
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_011E39F8 2_2_011E39F8
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_011E0318 2_2_011E0318
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_011E82EB 2_2_011E82EB
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_012D46A0 2_2_012D46A0
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_012D3D50 2_2_012D3D50
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_012D4673 2_2_012D4673
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_012D4690 2_2_012D4690
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_009F9818 2_2_009F9818
Sample file is different than original file name gathered from version info
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.221029733.00000000043B3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameoKQWTCJBfBrkKhkxWyGnH.exe4 vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.221029733.00000000043B3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll" vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220356084.00000000017CB000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220613531.0000000003357000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll2 vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.219947553.000000000107B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameReturnMessage.exeL vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000000.217926360.0000000000AAB000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameReturnMessage.exeL vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480124208.0000000001270000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480048660.00000000011F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.476337979.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameoKQWTCJBfBrkKhkxWyGnH.exe4 vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480139451.0000000001280000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.477469018.0000000000EF8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe Binary or memory string: OriginalFilenameReturnMessage.exeL vs Payment Advice Note from 02.04.2021 to 608761.exe
Uses 32bit PE files
Source: Payment Advice Note from 02.04.2021 to 608761.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Payment Advice Note from 02.04.2021 to 608761.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 2.2.Payment Advice Note from 02.04.2021 to 608761.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (SymmetricAlgorithm.CreateDecryptor and ICryptoTransform.TransformFinalBlock from the .NET framework; the unpacked payload decrypts embedded data with the standard symmetric-cipher API)
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/1
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Advice Note from 02.04.2021 to 608761.exe.log
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: unknown Process created: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe 'C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe'
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process created: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe (the sample starts a second copy of itself; together with the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures this is consistent with the unpacked payload being written into the child, which is where the 2.2...400000.0.unpack image detected by Avira was dumped from)
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (Office 15.0 is Outlook 2013; this profile key holds account settings and is the registry-side counterpart of the "Tries to steal Mail credentials" signature)
Source: Payment Advice Note from 02.04.2021 to 608761.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header, which marks the file as a managed .NET executable)
Source: Payment Advice Note from 02.04.2021 to 608761.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
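
The two behaviours in this report that are easiest to hunt for on an endpoint are the self-spawn (the sample launches a second copy of itself, which the signature list pairs with suspended-mode process creation and PE injection) and the outbound SMTP session from a desktop executable to 208.91.199.223:587 under Networking. The following is an added detection example written for this page, not code from Joe Sandbox or from the sample. It runs over constructed telemetry whose field names loosely follow Sysmon process-create and network-connect events; the PIDs, the Outlook and Chrome entries and the optional create_suspended flag are assumptions (most process-creation telemetry does not expose creation flags, so the rule treats that field as a bonus signal), and the allowlists are starting points, not a tuned policy.

```python
import os

MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}                   # processes expected to speak SMTP
SELF_SPAWN_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe"}  # legitimate multi-process apps
SMTP_PORTS = {25, 465, 587}                                         # 587 = submission, as in the report

SAMPLE_PATH = r"C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe"

# Constructed telemetry (assumed field names, loosely Sysmon EID 1 / EID 3 shaped).
# PIDs, the Outlook/Chrome events, 203.0.113.10 and the create_suspended flag are
# invented for the example; the sample path and 208.91.199.223:587 come from the report.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4412, "ppid": 3020,
     "image": SAMPLE_PATH, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 4508, "ppid": 4412,
     "image": SAMPLE_PATH, "parent_image": SAMPLE_PATH, "create_suspended": True},
    {"type": "process_create", "pid": 5100, "ppid": 2200,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "network_connect", "pid": 4508, "image": SAMPLE_PATH,
     "src_ip": "192.168.2.3", "dest_ip": "208.91.199.223", "dest_port": 587},
    {"type": "network_connect", "pid": 3300,
     "image": r"C:\Program Files\Microsoft Office\root\Office15\OUTLOOK.EXE",
     "src_ip": "192.168.2.3", "dest_ip": "203.0.113.10", "dest_port": 587},
]


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows path (works on any host OS)."""
    return os.path.basename(path.replace("\\", "/")).lower()


def analyze(events):
    """Return alerts for self-spawned processes and SMTP from non-mail clients.

    Alerts are emitted in event order. A process that self-spawned earlier in
    the stream escalates any later SMTP alert for the same PID.
    """
    alerts = []
    self_spawned = set()
    for ev in events:
        if ev["type"] == "process_create":
            child, parent = basename(ev["image"]), basename(ev["parent_image"])
            if child == parent and child not in SELF_SPAWN_ALLOWLIST:
                self_spawned.add(ev["pid"])
                alerts.append({
                    "rule": "self_spawn", "pid": ev["pid"], "image": child,
                    # A suspended self-spawn is the classic process-hollowing setup.
                    "severity": "high" if ev.get("create_suspended") else "medium",
                })
        elif ev["type"] == "network_connect":
            image = basename(ev["image"])
            if ev["dest_port"] in SMTP_PORTS and image not in MAIL_CLIENTS:
                alerts.append({
                    "rule": "smtp_from_non_mail_client", "pid": ev["pid"], "image": image,
                    "dest": f"{ev['dest_ip']}:{ev['dest_port']}",
                    # Escalate when the sender is itself a self-spawned (likely injected) child.
                    "severity": "high" if ev["pid"] in self_spawned else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it prints two alerts: the suspended self-spawn of PID 4508 and the port 587 connection from that same PID, escalated to high because the two rules correlate. The Chrome self-spawn and the Outlook SMTP session produce nothing, which is the point of the allowlists; in production the SMTP rule should additionally exclude the organisation's own mail relays by destination, since the report's sample talks to an external server, not a corporate one.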

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_0BDC65E8 push esp; retf 1_2_0BDC65E9
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_0BDC656B push cs; retf 1_2_0BDC6573
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 1_2_00FC6261 push es; retf 1_2_00FC6BE3
Source: initial sample Static PE information: section name: .text entropy: 7.60186559741
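
The static PE facts this report repeats under Compliance, System Summary and here (32BIT_MACHINE and EXECUTABLE_IMAGE, the DYNAMIC_BASE/NX_COMPAT/NO_SEH/TERMINAL_SERVER_AWARE DllCharacteristics, the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry that marks a .NET assembly, and the 7.6 bits-per-byte .text entropy) are all readable from the headers without executing anything. The following is an added example written for this page, not Joe Sandbox code: a minimal PE header parser that reports those flags and per-section entropy, plus a helper that fabricates a tiny PE32 image so the example runs offline. The fabricated image is constructed for the demonstration and is not the sample from this report, and the 7.0 high-entropy threshold is an assumption (the sample's 7.60 would clear it).

```python
import math
import struct

# Flag names as the report prints them (a subset of the PE specification).
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
SECTION_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                 0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}
COM_DESCRIPTOR_INDEX = 14   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (.NET CLR header)
HIGH_ENTROPY = 7.0          # bits per byte; packed or encrypted data sits close to 8 (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the figure sandbox reports quote per section."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _names(value: int, table: dict) -> list:
    return [name for bit, name in table.items() if value & bit]


def parse_pe(blob: bytes) -> dict:
    """Parse DOS/COFF/optional headers and the section table of a PE32 or PE32+ image."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at +70 in both PE32 and PE32+; NumberOfRvaAndSizes and
    # the data directory array start at +92/+96 (PE32) or +108/+112 (PE32+).
    dll_characteristics = struct.unpack_from("<H", blob, opt + 70)[0]
    rva_count_off, dir_off = (92, 96) if magic == 0x10B else (108, 112)
    num_dirs = struct.unpack_from("<I", blob, opt + rva_count_off)[0]
    com_rva, com_size = 0, 0
    if num_dirs > COM_DESCRIPTOR_INDEX:
        com_rva, com_size = struct.unpack_from("<II", blob, opt + dir_off + COM_DESCRIPTOR_INDEX * 8)
    sections = []
    sec_off = opt + opt_size
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr, *_rest, sec_flags = struct.unpack_from(
            "<8sIIIIIIHHI", blob, sec_off + i * 40)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "flags": _names(sec_flags, SECTION_FLAGS),
                         "entropy": round(shannon_entropy(raw), 3)})
    return {
        "machine": machine, "pe32plus": magic == 0x20B,
        "characteristics": _names(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": _names(dll_characteristics, DLL_CHARACTERISTICS),
        "is_dotnet": com_rva != 0 and com_size != 0,
        "sections": sections,
        "high_entropy_code": [s["name"] for s in sections
                              if "IMAGE_SCN_CNT_CODE" in s["flags"] and s["entropy"] > HIGH_ENTROPY],
    }


def build_sample_pe(text: bytes, dll_chars: int, dotnet: bool = True) -> bytes:
    """Constructed minimal PE32 image (headers plus one .text section); not a real binary."""
    text = text.ljust(0x200, b"\0")[:0x200]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, 1 section, EXECUTABLE|32BIT
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 0, 0,
                      len(text), 0, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0,
                      0, 0x3000, 0x200, 0,
                      2, dll_chars,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = b"".join(struct.pack("<II", 0x2000, 0x48) if (i == COM_DESCRIPTOR_INDEX and dotnet)
                    else struct.pack("<II", 0, 0) for i in range(16))
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)                     # CODE | EXECUTE | READ
    headers = (dos + b"PE\0\0" + coff + opt + dirs + section).ljust(0x200, b"\0")
    return headers + text


if __name__ == "__main__":
    # Every byte value twice gives exactly 8.0 bits/byte, mimicking a packed code section.
    print(parse_pe(build_sample_pe(bytes(range(256)) * 2, 0x8540)))
```

On the fabricated image the parser reports the same four DllCharacteristics the report lists, a CLR header (is_dotnet True) and a .text section at 8.0 bits per byte that lands in high_entropy_code; feeding it a NOP-filled section instead yields 0.0 and no flag. The entropy figure is a triage hint, not proof of packing: a large embedded resource or encrypted blob, exactly what "very large array initializations" in a .NET stub suggests, pushes the whole section's entropy up even when the code around it is ordinary.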

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe File created: \payment advice note from 02.04.2021 to 608761.exe

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice Note from 02.04.2021 to 608761.exe PID: 6088, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Window / User API: threadDelayed 2031
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Window / User API: threadDelayed 7835
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe TID: 6072 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe TID: 6136 Thread sleep time: -102829s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe TID: 1528 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe TID: 4180 Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe TID: 5840 Thread sleep count: 2031 > 30
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe TID: 5840 Thread sleep count: 7835 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Thread delayed: delay time: 102829
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Thread delayed: delay time: 922337203685477
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000002.220556345.00000000032F1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000001.00000003.211851985.0000000001846000.00000004.00000001.sdmp, Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.479927391.0000000001195000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Code function: 2_2_00BC2360 LdrInitializeThunk, 2_2_00BC2360
Enables debug privileges
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Memory written: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Process created: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480370384.00000000017C0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480370384.00000000017C0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480370384.00000000017C0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Payment Advice Note from 02.04.2021 to 608761.exe, 00000002.00000002.480370384.00000000017C0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Queries volume information: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Queries volume information: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000001.00000002.221029733.00000000043B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.476337979.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice Note from 02.04.2021 to 608761.exe PID: 6088, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice Note from 02.04.2021 to 608761.exe PID: 1064, type: MEMORY
Source: Yara match File source: 1.2.Payment Advice Note from 02.04.2021 to 608761.exe.4455738.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Payment Advice Note from 02.04.2021 to 608761.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment Advice Note from 02.04.2021 to 608761.exe.4455738.3.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Payment Advice Note from 02.04.2021 to 608761.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice Note from 02.04.2021 to 608761.exe PID: 1064, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000001.00000002.221029733.00000000043B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.476337979.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.480501378.0000000002DC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice Note from 02.04.2021 to 608761.exe PID: 6088, type: MEMORY
Source: Yara match File source: Process Memory Space: Payment Advice Note from 02.04.2021 to 608761.exe PID: 1064, type: MEMORY
Source: Yara match File source: 1.2.Payment Advice Note from 02.04.2021 to 608761.exe.4455738.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Payment Advice Note from 02.04.2021 to 608761.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Payment Advice Note from 02.04.2021 to 608761.exe.4455738.3.raw.unpack, type: UNPACKEDPE

Contacted Public IPs

IP              Domain                    Country        ASN     ASN Name                  Malicious
208.91.199.223  us2.smtp.mailhostbox.com  United States  394695  PUBLIC-DOMAIN-REGISTRYUS  false

Contacted Domains

Name                      IP              Active
us2.smtp.mailhostbox.com  208.91.199.223  true
smtp.ascobahkk.com        unknown         unknown