Play interactive tour

Edit tour

Analysis Report RFQ No A'4762QHTECHNICAL DETAILS.exe

Overview

General Information

Sample Name:	RFQ No A'4762QHTECHNICAL DETAILS.exe
Analysis ID:	385367
MD5:	229efbbb09801172c9d35851a3ce484e
SHA1:	bfa35ba04c7cce63dc1fdf161cebfa7bd9e63cd2
SHA256:	3744807c95cb27f6e9c5ef01f2b5b32a78ceef7016fb54babe6a797977b72763
Infos:
Most interesting Screenshot:

Detection

AgentTesla Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected MultiObfuscated

Yara detected Snake Keylogger

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Beds Obfuscator

Binary contains a suspicious time stamp

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Startup

System is w10x64

RFQ No A'4762QHTECHNICAL DETAILS.exe (PID: 5584 cmdline: 'C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe' MD5: 229EFBBB09801172C9D35851A3CE484E)

schtasks.exe (PID: 5992 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QscoSjjAofYnyT' /XML 'C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "glory@alyamamha.comuzzNhLK6smtp.alyamamha.com"}}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.473634820.0000000002CE8000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.472526143.0000000002C11000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000000.00000002.479390065.000000000BCC0000.00000004.00000001.sdmp	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
00000000.00000002.479390065.000000000BCC0000.00000004.00000001.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584	JoeSecurity_MultiObfuscated	Yara detected MultiObfuscated	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.2c90320.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.raw.unpack	JoeSecurity_BedsObfuscator	Yara detected Beds Obfuscator	Joe Security
0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
Click to see the 4 entries

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QscoSjjAofYnyT' /XML 'C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QscoSjjAofYnyT' /XML 'C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe' , ParentImage: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe, ParentProcessId: 5584, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QscoSjjAofYnyT' /XML 'C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp', ProcessId: 5992

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "SMTP Info": {"Port": "587", "SMTP Credential": "glory@alyamamha.comuzzNhLK6smtp.alyamamha.com"}}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\QscoSjjAofYnyT.exe

ReversingLabs: Detection: 20%

Multi AV Scanner detection for submitted file

Show sources

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe	Virustotal: Detection: 22%			Perma Link
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe	ReversingLabs: Detection: 20%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\QscoSjjAofYnyT.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe

Joe Sandbox ML: detected

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown

HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.3:49718 version: TLS 1.0

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine

Show sources

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	DNS query: name: checkip.dyndns.org

Source: Joe Sandbox View	IP Address: 131.186.113.70 131.186.113.70
Source: Joe Sandbox View	IP Address: 172.67.188.154 172.67.188.154

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.3:49718 version: TLS 1.0

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

DNS traffic detected: queries for: checkip.dyndns.org

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndn
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.474638080.0000000002E97000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.org/HB
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.474638080.0000000002E97000.00000004.00000001.sdmp	String found in binary or memory: http://checkip.dyndns.orgD8
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479925894.000000000C1E0000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.474638080.0000000002E97000.00000004.00000001.sdmp	String found in binary or memory: http://freegeoip.app
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479925894.000000000C1E0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app/xml/
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app/xml/84.17.52.3
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.474638080.0000000002E97000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app/xml/84.17.52.3x
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	String found in binary or memory: https://freegeoip.app/xml/LoadCountryNameClipboard
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473634820.0000000002CE8000.00000004.00000001.sdmp, RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

System Summary:

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0087929D
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_012BC164
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_012BE5AB
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_012BE5B0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC54D8
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC6490
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC97A8
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC3F28
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC46E0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC2113
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CCEB80
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CCABA0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CCDB50
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC8581
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC8590
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC54CA
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC9CC0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC9CE0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC8C40
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC6453
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC2C30
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC8C32
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC6433
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC87A0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC87B0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC9749
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC4F68
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC4F78
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CCDED8
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC7ED8
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC46D0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC7EE8
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC3E7D
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC81D8
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC81E8
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CCB068
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CCAB91
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC6377
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC7300
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC5318
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC32EA
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC32F8
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC72F0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CCE2B0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC8A51
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_05CC8A60
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE4C880
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE4D2D0
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE4E010
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE44458
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE4D2CB
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE422A0

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.478928457.0000000006020000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.472526143.0000000002C11000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMetroFramework.dll> vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479237220.000000000BA90000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.469874287.0000000000908000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamer8 vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYE18D5SL.exe4 vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.469960912.0000000000CF6000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSystem.Web.Extensions.dllT vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479602095.000000000BE70000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs RFQ No A'4762QHTECHNICAL DETAILS.exe
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe	Binary or memory string: OriginalFilenamer8 vs RFQ No A'4762QHTECHNICAL DETAILS.exe

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: QscoSjjAofYnyT.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/2@3/2

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

File created: C:\Users\user\AppData\Roaming\QscoSjjAofYnyT.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6004:120:WilError_01

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

File created: C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp

Jump to behavior

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe	Virustotal: Detection: 22%
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe	ReversingLabs: Detection: 20%

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

File read: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe 'C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe'
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QscoSjjAofYnyT' /XML 'C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QscoSjjAofYnyT' /XML 'C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp'

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Yara detected Beds Obfuscator

Show sources

Source: Yara match	File source: 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.479390065.000000000BCC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584, type: MEMORY
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.raw.unpack, type: UNPACKEDPE

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe

Static PE information: 0x8EA81DF5 [Sat Nov 4 04:26:29 2045 UTC]

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_012B5553 push edx; ret
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_012BF65A push 0000003Ah; iretd
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE40B68 pushad ; ret
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE46B30 pushfd ; iretd
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE46B33 pushfd ; iretd
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE40B00 pushad ; ret
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE409E8 push edi; iretd
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE409D7 push edi; iretd
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE40910 push edi; iretd
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE40913 push edi; iretd
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE408F1 push edi; iretd
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE40841 push edi; iretd
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE40858 push edi; iretd
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Code function: 0_2_0BE4085B push edi; iretd

Source: initial sample	Static PE information: section name: .text entropy: 7.86754540187
Source: initial sample	Static PE information: section name: .text entropy: 7.86754540187

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

File created: C:\Users\user\AppData\Roaming\QscoSjjAofYnyT.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QscoSjjAofYnyT' /XML 'C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp'

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match

File source: Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Yara detected Beds Obfuscator

Show sources

Source: Yara match	File source: 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.479390065.000000000BCC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584, type: MEMORY
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.raw.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe TID: 6136

Thread sleep time: -31500s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Thread delayed: delay time: 31500

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479602095.000000000BE70000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479602095.000000000BE70000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479602095.000000000BE70000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.479602095.000000000BE70000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Code function: 0_2_0BE4C880 LdrInitializeThunk,

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QscoSjjAofYnyT' /XML 'C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp'

Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.472024904.00000000016A0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.472024904.00000000016A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.472024904.00000000016A0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.472024904.00000000016A0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Queries volume information: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe VolumeInformation
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match

File source: 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp, type: MEMORY

Yara detected Snake Keylogger

Show sources

Source: Yara match	File source: 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.479390065.000000000BCC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584, type: MEMORY
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to harvest and steal ftp login credentials

Show sources

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 00000000.00000002.473634820.0000000002CE8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.472526143.0000000002C11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584, type: MEMORY
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.2c90320.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match

File source: 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp, type: MEMORY

Yara detected Snake Keylogger

Show sources

Source: Yara match	File source: 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.479390065.000000000BCC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584, type: MEMORY
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.bcc0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ No A'4762QHTECHNICAL DETAILS.exe.3ec0ca0.4.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection12	Masquerading1	OS Credential Dumping2	Security Software Discovery211	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion21	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Local System2	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	System Network Configuration Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing2	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Timestomp1	DCSync	System Information Discovery13	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
RFQ No A'4762QHTECHNICAL DETAILS.exe	22%	Virustotal		Browse
RFQ No A'4762QHTECHNICAL DETAILS.exe	21%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun
RFQ No A'4762QHTECHNICAL DETAILS.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\QscoSjjAofYnyT.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\QscoSjjAofYnyT.exe	21%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
freegeoip.app	1%	Virustotal	Browse
checkip.dyndns.com	0%	Virustotal	Browse
checkip.dyndns.org	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://freegeoip.app/xml/	0%	URL Reputation	safe
https://freegeoip.app/xml/	0%	URL Reputation	safe
https://freegeoip.app/xml/	0%	URL Reputation	safe
https://freegeoip.app/xml/	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	Virustotal		Browse
http://checkip.dyndns.org/	0%	Avira URL Cloud	safe
http://checkip.dyndns.org/HB	0%	Avira URL Cloud	safe
https://freegeoip.app	0%	URL Reputation	safe
https://freegeoip.app	0%	URL Reputation	safe
https://freegeoip.app	0%	URL Reputation	safe
https://freegeoip.app	0%	URL Reputation	safe
https://freegeoip.app/xml/84.17.52.3x	0%	Avira URL Cloud	safe
http://checkip.dyndns.org	0%	Avira URL Cloud	safe
http://checkip.dyndns.com	0%	Avira URL Cloud	safe
https://freegeoip.app/xml/LoadCountryNameClipboard	0%	URL Reputation	safe
https://freegeoip.app/xml/LoadCountryNameClipboard	0%	URL Reputation	safe
https://freegeoip.app/xml/LoadCountryNameClipboard	0%	URL Reputation	safe
https://freegeoip.app/xml/84.17.52.3	0%	Avira URL Cloud	safe
http://freegeoip.app	0%	URL Reputation	safe
http://freegeoip.app	0%	URL Reputation	safe
http://freegeoip.app	0%	URL Reputation	safe
http://checkip.dyndn	0%	URL Reputation	safe
http://checkip.dyndn	0%	URL Reputation	safe
http://checkip.dyndn	0%	URL Reputation	safe
http://checkip.dyndns.orgD8	0%	URL Reputation	safe
http://checkip.dyndns.orgD8	0%	URL Reputation	safe
http://checkip.dyndns.orgD8	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
freegeoip.app	172.67.188.154	true	false	1%, Virustotal, Browse	unknown
checkip.dyndns.com	131.186.113.70	true	false	0%, Virustotal, Browse	unknown
checkip.dyndns.org	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://freegeoip.app/xml/	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://checkip.dyndns.org/HB	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://freegeoip.app	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	false		high
https://freegeoip.app/xml/84.17.52.3x	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.474638080.0000000002E97000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.org	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.dyndns.com	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.474638080.0000000002E97000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	false		high
https://freegeoip.app/xml/LoadCountryNameClipboard	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://freegeoip.app/xml/84.17.52.3	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473542067.0000000002CC9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://freegeoip.app	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.474638080.0000000002E97000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://checkip.dyndn	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://checkip.dyndns.orgD8	RFQ No A'4762QHTECHNICAL DETAILS.exe, 00000000.00000002.474638080.0000000002E97000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
131.186.113.70	checkip.dyndns.com	United States		33517	DYNDNSUS	false
172.67.188.154	freegeoip.app	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	385367
Start date:	12.04.2021
Start time:	11:36:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 46s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	RFQ No A'4762QHTECHNICAL DETAILS.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/2@3/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0%) Quality average: 43.2% Quality standard deviation: 43.3%
HCA Information:	Successful, ratio: 98% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 131.253.33.200, 13.107.22.200, 93.184.220.29, 92.122.145.220, 168.61.161.212, 13.64.90.137, 20.50.102.62, 184.30.24.56, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129, 20.82.210.154 Excluded domains from analysis (whitelisted): cs9.wac.phicdn.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:37:10	API Interceptor	1x Sleep call for process: RFQ No A'4762QHTECHNICAL DETAILS.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
131.186.113.70	Confirm Order for SK TRIMS & INDUSTRIES_DK4571,pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	JSTCG21040600210 xlxs.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	fyi.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Trojan.DownloaderNET.154.8159.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PURCHASE ORDER - XIFFA55,pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	cricket.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Artemis34DBCAD2CB5A.27289.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Yeni siparis _WJO-001, pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Yeni siparis _WJO-001, pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Payment Slip E05060_47.doc	Get hash	malicious	Browse	checkip.dyndns.org/
	Urgent RFQ_AP65425652_040621,pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PURCHASE ORDER - XIFFA55.PDF.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	AD1-2001028L.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PO XIFFA55,pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PURCHASE ORDER - E3007921.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SWIFT copy.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Inquiries.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	8090800.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	IMG_501_367_089.doc	Get hash	malicious	Browse	checkip.dyndns.org/
	CE90343555.exe	Get hash	malicious	Browse	checkip.dyndns.org/
172.67.188.154	3MndTUzGQn.exe	Get hash	malicious	Browse	freegeoip.app/json

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
freegeoip.app	Confirm Order for SK TRIMS & INDUSTRIES_DK4571,pdf.exe	Get hash	malicious	Browse	172.67.188.154
	SOA.exe	Get hash	malicious	Browse	104.21.19.200
	RFQ No A'4762GHTECHNICAL DETAILS.exe	Get hash	malicious	Browse	104.21.19.200
	JSTCG21040600210 xlxs.exe	Get hash	malicious	Browse	104.21.19.200
	PAYMENT RECEIPT.exe	Get hash	malicious	Browse	172.67.188.154
	fyi.exe	Get hash	malicious	Browse	172.67.188.154
	reconocer PO #700-20 D462021,pdf.exe	Get hash	malicious	Browse	172.67.188.154
	EJ000.exe	Get hash	malicious	Browse	172.67.188.154
	KOCjBQexoH.exe	Get hash	malicious	Browse	172.67.188.154
	36crb2VRQn.exe	Get hash	malicious	Browse	172.67.188.154
	Message Body.exe	Get hash	malicious	Browse	104.21.19.200
	RFQ 100400806 SUPPLY.exe	Get hash	malicious	Browse	172.67.188.154
	PANORAMICA,pdf.exe	Get hash	malicious	Browse	172.67.188.154
	Purchase_skyN39331,pdf.exe	Get hash	malicious	Browse	104.21.19.200
	SecuriteInfo.com.Trojan.DownloaderNET.154.8159.exe	Get hash	malicious	Browse	172.67.188.154
	PRODUCT_INQUIRY_PO_0009044_PDF.exe	Get hash	malicious	Browse	104.21.19.200
	ETL_126_072_60.doc	Get hash	malicious	Browse	104.21.19.200
	MT103_YIU LIAN08042021_Xerox Scan_202104_.exe	Get hash	malicious	Browse	172.67.188.154
	lfQuSBwdSf.exe	Get hash	malicious	Browse	172.67.188.154
	PURCHASE ORDER - XIFFA55,pdf.exe	Get hash	malicious	Browse	172.67.188.154
checkip.dyndns.com	Confirm Order for SK TRIMS & INDUSTRIES_DK4571,pdf.exe	Get hash	malicious	Browse	131.186.113.70
	SOA.exe	Get hash	malicious	Browse	131.186.161.70
	RFQ No A'4762GHTECHNICAL DETAILS.exe	Get hash	malicious	Browse	216.146.43.70
	JSTCG21040600210 xlxs.exe	Get hash	malicious	Browse	131.186.113.70
	PAYMENT RECEIPT.exe	Get hash	malicious	Browse	131.186.161.70
	fyi.exe	Get hash	malicious	Browse	131.186.113.70
	reconocer PO #700-20 D462021,pdf.exe	Get hash	malicious	Browse	162.88.193.70
	EJ000.exe	Get hash	malicious	Browse	131.186.161.70
	KOCjBQexoH.exe	Get hash	malicious	Browse	131.186.161.70
	36crb2VRQn.exe	Get hash	malicious	Browse	162.88.193.70
	Message Body.exe	Get hash	malicious	Browse	216.146.43.71
	RFQ 100400806 SUPPLY.exe	Get hash	malicious	Browse	216.146.43.71
	PANORAMICA,pdf.exe	Get hash	malicious	Browse	216.146.43.70
	Purchase_skyN39331,pdf.exe	Get hash	malicious	Browse	131.186.161.70
	SecuriteInfo.com.Trojan.DownloaderNET.154.8159.exe	Get hash	malicious	Browse	131.186.113.70
	PRODUCT_INQUIRY_PO_0009044_PDF.exe	Get hash	malicious	Browse	216.146.43.70
	ETL_126_072_60.doc	Get hash	malicious	Browse	216.146.43.70
	MT103_YIU LIAN08042021_Xerox Scan_202104_.exe	Get hash	malicious	Browse	216.146.43.71
	lfQuSBwdSf.exe	Get hash	malicious	Browse	162.88.193.70
	PURCHASE ORDER - XIFFA55,pdf.exe	Get hash	malicious	Browse	131.186.113.70

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DYNDNSUS	Confirm Order for SK TRIMS & INDUSTRIES_DK4571,pdf.exe	Get hash	malicious	Browse	131.186.113.70
	SOA.exe	Get hash	malicious	Browse	131.186.161.70
	RFQ No A'4762GHTECHNICAL DETAILS.exe	Get hash	malicious	Browse	216.146.43.70
	JSTCG21040600210 xlxs.exe	Get hash	malicious	Browse	131.186.113.70
	PAYMENT RECEIPT.exe	Get hash	malicious	Browse	131.186.161.70
	fyi.exe	Get hash	malicious	Browse	131.186.113.70
	reconocer PO #700-20 D462021,pdf.exe	Get hash	malicious	Browse	162.88.193.70
	EJ000.exe	Get hash	malicious	Browse	131.186.161.70
	KOCjBQexoH.exe	Get hash	malicious	Browse	131.186.161.70
	36crb2VRQn.exe	Get hash	malicious	Browse	162.88.193.70
	Message Body.exe	Get hash	malicious	Browse	216.146.43.71
	RFQ 100400806 SUPPLY.exe	Get hash	malicious	Browse	216.146.43.71
	PANORAMICA,pdf.exe	Get hash	malicious	Browse	216.146.43.70
	Purchase_skyN39331,pdf.exe	Get hash	malicious	Browse	131.186.161.70
	SecuriteInfo.com.Trojan.DownloaderNET.154.8159.exe	Get hash	malicious	Browse	131.186.113.70
	PRODUCT_INQUIRY_PO_0009044_PDF.exe	Get hash	malicious	Browse	216.146.43.70
	MT103_YIU LIAN08042021_Xerox Scan_202104_.exe	Get hash	malicious	Browse	216.146.43.71
	lfQuSBwdSf.exe	Get hash	malicious	Browse	162.88.193.70
	PURCHASE ORDER - XIFFA55,pdf.exe	Get hash	malicious	Browse	131.186.113.70
	PRICE_QUOTATION_RFQ_000988_PDF.exe	Get hash	malicious	Browse	131.186.113.70
CLOUDFLARENETUS	Rechung-2021.12.04.2021.pdf.exe	Get hash	malicious	Browse	162.159.130.233
	INV_0008434567987.doc	Get hash	malicious	Browse	172.67.222.176
	mfalomirm@gentalia.eu.HTM	Get hash	malicious	Browse	104.19.133.58
	KHAWATMI CO.IMPORT & EXPORT_PDF.exe	Get hash	malicious	Browse	104.21.17.57
	YNzE2QUkvaTK7kd.exe	Get hash	malicious	Browse	172.67.148.14
	NdBLyH2h5d.exe	Get hash	malicious	Browse	23.227.38.74
	s6G3ZtvHZg.exe	Get hash	malicious	Browse	172.67.130.43
	4oItdZkNOZ.exe	Get hash	malicious	Browse	23.227.38.74
	ieuHgdpuPo.exe	Get hash	malicious	Browse	104.21.17.57
	Cobro Juridico_0420198202_326828_4985792583130360_300690_8122300886764676459_5190713730838_pdf.exe	Get hash	malicious	Browse	172.67.222.176
	Payment Slip.doc	Get hash	malicious	Browse	104.21.17.57
	Cobro Juridico_0291662728_7023446_452487041454723_016698_5192136884256735776_2301761820735_pdf.exe	Get hash	malicious	Browse	104.21.17.57
	INQUIRY 1820521 pdf.exe	Get hash	malicious	Browse	104.21.82.58
	PaymentCopy.vbs	Get hash	malicious	Browse	172.67.222.131
	PAYMENT COPY.exe	Get hash	malicious	Browse	104.21.28.135
	PO NUMBER 3120386 3120393 SIGNED.exe	Get hash	malicious	Browse	1.2.3.4
	Cobro Juridico_07223243630_5643594_539661009070075_49874359_5059639084170590400_7272781644_pdf.exe	Get hash	malicious	Browse	172.67.222.176
	BL2659618800638119374.xls.exe	Get hash	malicious	Browse	172.67.222.176
	Purchase order and quote confirmation.exe	Get hash	malicious	Browse	172.67.222.176
	Confirm Order for SK TRIMS & INDUSTRIES_DK4571,pdf.exe	Get hash	malicious	Browse	172.67.188.154

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Rechung-2021.12.04.2021.pdf.exe	Get hash	malicious	Browse	172.67.188.154
	KHAWATMI CO.IMPORT & EXPORT_PDF.exe	Get hash	malicious	Browse	172.67.188.154
	ieuHgdpuPo.exe	Get hash	malicious	Browse	172.67.188.154
	Cobro Juridico_0420198202_326828_4985792583130360_300690_8122300886764676459_5190713730838_pdf.exe	Get hash	malicious	Browse	172.67.188.154
	Cobro Juridico_0291662728_7023446_452487041454723_016698_5192136884256735776_2301761820735_pdf.exe	Get hash	malicious	Browse	172.67.188.154
	Cobro Juridico_07223243630_5643594_539661009070075_49874359_5059639084170590400_7272781644_pdf.exe	Get hash	malicious	Browse	172.67.188.154
	BL2659618800638119374.xls.exe	Get hash	malicious	Browse	172.67.188.154
	Purchase order and quote confirmation.exe	Get hash	malicious	Browse	172.67.188.154
	Confirm Order for SK TRIMS & INDUSTRIES_DK4571,pdf.exe	Get hash	malicious	Browse	172.67.188.154
	Re Confirm#U00ffthe invoice#U00ffthe payment slip.exe	Get hash	malicious	Browse	172.67.188.154
	SOA.exe	Get hash	malicious	Browse	172.67.188.154
	RFQ No A'4762GHTECHNICAL DETAILS.exe	Get hash	malicious	Browse	172.67.188.154
	GQ5JvPEI6c.exe	Get hash	malicious	Browse	172.67.188.154
	JSTCG21040600210 xlxs.exe	Get hash	malicious	Browse	172.67.188.154
	PAYMENT RECEIPT.exe	Get hash	malicious	Browse	172.67.188.154
	COMMERCIAL INVOICE N#U00c2#U00ba 0001792E21.exe	Get hash	malicious	Browse	172.67.188.154
	9479_pdf.exe	Get hash	malicious	Browse	172.67.188.154
	fyi.exe	Get hash	malicious	Browse	172.67.188.154
	MINUSCA P01-21.exe	Get hash	malicious	Browse	172.67.188.154
	Invoice-ID-(87656532).vbs	Get hash	malicious	Browse	172.67.188.154

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp Download File
Process:	C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1647
Entropy (8bit):	5.197683476639004
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBuBtn:cbh47TlNQ//rydbz9I3YODOLNdq3I
MD5:	37FC4BD0D262FDAF006E8C7A4B7468F3
SHA1:	899AA212659232891A464070114278B24C7AADBA
SHA-256:	381DA5EA1C882FEDC5BCA004457C3EFE5773D6AA7632C83F6601C11422256F8F
SHA-512:	1D498AFB062EBCF83A625A02E2CED603D58257B2B52E0B61EDD9BE43065BFC2A2C47146320FE7D4FA145FE15F90FCE5C1C6CFC7B7EFF6AC62C871EE45BD93C7B
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\QscoSjjAofYnyT.exe Download File
Process:	C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	611328
Entropy (8bit):	7.859751813686353
Encrypted:	false
SSDEEP:	12288:XaRN/cqUrIyKEiFzxpETMWMFUcl0qtxc1y:Xac9OEibSTMCcl09o
MD5:	229EFBBB09801172C9D35851A3CE484E
SHA1:	BFA35BA04C7CCE63DC1FDF161CEBFA7BD9E63CD2
SHA-256:	3744807C95CB27F6E9C5EF01F2B5B32A78CEEF7016FB54BABE6A797977B72763
SHA-512:	F59E194C95CF1BCE01AC97AB989CC69AAA95E87A18E1C640BB0196FA479ADD9754D7EE77F26562B0CEC0D66A4BEE535703CAFCDA4F7359B546D785190A7CADCA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 21%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..J..........Nh... ........@.. ....................................@..................................g..O....................................g............................................... ............... ..H............text...TH... ...J.................. ..`.rsrc................L..............@..@.reloc...............R..............@..B................0h......H...........@o......1........T..........................................".(......r...p.......{...."..}......{...."..}....".(......0...........r...p.+....0...........r...p.+..".(.......{...."..}......{...."..}....".(.....^..}.....(.......(.......0............o......,y.s.......{....o....o.......{....o....o.....~......,....(......+....(...........,..(....o.....s....(......+..r...p(....&......0..5.........o....r...p(....,..o....r...p(....+....,....+...+......0..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.859751813686353
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	RFQ No A'4762QHTECHNICAL DETAILS.exe
File size:	611328
MD5:	229efbbb09801172c9d35851a3ce484e
SHA1:	bfa35ba04c7cce63dc1fdf161cebfa7bd9e63cd2
SHA256:	3744807c95cb27f6e9c5ef01f2b5b32a78ceef7016fb54babe6a797977b72763
SHA512:	f59e194c95cf1bce01ac97ab989cc69aaa95e87a18e1c640bb0196fa479add9754d7ee77f26562b0cec0d66a4bee535703cafcda4f7359b546d785190a7cadca
SSDEEP:	12288:XaRN/cqUrIyKEiFzxpETMWMFUcl0qtxc1y:Xac9OEibSTMCcl09o
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..J..........Nh... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x49684e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x8EA81DF5 [Sat Nov 4 04:26:29 2045 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x967fc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x98000	0x5f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x9a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x967e0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x94854	0x94a00	False	0.889575339045	data	7.86754540187	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x98000	0x5f8	0x600	False	0.440755208333	data	4.258989477	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x9a000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x98090	0x366	data
RT_MANIFEST	0x98408	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright Integra Wealth
Assembly Version	1.8.9.10
InternalName	r.exe
FileVersion	1.9.1.0
CompanyName	Integra Wealth
LegalTrademarks
Comments
ProductName	ReplacementFallback
ProductVersion	1.9.1.0
FileDescription	ReplacementFallback
OriginalFilename	r.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 11:37:14.259453058 CEST	49716	80	192.168.2.3	131.186.113.70
Apr 12, 2021 11:37:14.321317911 CEST	80	49716	131.186.113.70	192.168.2.3
Apr 12, 2021 11:37:14.321487904 CEST	49716	80	192.168.2.3	131.186.113.70
Apr 12, 2021 11:37:14.322391987 CEST	49716	80	192.168.2.3	131.186.113.70
Apr 12, 2021 11:37:14.382623911 CEST	80	49716	131.186.113.70	192.168.2.3
Apr 12, 2021 11:37:14.382662058 CEST	80	49716	131.186.113.70	192.168.2.3
Apr 12, 2021 11:37:14.382684946 CEST	80	49716	131.186.113.70	192.168.2.3
Apr 12, 2021 11:37:14.382833004 CEST	49716	80	192.168.2.3	131.186.113.70
Apr 12, 2021 11:37:14.383936882 CEST	49716	80	192.168.2.3	131.186.113.70
Apr 12, 2021 11:37:14.444139004 CEST	80	49716	131.186.113.70	192.168.2.3
Apr 12, 2021 11:37:14.475239992 CEST	49717	80	192.168.2.3	131.186.113.70
Apr 12, 2021 11:37:14.536591053 CEST	80	49717	131.186.113.70	192.168.2.3
Apr 12, 2021 11:37:14.536684990 CEST	49717	80	192.168.2.3	131.186.113.70
Apr 12, 2021 11:37:14.537447929 CEST	49717	80	192.168.2.3	131.186.113.70
Apr 12, 2021 11:37:14.598752022 CEST	80	49717	131.186.113.70	192.168.2.3
Apr 12, 2021 11:37:14.598804951 CEST	80	49717	131.186.113.70	192.168.2.3
Apr 12, 2021 11:37:14.598855019 CEST	80	49717	131.186.113.70	192.168.2.3
Apr 12, 2021 11:37:14.599024057 CEST	49717	80	192.168.2.3	131.186.113.70
Apr 12, 2021 11:37:14.599848986 CEST	49717	80	192.168.2.3	131.186.113.70
Apr 12, 2021 11:37:14.661312103 CEST	80	49717	131.186.113.70	192.168.2.3
Apr 12, 2021 11:37:15.636893988 CEST	49718	443	192.168.2.3	172.67.188.154
Apr 12, 2021 11:37:15.688484907 CEST	443	49718	172.67.188.154	192.168.2.3
Apr 12, 2021 11:37:15.688607931 CEST	49718	443	192.168.2.3	172.67.188.154
Apr 12, 2021 11:37:15.728559017 CEST	49718	443	192.168.2.3	172.67.188.154
Apr 12, 2021 11:37:15.780066967 CEST	443	49718	172.67.188.154	192.168.2.3
Apr 12, 2021 11:37:15.785190105 CEST	443	49718	172.67.188.154	192.168.2.3
Apr 12, 2021 11:37:15.785211086 CEST	443	49718	172.67.188.154	192.168.2.3
Apr 12, 2021 11:37:15.785406113 CEST	49718	443	192.168.2.3	172.67.188.154
Apr 12, 2021 11:37:15.795664072 CEST	49718	443	192.168.2.3	172.67.188.154
Apr 12, 2021 11:37:15.849005938 CEST	443	49718	172.67.188.154	192.168.2.3
Apr 12, 2021 11:37:15.849282980 CEST	443	49718	172.67.188.154	192.168.2.3
Apr 12, 2021 11:37:15.891508102 CEST	49718	443	192.168.2.3	172.67.188.154
Apr 12, 2021 11:37:15.896435976 CEST	49718	443	192.168.2.3	172.67.188.154
Apr 12, 2021 11:37:15.948019028 CEST	443	49718	172.67.188.154	192.168.2.3
Apr 12, 2021 11:37:16.004017115 CEST	443	49718	172.67.188.154	192.168.2.3
Apr 12, 2021 11:37:16.004048109 CEST	443	49718	172.67.188.154	192.168.2.3
Apr 12, 2021 11:37:16.004134893 CEST	49718	443	192.168.2.3	172.67.188.154
Apr 12, 2021 11:38:56.038856030 CEST	49718	443	192.168.2.3	172.67.188.154
Apr 12, 2021 11:38:56.092046976 CEST	443	49718	172.67.188.154	192.168.2.3
Apr 12, 2021 11:38:56.092129946 CEST	49718	443	192.168.2.3	172.67.188.154

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 12, 2021 11:37:02.075067043 CEST	49199	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:02.123822927 CEST	53	49199	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:02.197729111 CEST	50620	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:02.272211075 CEST	53	50620	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:02.481626987 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:02.535183907 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:02.751250029 CEST	60152	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:02.811563969 CEST	53	60152	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:03.355627060 CEST	57544	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:03.405927896 CEST	53	57544	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:04.256092072 CEST	55984	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:04.304872036 CEST	53	55984	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:05.209270954 CEST	64185	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:05.262332916 CEST	53	64185	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:06.623615026 CEST	65110	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:06.672255993 CEST	53	65110	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:07.755645990 CEST	58361	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:07.804367065 CEST	53	58361	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:08.631408930 CEST	63492	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:08.682194948 CEST	53	63492	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:09.757807970 CEST	60831	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:09.808001041 CEST	53	60831	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:10.705699921 CEST	60100	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:10.761672974 CEST	53	60100	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:11.649863958 CEST	53195	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:11.698684931 CEST	53	53195	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:14.106566906 CEST	50141	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:14.158390999 CEST	53	50141	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:14.180814028 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:14.229562044 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:15.572236061 CEST	49563	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:15.634001017 CEST	53	49563	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:15.944880009 CEST	51352	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:15.996675014 CEST	53	51352	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:16.948900938 CEST	59349	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:17.006350040 CEST	53	59349	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:18.056193113 CEST	57084	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:18.108208895 CEST	53	57084	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:19.183157921 CEST	58823	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:19.232482910 CEST	53	58823	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:21.441648006 CEST	57568	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:21.490380049 CEST	53	57568	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:22.368689060 CEST	50540	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:22.417583942 CEST	53	50540	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:37.004416943 CEST	54366	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:37.053208113 CEST	53	54366	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:37.394790888 CEST	53034	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:37.457628012 CEST	53	53034	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:37.914904118 CEST	57762	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:37.966495991 CEST	53	57762	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:39.009825945 CEST	55435	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:39.069066048 CEST	53	55435	8.8.8.8	192.168.2.3
Apr 12, 2021 11:37:46.512948036 CEST	50713	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:37:46.572705984 CEST	53	50713	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:03.394474983 CEST	56132	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:03.510359049 CEST	53	56132	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:04.072164059 CEST	58987	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:04.129156113 CEST	53	58987	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:04.483156919 CEST	56579	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:04.548268080 CEST	53	56579	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:04.703880072 CEST	60633	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:04.761075974 CEST	53	60633	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:05.216237068 CEST	61292	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:05.276561975 CEST	53	61292	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:05.792805910 CEST	63619	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:05.941467047 CEST	53	63619	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:06.527621984 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:06.612879992 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:07.184705019 CEST	61946	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:07.293843031 CEST	53	61946	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:09.072093010 CEST	64910	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:09.121021032 CEST	53	64910	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:10.160310984 CEST	52123	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:10.218971968 CEST	53	52123	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:10.689018965 CEST	56130	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:10.747669935 CEST	53	56130	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:16.009843111 CEST	56338	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:16.070530891 CEST	53	56338	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:46.866910934 CEST	59420	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:47.476486921 CEST	53	59420	8.8.8.8	192.168.2.3
Apr 12, 2021 11:38:48.745969057 CEST	58784	53	192.168.2.3	8.8.8.8
Apr 12, 2021 11:38:48.803812027 CEST	53	58784	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 12, 2021 11:37:14.106566906 CEST	192.168.2.3	8.8.8.8	0x8dad	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:14.180814028 CEST	192.168.2.3	8.8.8.8	0x97e1	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:15.572236061 CEST	192.168.2.3	8.8.8.8	0xe9dc	Standard query (0)	freegeoip.app	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 12, 2021 11:37:14.158390999 CEST	8.8.8.8	192.168.2.3	0x8dad	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 11:37:14.158390999 CEST	8.8.8.8	192.168.2.3	0x8dad	No error (0)	checkip.dyndns.com		131.186.113.70	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:14.158390999 CEST	8.8.8.8	192.168.2.3	0x8dad	No error (0)	checkip.dyndns.com		216.146.43.71	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:14.158390999 CEST	8.8.8.8	192.168.2.3	0x8dad	No error (0)	checkip.dyndns.com		131.186.161.70	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:14.158390999 CEST	8.8.8.8	192.168.2.3	0x8dad	No error (0)	checkip.dyndns.com		216.146.43.70	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:14.158390999 CEST	8.8.8.8	192.168.2.3	0x8dad	No error (0)	checkip.dyndns.com		162.88.193.70	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:14.229562044 CEST	8.8.8.8	192.168.2.3	0x97e1	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Apr 12, 2021 11:37:14.229562044 CEST	8.8.8.8	192.168.2.3	0x97e1	No error (0)	checkip.dyndns.com		216.146.43.71	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:14.229562044 CEST	8.8.8.8	192.168.2.3	0x97e1	No error (0)	checkip.dyndns.com		131.186.113.70	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:14.229562044 CEST	8.8.8.8	192.168.2.3	0x97e1	No error (0)	checkip.dyndns.com		131.186.161.70	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:14.229562044 CEST	8.8.8.8	192.168.2.3	0x97e1	No error (0)	checkip.dyndns.com		216.146.43.70	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:14.229562044 CEST	8.8.8.8	192.168.2.3	0x97e1	No error (0)	checkip.dyndns.com		162.88.193.70	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:15.634001017 CEST	8.8.8.8	192.168.2.3	0xe9dc	No error (0)	freegeoip.app		172.67.188.154	A (IP address)	IN (0x0001)
Apr 12, 2021 11:37:15.634001017 CEST	8.8.8.8	192.168.2.3	0xe9dc	No error (0)	freegeoip.app		104.21.19.200	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49716	131.186.113.70	80	C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 11:37:14.322391987 CEST	1081	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Apr 12, 2021 11:37:14.382662058 CEST	1081	IN	HTTP/1.1 200 OK Content-Type: text/html Server: DynDNS-CheckIP/1.0.1 Connection: close Cache-Control: no-cache Pragma: no-cache Content-Length: 102 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.3</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49717	131.186.113.70	80	C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe

Timestamp	kBytes transferred	Direction	Data
Apr 12, 2021 11:37:14.537447929 CEST	1082	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Apr 12, 2021 11:37:14.598804951 CEST	1082	IN	HTTP/1.1 200 OK Content-Type: text/html Server: DynDNS-CheckIP/1.0.1 Connection: close Cache-Control: no-cache Pragma: no-cache Content-Length: 102 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.3</body></html>

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 12, 2021 11:37:15.785211086 CEST	172.67.188.154	443	192.168.2.3	49718	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Aug 10 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020	Tue Aug 10 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025	769,49162-49161-49172-49171-53-47-10,0-10-11-35-23-65281,29-23-24,0	54328bd36c14bd82ddaa0c04b25ed9ad
Apr 12, 2021 11:37:15.785211086 CEST	172.67.188.154	443	192.168.2.3	49718	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		54328bd36c14bd82ddaa0c04b25ed9ad

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: RFQ No A'4762QHTECHNICAL DETAILS.exe PID: 5584 Parent PID: 5776

General

Start time:	11:37:09
Start date:	12/04/2021
Path:	C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\RFQ No A'4762QHTECHNICAL DETAILS.exe'
Imagebase:	0x870000
File size:	611328 bytes
MD5 hash:	229EFBBB09801172C9D35851A3CE484E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.473634820.0000000002CE8000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.473678406.0000000002CF2000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.472526143.0000000002C11000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.475988745.0000000003C39000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_BedsObfuscator, Description: Yara detected Beds Obfuscator, Source: 00000000.00000002.479390065.000000000BCC0000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.479390065.000000000BCC0000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: schtasks.exe PID: 5992 Parent PID: 5584

General

Start time:	11:37:12
Start date:	12/04/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QscoSjjAofYnyT' /XML 'C:\Users\user\AppData\Local\Temp\tmp9C1F.tmp'
Imagebase:	0x1190000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6004 Parent PID: 5992

General

Start time:	11:37:12
Start date:	12/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report RFQ No A'4762QHTECHNICAL DETAILS.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Snake Keylogger

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre