Analysis Report RQF 100021790.exe

Overview

General Information

Sample Name:	RQF 100021790.exe
Analysis ID:	385385
MD5:	31f58bbbd330f886e422d44e9c21dbf4
SHA1:	1795b60a6f387dec4ac7a6c38119efa0138bdff7
SHA256:	c289703ef1a3645d2c1653c0f571a9abdeec2b404df429196c2523b0b17d9c4c
Tags:	AgentTesla
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AgentTesla

Yara detected AntiVM3

.NET source code contains very large array initializations

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Antivirus or Machine Learning detection for unpacked file

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses SMTP (mail sending)

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Signatures

AV Detection:

Found malware configuration

Source: 3.2.RQF 100021790.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "ekwe@yillyenterprise.com^1.kk2[?w-Yzmail.yillyenterprise.com"}

Multi AV Scanner detection for submitted file

Source: RQF 100021790.exe	Virustotal: Detection: 31%			Perma Link
Source: RQF 100021790.exe	ReversingLabs: Detection: 14%

Machine Learning detection for sample

Source: RQF 100021790.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 3.2.RQF 100021790.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files

Source: RQF 100021790.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: RQF 100021790.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49753 -> 103.6.198.237:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49754 -> 103.6.198.237:587

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.3:49753 -> 103.6.198.237:587

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 103.6.198.237 103.6.198.237

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY EXABYTES-AS-APExaBytesNetworkSdnBhdMY

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.3:49753 -> 103.6.198.237:587

Source: unknown

DNS traffic detected: queries for: mail.yillyenterprise.com

Source: RQF 100021790.exe, 00000003.00000002.471510302.0000000002971000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RQF 100021790.exe, 00000003.00000002.471510302.0000000002971000.00000004.00000001.sdmp	String found in binary or memory: http://BtAllR.com
Source: RQF 100021790.exe, 00000003.00000002.471510302.0000000002971000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RQF 100021790.exe, 00000003.00000002.473589734.0000000002BDD000.00000004.00000001.sdmp	String found in binary or memory: http://Lt3kEzuSCIaIDgvv.com
Source: RQF 100021790.exe, 00000003.00000002.474061943.0000000002C46000.00000004.00000001.sdmp	String found in binary or memory: http://mail.yillyenterprise.com
Source: RQF 100021790.exe, 00000003.00000002.474061943.0000000002C46000.00000004.00000001.sdmp	String found in binary or memory: http://yillyenterprise.com
Source: RQF 100021790.exe, 00000000.00000002.207282678.0000000003F89000.00000004.00000001.sdmp, RQF 100021790.exe, 00000003.00000002.466065951.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RQF 100021790.exe, 00000003.00000002.471510302.0000000002971000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations

Source: 3.2.RQF 100021790.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b64D54FA0u002dDCE6u002d4D17u002d90E5u002d01D5DCD649E7u007d/E665D213u002dE6B6u002d4438u002d9BD5u002d2DBC4037211B.cs

Large array initialization: .cctor: array initializer size 11944

Detected potential crypto function

Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 0_2_00BC929D	0_2_00BC929D
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 0_2_014DC164	0_2_014DC164
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 0_2_014DE5A0	0_2_014DE5A0
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 0_2_014DE5B0	0_2_014DE5B0
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 0_2_00BC9BE6	0_2_00BC9BE6
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 2_2_0001929D	2_2_0001929D
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 2_2_00019BE6	2_2_00019BE6
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_0053929D	3_2_0053929D
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_027F46A0	3_2_027F46A0
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_027F45B0	3_2_027F45B0
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_027FDA00	3_2_027FDA00
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C77540	3_2_05C77540
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C794F8	3_2_05C794F8
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C76C70	3_2_05C76C70
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C76928	3_2_05C76928
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F326B8	3_2_05F326B8
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F3A1A0	3_2_05F3A1A0
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F3AC49	3_2_05F3AC49
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F3F4B0	3_2_05F3F4B0
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F38C50	3_2_05F38C50
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F5A7D0	3_2_05F5A7D0
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F57E20	3_2_05F57E20
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F5007A	3_2_05F5007A
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F5AF30	3_2_05F5AF30
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F5E818	3_2_05F5E818
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F552D0	3_2_05F552D0
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_00539BE6	3_2_00539BE6

Sample file is different than original file name gathered from version info

Source: RQF 100021790.exe, 00000000.00000002.206602241.0000000000C6E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamewuF vs RQF 100021790.exe
Source: RQF 100021790.exe, 00000000.00000002.210669766.00000000061A1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs RQF 100021790.exe
Source: RQF 100021790.exe, 00000000.00000002.210669766.00000000061A1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameexoUqrJZudHREjogRnRvJGlrAcwRCcAwmeAsDDz.exe4 vs RQF 100021790.exe
Source: RQF 100021790.exe, 00000000.00000002.207175183.0000000002F61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMetroFramework.dll> vs RQF 100021790.exe
Source: RQF 100021790.exe, 00000002.00000002.205016490.00000000000BE000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamewuF vs RQF 100021790.exe
Source: RQF 100021790.exe, 00000003.00000002.467328872.0000000000978000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs RQF 100021790.exe
Source: RQF 100021790.exe, 00000003.00000002.466065951.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameexoUqrJZudHREjogRnRvJGlrAcwRCcAwmeAsDDz.exe4 vs RQF 100021790.exe
Source: RQF 100021790.exe, 00000003.00000000.205748466.00000000005DE000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamewuF vs RQF 100021790.exe
Source: RQF 100021790.exe, 00000003.00000002.470208674.0000000000E90000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs RQF 100021790.exe
Source: RQF 100021790.exe, 00000003.00000002.470101404.0000000000E10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs RQF 100021790.exe
Source: RQF 100021790.exe, 00000003.00000002.470191907.0000000000E80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx vs RQF 100021790.exe
Source: RQF 100021790.exe	Binary or memory string: OriginalFilenamewuF vs RQF 100021790.exe

Uses 32bit PE files

Source: RQF 100021790.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: RQF 100021790.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 3.2.RQF 100021790.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.RQF 100021790.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/2@4/1

Source: C:\Users\user\Desktop\RQF 100021790.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RQF 100021790.exe.log

Jump to behavior

Source: RQF 100021790.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RQF 100021790.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\RQF 100021790.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\RQF 100021790.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RQF 100021790.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\RQF 100021790.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\RQF 100021790.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: RQF 100021790.exe	Virustotal: Detection: 31%
Source: RQF 100021790.exe	ReversingLabs: Detection: 14%

Source: unknown	Process created: C:\Users\user\Desktop\RQF 100021790.exe 'C:\Users\user\Desktop\RQF 100021790.exe'
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process created: C:\Users\user\Desktop\RQF 100021790.exe {path}
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process created: C:\Users\user\Desktop\RQF 100021790.exe {path}
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process created: C:\Users\user\Desktop\RQF 100021790.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process created: C:\Users\user\Desktop\RQF 100021790.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\RQF 100021790.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\RQF 100021790.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\RQF 100021790.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: RQF 100021790.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RQF 100021790.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: RQF 100021790.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Binary contains a suspicious time stamp

Source: RQF 100021790.exe

Static PE information: 0xCB6A8586 [Tue Feb 22 11:44:06 2078 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 0_2_00BCB02F push cs; iretd	0_2_00BCB032
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 0_2_00BCAEE0 push cs; iretd	0_2_00BCAEE2
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 0_2_00BCB023 push cs; iretd	0_2_00BCB024
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 2_2_0001AEE0 push cs; iretd	2_2_0001AEE2
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 2_2_0001B023 push cs; iretd	2_2_0001B024
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 2_2_0001B02F push cs; iretd	2_2_0001B032
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_0053B023 push cs; iretd	3_2_0053B024
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_0053AEE0 push cs; iretd	3_2_0053AEE2
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_0053B02F push cs; iretd	3_2_0053B032
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_027F8BED push ebx; retf 0000h	3_2_027F8C02
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_027F8C27 push ebx; retf 0000h	3_2_027F8C32
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C725C7 push ebx; retn 0005h	3_2_05C725D2
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C725D7 push esp; retn 0005h	3_2_05C725E2
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C725E7 push edx; retn 0005h	3_2_05C725B2
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C725E7 push ebp; retn 0005h	3_2_05C725F2
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C725F7 push ebp; retn 0005h	3_2_05C72602
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C72597 push ecx; retn 0005h	3_2_05C725A2
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C725A7 push edx; retn 0005h	3_2_05C725B2
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C725B7 push ebx; retn 0005h	3_2_05C725C2
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C7257B push eax; retn 0005h	3_2_05C72582
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C7571F pushad ; retn 0005h	3_2_05C7572A
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C7572F pushad ; retn 0005h	3_2_05C7573A
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C72657 push edi; retn 0005h	3_2_05C72622
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C7260A push esi; retn 0005h	3_2_05C72612
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C72617 push edi; retn 0005h	3_2_05C72622
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F534EC push eax; retf	3_2_05F534ED

Source: initial sample

Static PE information: section name: .text entropy: 7.89427057508

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\RQF 100021790.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RQF 100021790.exe PID: 5380, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\RQF 100021790.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\RQF 100021790.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\RQF 100021790.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\RQF 100021790.exe	Window / User API: threadDelayed 2491			Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Window / User API: threadDelayed 7356			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\RQF 100021790.exe TID: 5528	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe TID: 5376	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe TID: 1288	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe TID: 5580	Thread sleep count: 2491 > 30	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe TID: 5580	Thread sleep count: 7356 > 30	Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\RQF 100021790.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\RQF 100021790.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RQF 100021790.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\RQF 100021790.exe	Thread delayed: delay time: 31500	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\RQF 100021790.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\RQF 100021790.exe

Code function: 3_2_05C7C5A8 KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher,LdrInitializeThunk,

3_2_05C7C5A8

Enables debug privileges

Source: C:\Users\user\Desktop\RQF 100021790.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\RQF 100021790.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\RQF 100021790.exe	Process created: C:\Users\user\Desktop\RQF 100021790.exe {path}			Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process created: C:\Users\user\Desktop\RQF 100021790.exe {path}			Jump to behavior

Source: RQF 100021790.exe, 00000003.00000002.470486675.00000000012F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RQF 100021790.exe, 00000003.00000002.470486675.00000000012F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RQF 100021790.exe, 00000003.00000002.470486675.00000000012F0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RQF 100021790.exe, 00000003.00000002.470486675.00000000012F0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Users\user\Desktop\RQF 100021790.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Users\user\Desktop\RQF 100021790.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\RQF 100021790.exe

Code function: 3_2_05C75A94 GetUserNameW,

3_2_05C75A94

Source: C:\Users\user\Desktop\RQF 100021790.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Source: Yara match	File source: 00000003.00000002.466065951.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.207282678.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RQF 100021790.exe PID: 5380, type: MEMORY
Source: Yara match	File source: Process Memory Space: RQF 100021790.exe PID: 6020, type: MEMORY
Source: Yara match	File source: 3.2.RQF 100021790.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RQF 100021790.exe.41acc10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RQF 100021790.exe.41acc10.2.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\RQF 100021790.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\RQF 100021790.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\RQF 100021790.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Source: C:\Users\user\Desktop\RQF 100021790.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000003.00000002.471510302.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RQF 100021790.exe PID: 6020, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Source: Yara match	File source: 00000003.00000002.466065951.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.207282678.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RQF 100021790.exe PID: 5380, type: MEMORY
Source: Yara match	File source: Process Memory Space: RQF 100021790.exe PID: 6020, type: MEMORY
Source: Yara match	File source: 3.2.RQF 100021790.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RQF 100021790.exe.41acc10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RQF 100021790.exe.41acc10.2.raw.unpack, type: UNPACKEDPE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.6.198.237	yillyenterprise.com	Malaysia		46015	EXABYTES-AS-APExaBytesNetworkSdnBhdMY	true

Contacted Domains

Name	IP	Active
yillyenterprise.com	103.6.198.237	true
mail.yillyenterprise.com	unknown	unknown

AV Detection:

Found malware configuration

Source: 3.2.RQF 100021790.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "ekwe@yillyenterprise.com^1.kk2[?w-Yzmail.yillyenterprise.com"}

Multi AV Scanner detection for submitted file

Source: RQF 100021790.exe	Virustotal: Detection: 31%			Perma Link
Source: RQF 100021790.exe	ReversingLabs: Detection: 14%

Machine Learning detection for sample

Source: RQF 100021790.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 3.2.RQF 100021790.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files

Source: RQF 100021790.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: RQF 100021790.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49753 -> 103.6.198.237:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49754 -> 103.6.198.237:587

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.3:49753 -> 103.6.198.237:587

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 103.6.198.237 103.6.198.237

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY EXABYTES-AS-APExaBytesNetworkSdnBhdMY

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.3:49753 -> 103.6.198.237:587

Source: unknown

DNS traffic detected: queries for: mail.yillyenterprise.com

Source: RQF 100021790.exe, 00000003.00000002.471510302.0000000002971000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RQF 100021790.exe, 00000003.00000002.471510302.0000000002971000.00000004.00000001.sdmp	String found in binary or memory: http://BtAllR.com
Source: RQF 100021790.exe, 00000003.00000002.471510302.0000000002971000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RQF 100021790.exe, 00000003.00000002.473589734.0000000002BDD000.00000004.00000001.sdmp	String found in binary or memory: http://Lt3kEzuSCIaIDgvv.com
Source: RQF 100021790.exe, 00000003.00000002.474061943.0000000002C46000.00000004.00000001.sdmp	String found in binary or memory: http://mail.yillyenterprise.com
Source: RQF 100021790.exe, 00000003.00000002.474061943.0000000002C46000.00000004.00000001.sdmp	String found in binary or memory: http://yillyenterprise.com
Source: RQF 100021790.exe, 00000000.00000002.207282678.0000000003F89000.00000004.00000001.sdmp, RQF 100021790.exe, 00000003.00000002.466065951.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RQF 100021790.exe, 00000003.00000002.471510302.0000000002971000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations

Large array initialization: .cctor: array initializer size 11944

Detected potential crypto function

Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 0_2_00BC929D	0_2_00BC929D
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 0_2_014DC164	0_2_014DC164
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 0_2_014DE5A0	0_2_014DE5A0
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 0_2_014DE5B0	0_2_014DE5B0
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 0_2_00BC9BE6	0_2_00BC9BE6
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 2_2_0001929D	2_2_0001929D
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 2_2_00019BE6	2_2_00019BE6
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_0053929D	3_2_0053929D
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_027F46A0	3_2_027F46A0
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_027F45B0	3_2_027F45B0
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_027FDA00	3_2_027FDA00
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C77540	3_2_05C77540
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C794F8	3_2_05C794F8
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C76C70	3_2_05C76C70
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C76928	3_2_05C76928
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F326B8	3_2_05F326B8
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F3A1A0	3_2_05F3A1A0
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F3AC49	3_2_05F3AC49
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F3F4B0	3_2_05F3F4B0
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F38C50	3_2_05F38C50
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F5A7D0	3_2_05F5A7D0
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F57E20	3_2_05F57E20
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F5007A	3_2_05F5007A
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F5AF30	3_2_05F5AF30
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F5E818	3_2_05F5E818
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F552D0	3_2_05F552D0
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_00539BE6	3_2_00539BE6

Sample file is different than original file name gathered from version info

Source: RQF 100021790.exe, 00000000.00000002.206602241.0000000000C6E000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamewuF vs RQF 100021790.exe
Source: RQF 100021790.exe, 00000000.00000002.210669766.00000000061A1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs RQF 100021790.exe
Source: RQF 100021790.exe, 00000000.00000002.210669766.00000000061A1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameexoUqrJZudHREjogRnRvJGlrAcwRCcAwmeAsDDz.exe4 vs RQF 100021790.exe
Source: RQF 100021790.exe, 00000000.00000002.207175183.0000000002F61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMetroFramework.dll> vs RQF 100021790.exe
Source: RQF 100021790.exe, 00000002.00000002.205016490.00000000000BE000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamewuF vs RQF 100021790.exe
Source: RQF 100021790.exe, 00000003.00000002.467328872.0000000000978000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs RQF 100021790.exe
Source: RQF 100021790.exe, 00000003.00000002.466065951.0000000000402000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameexoUqrJZudHREjogRnRvJGlrAcwRCcAwmeAsDDz.exe4 vs RQF 100021790.exe
Source: RQF 100021790.exe, 00000003.00000000.205748466.00000000005DE000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamewuF vs RQF 100021790.exe
Source: RQF 100021790.exe, 00000003.00000002.470208674.0000000000E90000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx.mui vs RQF 100021790.exe
Source: RQF 100021790.exe, 00000003.00000002.470101404.0000000000E10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs RQF 100021790.exe
Source: RQF 100021790.exe, 00000003.00000002.470191907.0000000000E80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamewshom.ocx vs RQF 100021790.exe
Source: RQF 100021790.exe	Binary or memory string: OriginalFilenamewuF vs RQF 100021790.exe

Uses 32bit PE files

Source: RQF 100021790.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: RQF 100021790.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 3.2.RQF 100021790.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.RQF 100021790.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/2@4/1

Source: C:\Users\user\Desktop\RQF 100021790.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RQF 100021790.exe.log

Jump to behavior

Source: RQF 100021790.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RQF 100021790.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\RQF 100021790.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\RQF 100021790.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RQF 100021790.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\RQF 100021790.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\RQF 100021790.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: RQF 100021790.exe	Virustotal: Detection: 31%
Source: RQF 100021790.exe	ReversingLabs: Detection: 14%

Source: unknown	Process created: C:\Users\user\Desktop\RQF 100021790.exe 'C:\Users\user\Desktop\RQF 100021790.exe'
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process created: C:\Users\user\Desktop\RQF 100021790.exe {path}
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process created: C:\Users\user\Desktop\RQF 100021790.exe {path}
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process created: C:\Users\user\Desktop\RQF 100021790.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process created: C:\Users\user\Desktop\RQF 100021790.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\RQF 100021790.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\RQF 100021790.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\RQF 100021790.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: RQF 100021790.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RQF 100021790.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: RQF 100021790.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Binary contains a suspicious time stamp

Source: RQF 100021790.exe

Static PE information: 0xCB6A8586 [Tue Feb 22 11:44:06 2078 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 0_2_00BCB02F push cs; iretd	0_2_00BCB032
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 0_2_00BCAEE0 push cs; iretd	0_2_00BCAEE2
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 0_2_00BCB023 push cs; iretd	0_2_00BCB024
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 2_2_0001AEE0 push cs; iretd	2_2_0001AEE2
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 2_2_0001B023 push cs; iretd	2_2_0001B024
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 2_2_0001B02F push cs; iretd	2_2_0001B032
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_0053B023 push cs; iretd	3_2_0053B024
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_0053AEE0 push cs; iretd	3_2_0053AEE2
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_0053B02F push cs; iretd	3_2_0053B032
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_027F8BED push ebx; retf 0000h	3_2_027F8C02
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_027F8C27 push ebx; retf 0000h	3_2_027F8C32
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C725C7 push ebx; retn 0005h	3_2_05C725D2
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C725D7 push esp; retn 0005h	3_2_05C725E2
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C725E7 push edx; retn 0005h	3_2_05C725B2
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C725E7 push ebp; retn 0005h	3_2_05C725F2
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C725F7 push ebp; retn 0005h	3_2_05C72602
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C72597 push ecx; retn 0005h	3_2_05C725A2
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C725A7 push edx; retn 0005h	3_2_05C725B2
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C725B7 push ebx; retn 0005h	3_2_05C725C2
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C7257B push eax; retn 0005h	3_2_05C72582
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C7571F pushad ; retn 0005h	3_2_05C7572A
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C7572F pushad ; retn 0005h	3_2_05C7573A
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C72657 push edi; retn 0005h	3_2_05C72622
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C7260A push esi; retn 0005h	3_2_05C72612
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05C72617 push edi; retn 0005h	3_2_05C72622
Source: C:\Users\user\Desktop\RQF 100021790.exe	Code function: 3_2_05F534EC push eax; retf	3_2_05F534ED

Source: initial sample

Static PE information: section name: .text entropy: 7.89427057508

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\RQF 100021790.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: RQF 100021790.exe PID: 5380, type: MEMORY

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\RQF 100021790.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\RQF 100021790.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\RQF 100021790.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\RQF 100021790.exe	Window / User API: threadDelayed 2491			Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Window / User API: threadDelayed 7356			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\RQF 100021790.exe TID: 5528	Thread sleep time: -31500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe TID: 5376	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe TID: 1288	Thread sleep time: -11068046444225724s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe TID: 5580	Thread sleep count: 2491 > 30	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe TID: 5580	Thread sleep count: 7356 > 30	Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\RQF 100021790.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\RQF 100021790.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RQF 100021790.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\RQF 100021790.exe	Thread delayed: delay time: 31500	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: RQF 100021790.exe, 00000000.00000002.211322093.000000000663E000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Source: C:\Users\user\Desktop\RQF 100021790.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\RQF 100021790.exe

Code function: 3_2_05C7C5A8 KiUserExceptionDispatcher,KiUserExceptionDispatcher,KiUserExceptionDispatcher,LdrInitializeThunk,

3_2_05C7C5A8

Enables debug privileges

Source: C:\Users\user\Desktop\RQF 100021790.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\RQF 100021790.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\RQF 100021790.exe	Process created: C:\Users\user\Desktop\RQF 100021790.exe {path}			Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Process created: C:\Users\user\Desktop\RQF 100021790.exe {path}			Jump to behavior

Source: RQF 100021790.exe, 00000003.00000002.470486675.00000000012F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: RQF 100021790.exe, 00000003.00000002.470486675.00000000012F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RQF 100021790.exe, 00000003.00000002.470486675.00000000012F0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RQF 100021790.exe, 00000003.00000002.470486675.00000000012F0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Users\user\Desktop\RQF 100021790.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Users\user\Desktop\RQF 100021790.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\RQF 100021790.exe

Code function: 3_2_05C75A94 GetUserNameW,

3_2_05C75A94

Source: C:\Users\user\Desktop\RQF 100021790.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Source: Yara match	File source: 00000003.00000002.466065951.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.207282678.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RQF 100021790.exe PID: 5380, type: MEMORY
Source: Yara match	File source: Process Memory Space: RQF 100021790.exe PID: 6020, type: MEMORY
Source: Yara match	File source: 3.2.RQF 100021790.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RQF 100021790.exe.41acc10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RQF 100021790.exe.41acc10.2.raw.unpack, type: UNPACKEDPE

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\RQF 100021790.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\RQF 100021790.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\RQF 100021790.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Source: C:\Users\user\Desktop\RQF 100021790.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Users\user\Desktop\RQF 100021790.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000003.00000002.471510302.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RQF 100021790.exe PID: 6020, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Source: Yara match	File source: 00000003.00000002.466065951.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.207282678.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RQF 100021790.exe PID: 5380, type: MEMORY
Source: Yara match	File source: Process Memory Space: RQF 100021790.exe PID: 6020, type: MEMORY
Source: Yara match	File source: 3.2.RQF 100021790.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RQF 100021790.exe.41acc10.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RQF 100021790.exe.41acc10.2.raw.unpack, type: UNPACKEDPE

ID:	385385
Product:	CloudBasic
Start time:	12:13:12
Start date:	12.04.2021
Sample:	RQF 100021790.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	31f58bbbd330f886e422d44e9c21dbf4
SHA1:	1795b60a6f387dec4ac7a6c38119efa0138bdff7
SHA256:	c289703ef1a3645d2c1653c0f571a9abdeec2b404df429196c2523b0b17d9c4c
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RQF 100021790.exe.log	ASCII text, with CRLF line terminators	FED34146BF2F2FA59DCF8702FCC8232E	B03BFEA175989D989850CF06FE5E7BBF56EAA00A	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
C:\Users\user\AppData\Roaming\bwxcnuey.tk5\Chrome\Default\Cookies	SQLite 3.x database, last written using SQLite version 3032001	00681D89EDDB6AD25E6F4BD2E66C61C6	14B2FBFB460816155190377BBC66AB5D2A15F7AB	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85

Analysis Report RQF 100021790.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains