Analysis Report RFQ No A'4762QHTECHNICAL DETAILS.exe

Overview

General Information

Sample Name: RFQ No A'4762QHTECHNICAL DETAILS.exe
Analysis ID: 385367
MD5: 229efbbb09801172c9d35851a3ce484e
SHA1: bfa35ba04c7cce63dc1fdf161cebfa7bd9e63cd2
SHA256: 3744807c95cb27f6e9c5ef01f2b5b32a78ceef7016fb54babe6a797977b72763

Detection

AgentTesla Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected MultiObfuscated
Yara detected Snake Keylogger
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Beds Obfuscator
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "glory@alyamamha.comuzzNhLK6smtp.alyamamha.com"}}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\QscoSjjAofYnyT.exe ReversingLabs: Detection: 20%
Multi AV Scanner detection for submitted file
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe Virustotal: Detection: 22%
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe ReversingLabs: Detection: 20%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\QscoSjjAofYnyT.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.3:49718 version: TLS 1.0
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe DNS query: name: checkip.dyndns.org
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 131.186.113.70
Source: Joe Sandbox View IP Address: 172.67.188.154
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.3:49718 version: TLS 1.0
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown DNS traffic detected: queries for: checkip.dyndns.org
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndn
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.474638080.0000000002E97000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.com
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org/HB
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.474638080.0000000002E97000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.orgD8
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479925894.000000000C1E0000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.474638080.0000000002E97000.00000004.00000001.sdmp String found in binary or memory: http://freegeoip.app
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479925894.000000000C1E0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/84.17.52.3
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.474638080.0000000002E97000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/84.17.52.3x
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/LoadCountryNameClipboard
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473634820.0000000002CE8000.00000004.00000001.sdmp, RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443

System Summary:

Detected potential crypto function
Sample file is different than original file name gathered from version info
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.478928457.0000000006020000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.472526143.0000000002C11000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMetroFramework.dll> vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479237220.000000000BA90000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.469874287.0000000000908000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamer8 vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameYE18D5SL.exe4 vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.469960912.0000000000CF6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSystem.Web.Extensions.dllT vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479602095.000000000BE70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe Binary or memory string: OriginalFilenamer8 vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Uses 32bit PE files
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: QscoSjjAofYnyT.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@4/2@3/2
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe File created: C:\Users\user\AppData\Roaming\QscoSjjAofYnyT.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6004:120:WilError_01
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe File created: C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe Virustotal: Detection: 22%
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe File read: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: unknown Process created: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe 'C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe'
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QscoSjjAofYnyT' /XML 'C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Yara detected Beds Obfuscator
Source: Yara match File source: 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.479390065.000000000BCC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584, type: MEMORY
Source: Yara match File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.raw.unpack, type: UNPACKEDPE
Binary contains a suspicious time stamp
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe Static PE information: 0x8EA81DF5 [Sat Nov 4 04:26:29 2045 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Code function: 0_2_012B5553 push edx; ret 0_2_012B5554
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Code function: 0_2_012BF65A push 0000003Ah; iretd 0_2_012BF65C
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Code function: 0_2_0BE40B68 pushad ; ret 0_2_0BE40BB5
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Code function: 0_2_0BE46B30 pushfd ; iretd 0_2_0BE46B32
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Code function: 0_2_0BE46B33 pushfd ; iretd 0_2_0BE46B3A
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Code function: 0_2_0BE40B00 pushad ; ret 0_2_0BE40BB5
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Code function: 0_2_0BE409E8 push edi; iretd 0_2_0BE40A2A
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Code function: 0_2_0BE409D7 push edi; iretd 0_2_0BE409DA
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Code function: 0_2_0BE40910 push edi; iretd 0_2_0BE40912
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Code function: 0_2_0BE40913 push edi; iretd 0_2_0BE4091A
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Code function: 0_2_0BE408F1 push edi; iretd 0_2_0BE408F2
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Code function: 0_2_0BE40841 push edi; iretd 0_2_0BE40842
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Code function: 0_2_0BE40858 push edi; iretd 0_2_0BE4085A
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Code function: 0_2_0BE4085B push edi; iretd 0_2_0BE40862
Source: initial sample Static PE information: section name: .text entropy: 7.86754540187

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe File created: C:\Users\user\AppData\Roaming\QscoSjjAofYnyT.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QscoSjjAofYnyT' /XML 'C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp'
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Yara detected Beds Obfuscator
Source: Yara match File source: 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.479390065.000000000BCC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584, type: MEMORY
Source: Yara match File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.raw.unpack, type: UNPACKEDPE
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe TID: 6136 Thread sleep time: -31500s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Thread delayed: delay time: 31500
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479602095.000000000BE70000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp Binary or memory string: vmware
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479602095.000000000BE70000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479602095.000000000BE70000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479602095.000000000BE70000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Code function: 0_2_0BE4C880 LdrInitializeThunk, 0_2_0BE4C880
Enables debug privileges
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QscoSjjAofYnyT' /XML 'C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp'
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.472024904.00000000016A0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.472024904.00000000016A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.472024904.00000000016A0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.472024904.00000000016A0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Queries volume information: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe VolumeInformation
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp, type: MEMORY
Yara detected Snake Keylogger
Source: Yara match File source: 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.479390065.000000000BCC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584, type: MEMORY
Source: Yara match File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000002.473634820.0000000002CE8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.472526143.0000000002C11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584, type: MEMORY
Source: Yara match File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.2c90320.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp, type: MEMORY
Yara detected Snake Keylogger
Source: Yara match File source: 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.479390065.000000000BCC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584, type: MEMORY
Source: Yara match File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.raw.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 385367
Sample: RFQ No A'4762QHTECHNICAL DE...
Startdate: 12/04/2021
Architecture: WINDOWS
Score: 100
Signatures (sample level): Found malware configuration; Multi AV Scanner detection for dropped file; Sigma detected: Scheduled temp file as task from temp location; 11 other signatures

Process: RFQ No A'4762QHTECHNICAL DETAILS.exe (started)
  Contacted: checkip.dyndns.org; checkip.dyndns.com 131.186.113.70 (ports 49716, 49717, 80; DYNDNSUS, United States); freegeoip.app 172.67.188.154 (ports 443, 49718; CLOUDFLARENETUS, United States)
  Dropped: C:\Users\user\AppData\...\QscoSjjAofYnyT.exe (PE32); C:\Users\user\AppData\Local\...\tmp9C1F.tmp (XML)
  Signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  Child process: schtasks.exe (started)
    Child process: conhost.exe (started)

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
131.186.113.70 checkip.dyndns.com United States 33517 DYNDNSUS false
172.67.188.154 freegeoip.app United States 13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
freegeoip.app 172.67.188.154 true
checkip.dyndns.com 131.186.113.70 true
checkip.dyndns.org unknown unknown

Contacted URLs

Name: http://checkip.dyndns.org/
Malicious: false
Antivirus Detection: 0% (Virustotal); Avira URL Cloud: safe
Reputation: unknown