Analysis Report Purchase Inquiry 040521.exe

Overview

General Information

Sample Name: Purchase Inquiry 040521.exe
Analysis ID: 404251
MD5: 23495a6a0fd6123653dea6900654b7f6
SHA1: ecc59be83b68aeb85b32ba2d317cd08b87054756
SHA256: 670722e76eb0821959829571a7e70310d97b254abeba166950e39df1443482f9
Tags: AgentTesla, exe, signed

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
.NET source code contains very large strings
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 0.2.Purchase Inquiry 040521.exe.6349038.6.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "logs@phuboatrading-vn.comof2ZCW1li4ipTfyEsmtp.phuboatrading-vn.commylogs@phuboatrading-vn.com"}
Multi AV Scanner detection for submitted file
Source: Purchase Inquiry 040521.exe Virustotal: Detection: 27%
Source: Purchase Inquiry 040521.exe ReversingLabs: Detection: 29%
Machine Learning detection for sample
Source: Purchase Inquiry 040521.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.Purchase Inquiry 040521.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: Purchase Inquiry 040521.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.7:49707 -> 79.141.164.23:25
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.7:49708 -> 79.141.164.23:25
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HZ-NL-ASGB HZ-NL-ASGB
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.7:49707 -> 79.141.164.23:25
Source: unknown DNS traffic detected: queries for: smtp.phuboatrading-vn.com
Source: Purchase Inquiry 040521.exe, 00000003.00000002.510693698.00000000035C1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Purchase Inquiry 040521.exe, 00000003.00000002.510693698.00000000035C1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: Purchase Inquiry 040521.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Purchase Inquiry 040521.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Purchase Inquiry 040521.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Purchase Inquiry 040521.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Purchase Inquiry 040521.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Purchase Inquiry 040521.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Purchase Inquiry 040521.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: Purchase Inquiry 040521.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: Purchase Inquiry 040521.exe, 00000003.00000002.512221865.0000000003893000.00000004.00000001.sdmp String found in binary or memory: http://smtp.phuboatrading-vn.com
Source: Purchase Inquiry 040521.exe, 00000003.00000002.510693698.00000000035C1000.00000004.00000001.sdmp String found in binary or memory: http://wcmZQs.com
Source: Purchase Inquiry 040521.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: Purchase Inquiry 040521.exe, 00000003.00000002.510693698.00000000035C1000.00000004.00000001.sdmp, Purchase Inquiry 040521.exe, 00000003.00000002.512252947.00000000038A0000.00000004.00000001.sdmp, Purchase Inquiry 040521.exe, 00000003.00000003.469438441.0000000001634000.00000004.00000001.sdmp String found in binary or memory: https://1GkG9ex28fjVgSi6.org
Source: Purchase Inquiry 040521.exe, 00000003.00000002.510693698.00000000035C1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Purchase Inquiry 040521.exe, 00000003.00000002.510693698.00000000035C1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%t
Source: Purchase Inquiry 040521.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: Purchase Inquiry 040521.exe, 00000000.00000002.266804598.0000000006414000.00000004.00000001.sdmp, Purchase Inquiry 040521.exe, 00000003.00000002.504601701.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Purchase Inquiry 040521.exe, 00000003.00000002.510693698.00000000035C1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Purchase Inquiry 040521.exe Jump to behavior
Creates a DirectInput object (often for capturing keystrokes)
Source: Purchase Inquiry 040521.exe, 00000000.00000002.263411623.00000000016CB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary:

.NET source code contains very large strings
Source: Purchase Inquiry 040521.exe, ??????????????????????????????????????/???????????????????????????.cs Long String: Length: 913158
Source: 0.2.Purchase Inquiry 040521.exe.d70000.0.unpack, ??????????????????????????????????????/???????????????????????????.cs Long String: Length: 913158
Source: 0.0.Purchase Inquiry 040521.exe.d70000.0.unpack, ??????????????????????????????????????/???????????????????????????.cs Long String: Length: 913158
Source: 2.0.Purchase Inquiry 040521.exe.2e0000.0.unpack, ??????????????????????????????????????/???????????????????????????.cs Long String: Length: 913158
Source: 2.2.Purchase Inquiry 040521.exe.2e0000.0.unpack, ??????????????????????????????????????/???????????????????????????.cs Long String: Length: 913158
Source: 3.0.Purchase Inquiry 040521.exe.fc0000.0.unpack, ??????????????????????????????????????/???????????????????????????.cs Long String: Length: 913158
Source: 3.2.Purchase Inquiry 040521.exe.fc0000.1.unpack, ??????????????????????????????????????/???????????????????????????.cs Long String: Length: 913158
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Purchase Inquiry 040521.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Code function: 0_2_016B2450 0_2_016B2450
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Code function: 0_2_016B04B0 0_2_016B04B0
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Code function: 0_2_016B2A68 0_2_016B2A68
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Code function: 0_2_016B04A0 0_2_016B04A0
PE / OLE file has an invalid certificate
Source: Purchase Inquiry 040521.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: Purchase Inquiry 040521.exe Binary or memory string: OriginalFilename vs Purchase Inquiry 040521.exe
Source: Purchase Inquiry 040521.exe, 00000000.00000000.238107067.0000000000D72000.00000002.00020000.sdmp Binary or memory string: OriginalFilename*^,^4^I^+^N^T^ vs Purchase Inquiry 040521.exe
Source: Purchase Inquiry 040521.exe, 00000000.00000002.266804598.0000000006414000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDLRV WZV.exe2 vs Purchase Inquiry 040521.exe
Source: Purchase Inquiry 040521.exe, 00000000.00000002.266680605.0000000006321000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHIT.dll* vs Purchase Inquiry 040521.exe
Source: Purchase Inquiry 040521.exe Binary or memory string: OriginalFilename vs Purchase Inquiry 040521.exe
Source: Purchase Inquiry 040521.exe, 00000002.00000002.256543404.00000000002E2000.00000002.00020000.sdmp Binary or memory string: OriginalFilename*^,^4^I^+^N^T^ vs Purchase Inquiry 040521.exe
Source: Purchase Inquiry 040521.exe, 00000003.00000002.507965536.0000000001890000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Purchase Inquiry 040521.exe
Source: Purchase Inquiry 040521.exe, 00000003.00000000.257704057.0000000000FC2000.00000002.00020000.sdmp Binary or memory string: OriginalFilename*^,^4^I^+^N^T^ vs Purchase Inquiry 040521.exe
Source: Purchase Inquiry 040521.exe, 00000003.00000002.506690785.0000000001538000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Purchase Inquiry 040521.exe
Source: Purchase Inquiry 040521.exe, 00000003.00000002.504601701.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameDLRV WZV.exe2 vs Purchase Inquiry 040521.exe
Source: Purchase Inquiry 040521.exe, 00000003.00000002.507872968.0000000001850000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs Purchase Inquiry 040521.exe
Source: Purchase Inquiry 040521.exe Binary or memory string: OriginalFilename*^,^4^I^+^N^T^ vs Purchase Inquiry 040521.exe
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/2@1/2
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase Inquiry 040521.exe.log Jump to behavior
Source: Purchase Inquiry 040521.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Purchase Inquiry 040521.exe 'C:\Users\user\Desktop\Purchase Inquiry 040521.exe'
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Process created: C:\Users\user\Desktop\Purchase Inquiry 040521.exe C:\Users\user\Desktop\Purchase Inquiry 040521.exe
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Process created: C:\Users\user\Desktop\Purchase Inquiry 040521.exe C:\Users\user\Desktop\Purchase Inquiry 040521.exe Jump to behavior
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Purchase Inquiry 040521.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Purchase Inquiry 040521.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Purchase Inquiry 040521.exe Static file information: File size 1842016 > 1048576
Source: Purchase Inquiry 040521.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1bfa00
Source: Purchase Inquiry 040521.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

Binary contains a suspicious time stamp
Source: Purchase Inquiry 040521.exe Static PE information: 0xB19AE11D [Tue Jun 3 11:16:45 2064 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Code function: 0_2_016B606C pushfd ; ret 0_2_016B6081
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Window / User API: threadDelayed 1334 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Window / User API: threadDelayed 8483 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe TID: 6092 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe TID: 1744 Thread sleep time: -12912720851596678s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe TID: 2172 Thread sleep count: 1334 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe TID: 2172 Thread sleep count: 8483 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe TID: 1744 Thread sleep count: 39 > 30 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Purchase Inquiry 040521.exe, 00000003.00000002.514848871.0000000007430000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Memory written: C:\Users\user\Desktop\Purchase Inquiry 040521.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Process created: C:\Users\user\Desktop\Purchase Inquiry 040521.exe C:\Users\user\Desktop\Purchase Inquiry 040521.exe Jump to behavior
Source: Purchase Inquiry 040521.exe, 00000003.00000002.510088195.0000000002030000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: Purchase Inquiry 040521.exe, 00000003.00000002.510088195.0000000002030000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Purchase Inquiry 040521.exe, 00000003.00000002.510088195.0000000002030000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Purchase Inquiry 040521.exe, 00000003.00000002.510088195.0000000002030000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Queries volume information: C:\Users\user\Desktop\Purchase Inquiry 040521.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000003.00000002.510693698.00000000035C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.266804598.0000000006414000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.504601701.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.266680605.0000000006321000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Inquiry 040521.exe PID: 2148, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Inquiry 040521.exe PID: 2764, type: MEMORY
Source: Yara match File source: 3.2.Purchase Inquiry 040521.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Inquiry 040521.exe.6349038.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Inquiry 040521.exe.6414a78.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Inquiry 040521.exe.6349038.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Inquiry 040521.exe.6414a78.7.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Purchase Inquiry 040521.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 00000003.00000002.510693698.00000000035C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Inquiry 040521.exe PID: 2148, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000003.00000002.510693698.00000000035C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.266804598.0000000006414000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.504601701.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.266680605.0000000006321000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Inquiry 040521.exe PID: 2148, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Inquiry 040521.exe PID: 2764, type: MEMORY
Source: Yara match File source: 3.2.Purchase Inquiry 040521.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Inquiry 040521.exe.6349038.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Inquiry 040521.exe.6414a78.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Inquiry 040521.exe.6349038.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Inquiry 040521.exe.6414a78.7.raw.unpack, type: UNPACKEDPE

Behavior Graph (ID: 404251, Sample: Purchase Inquiry 040521.exe, Startdate: 04/05/2021, Architecture: WINDOWS, Score: 100)

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for submitted file; 6 other signatures

Process tree:
  • Purchase Inquiry 040521.exe (started)
    Dropped file: C:\Users\...\Purchase Inquiry 040521.exe.log, ASCII
    Signature: Injects a PE file into a foreign processes
    • Purchase Inquiry 040521.exe (started)
      DNS/IP: smtp.phuboatrading-vn.com 79.141.164.23, 25, 49707, 49708 HZ-NL-ASGB Bulgaria
      IP: 192.168.2.1 unknown unknown
      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 2 other signatures
    • Purchase Inquiry 040521.exe (started)

Contacted Public IPs

IP             Domain                     Country   ASN    ASN Name    Malicious
79.141.164.23  smtp.phuboatrading-vn.com  Bulgaria  59711  HZ-NL-ASGB  true

Private

IP
192.168.2.1

Contacted Domains

Name                       IP             Active
smtp.phuboatrading-vn.com  79.141.164.23  true