Analysis Report Ko4zQgTBHv.exe

Overview

General Information

Sample Name: Ko4zQgTBHv.exe
Analysis ID: 412502
MD5: 02bc365a934e558eb634e19dd2d33e64
SHA1: a7fcb0381c4f68ebea3dda4508a789a23eb9f637
SHA256: bd97a138f3c0b9b078c119bcb59793ceca55120411c95635cc4d12c01406c2cd
Tags: AgentTeslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000004.00000002.595056596.0000000002B01000.00000004.00000001.sdmp Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "jojo@glimpse-it.co@Mexico1.,mail.privateemail.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\vZvprBd.exe ReversingLabs: Detection: 34%
Multi AV Scanner detection for submitted file
Source: Ko4zQgTBHv.exe Virustotal: Detection: 21% Perma Link
Source: Ko4zQgTBHv.exe ReversingLabs: Detection: 34%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\vZvprBd.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Ko4zQgTBHv.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.Ko4zQgTBHv.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

barindex
Uses 32bit PE files
Source: Ko4zQgTBHv.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Ko4zQgTBHv.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\BILGqcSRbt\src\obj\Debug\ScopelessEnumAttribute.pdb source: Ko4zQgTBHv.exe

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_0B58CAD8

Networking:

barindex
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49752 -> 198.54.122.60:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 198.54.122.60 198.54.122.60
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.6:49752 -> 198.54.122.60:587
Source: unknown DNS traffic detected: queries for: mail.privateemail.com
Source: Ko4zQgTBHv.exe, 00000004.00000002.595056596.0000000002B01000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Ko4zQgTBHv.exe, 00000004.00000002.595056596.0000000002B01000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: Ko4zQgTBHv.exe, 00000004.00000002.595056596.0000000002B01000.00000004.00000001.sdmp String found in binary or memory: http://bplSZH.com
Source: Ko4zQgTBHv.exe String found in binary or memory: http://checkip.dyndns.org/
Source: Ko4zQgTBHv.exe, 00000004.00000002.599388925.0000000006690000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: Ko4zQgTBHv.exe, 00000004.00000002.599485446.00000000066CB000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: Ko4zQgTBHv.exe, 00000004.00000002.599388925.0000000006690000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSA
Source: Ko4zQgTBHv.exe, 00000004.00000002.599388925.0000000006690000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: Ko4zQgTBHv.exe, 00000004.00000002.596057980.0000000002C3C000.00000004.00000001.sdmp String found in binary or memory: http://mail.privateemail.com
Source: Ko4zQgTBHv.exe, 00000004.00000002.599388925.0000000006690000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: Ko4zQgTBHv.exe, 00000004.00000002.599388925.0000000006690000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: Ko4zQgTBHv.exe, 00000000.00000002.342093039.0000000002D01000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Ko4zQgTBHv.exe String found in binary or memory: http://servermanager.miixit.org/
Source: Ko4zQgTBHv.exe String found in binary or memory: http://servermanager.miixit.org/E
Source: Ko4zQgTBHv.exe String found in binary or memory: http://servermanager.miixit.org/downloads/
Source: Ko4zQgTBHv.exe String found in binary or memory: http://servermanager.miixit.org/hits/hit_index.php?k=
Source: Ko4zQgTBHv.exe String found in binary or memory: http://servermanager.miixit.org/hits/hit_index.php?k=1
Source: Ko4zQgTBHv.exe String found in binary or memory: http://servermanager.miixit.org/index_ru.html
Source: Ko4zQgTBHv.exe String found in binary or memory: http://servermanager.miixit.org/index_ru.htmlk
Source: Ko4zQgTBHv.exe String found in binary or memory: http://servermanager.miixit.org/report/reporter_index.php?name=
Source: Ko4zQgTBHv.exe, 00000004.00000002.595643681.0000000002BB0000.00000004.00000001.sdmp String found in binary or memory: https://o3u5ap5OYRcXqxyqT.org
Source: Ko4zQgTBHv.exe, 00000004.00000002.595643681.0000000002BB0000.00000004.00000001.sdmp String found in binary or memory: https://o3u5ap5OYRcXqxyqT.org8
Source: Ko4zQgTBHv.exe, 00000004.00000002.599388925.0000000006690000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.c
Source: Ko4zQgTBHv.exe, 00000004.00000002.599388925.0000000006690000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Ko4zQgTBHv.exe String found in binary or memory: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=CJU3DBQXBUQPC
Source: Ko4zQgTBHv.exe, 00000000.00000002.343072283.0000000003D01000.00000004.00000001.sdmp, Ko4zQgTBHv.exe, 00000004.00000002.591708318.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Ko4zQgTBHv.exe, 00000004.00000002.595056596.0000000002B01000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Installs a global keyboard hook
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Ko4zQgTBHv.exe Jump to behavior
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary:

barindex
Detected potential crypto function
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_00807DA2 0_2_00807DA2
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B583B18 0_2_0B583B18
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B5893A0 0_2_0B5893A0
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B588660 0_2_0B588660
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B58A218 0_2_0B58A218
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B588D08 0_2_0B588D08
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B583B09 0_2_0B583B09
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B585BD0 0_2_0B585BD0
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B585BCB 0_2_0B585BCB
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B589390 0_2_0B589390
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B588651 0_2_0B588651
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B589E48 0_2_0B589E48
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B58A207 0_2_0B58A207
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B589E39 0_2_0B589E39
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B5866C8 0_2_0B5866C8
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B5842F0 0_2_0B5842F0
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B5842E1 0_2_0B5842E1
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B5866B8 0_2_0B5866B8
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B58A539 0_2_0B58A539
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B584998 0_2_0B584998
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B584993 0_2_0B584993
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B58A450 0_2_0B58A450
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B580040 0_2_0B580040
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B584010 0_2_0B584010
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B580006 0_2_0B580006
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B584020 0_2_0B584020
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B588CFB 0_2_0B588CFB
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B58A4A7 0_2_0B58A4A7
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_006C7DA2 4_2_006C7DA2
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_029146A0 4_2_029146A0
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_029145B0 4_2_029145B0
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_0291DA01 4_2_0291DA01
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D07540 4_2_05D07540
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D094F8 4_2_05D094F8
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D06C70 4_2_05D06C70
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D06928 4_2_05D06928
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_06195608 4_2_06195608
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_061906D0 4_2_061906D0
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\vZvprBd.exe BD97A138F3C0B9B078C119BCB59793CECA55120411C95635CC4D12C01406C2CD
Sample file is different than original file name gathered from version info
Source: Ko4zQgTBHv.exe Binary or memory string: OriginalFilename vs Ko4zQgTBHv.exe
Source: Ko4zQgTBHv.exe, 00000000.00000002.346803709.000000000BB10000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Ko4zQgTBHv.exe
Source: Ko4zQgTBHv.exe, 00000000.00000002.347104132.000000000BC00000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Ko4zQgTBHv.exe
Source: Ko4zQgTBHv.exe, 00000000.00000002.347104132.000000000BC00000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Ko4zQgTBHv.exe
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameScopelessEnumAttribute.exeF vs Ko4zQgTBHv.exe
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs Ko4zQgTBHv.exe
Source: Ko4zQgTBHv.exe, 00000000.00000002.342228241.0000000002D99000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll( vs Ko4zQgTBHv.exe
Source: Ko4zQgTBHv.exe, 00000000.00000002.342093039.0000000002D01000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCYbtWKpyduSheqLLdYLNwktYyalD.exe4 vs Ko4zQgTBHv.exe
Source: Ko4zQgTBHv.exe, 00000000.00000002.343072283.0000000003D01000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs Ko4zQgTBHv.exe
Source: Ko4zQgTBHv.exe Binary or memory string: OriginalFilename vs Ko4zQgTBHv.exe
Source: Ko4zQgTBHv.exe, 00000004.00000002.593856787.0000000001010000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx vs Ko4zQgTBHv.exe
Source: Ko4zQgTBHv.exe, 00000004.00000002.592490851.0000000000B58000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Ko4zQgTBHv.exe
Source: Ko4zQgTBHv.exe, 00000004.00000002.591708318.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCYbtWKpyduSheqLLdYLNwktYyalD.exe4 vs Ko4zQgTBHv.exe
Source: Ko4zQgTBHv.exe, 00000004.00000002.593872285.0000000001020000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs Ko4zQgTBHv.exe
Source: Ko4zQgTBHv.exe, 00000004.00000002.593770195.0000000000F50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Ko4zQgTBHv.exe
Source: Ko4zQgTBHv.exe Binary or memory string: OriginalFilenameScopelessEnumAttribute.exeF vs Ko4zQgTBHv.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Uses 32bit PE files
Source: Ko4zQgTBHv.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Ko4zQgTBHv.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vZvprBd.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/4@1/1
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe File created: C:\Users\user\AppData\Roaming\vZvprBd.exe Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Mutant created: \Sessions\1\BaseNamedObjects\QUCIgI
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6668:120:WilError_01
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe File created: C:\Users\user\AppData\Local\Temp\tmpF3F1.tmp Jump to behavior
Source: Ko4zQgTBHv.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: Ko4zQgTBHv.exe Virustotal: Detection: 21%
Source: Ko4zQgTBHv.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe File read: C:\Users\user\Desktop\Ko4zQgTBHv.exe:Zone.Identifier Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Ko4zQgTBHv.exe 'C:\Users\user\Desktop\Ko4zQgTBHv.exe'
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vZvprBd' /XML 'C:\Users\user\AppData\Local\Temp\tmpF3F1.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process created: C:\Users\user\Desktop\Ko4zQgTBHv.exe C:\Users\user\Desktop\Ko4zQgTBHv.exe
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vZvprBd' /XML 'C:\Users\user\AppData\Local\Temp\tmpF3F1.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process created: C:\Users\user\Desktop\Ko4zQgTBHv.exe C:\Users\user\Desktop\Ko4zQgTBHv.exe Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Ko4zQgTBHv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Ko4zQgTBHv.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Ko4zQgTBHv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\BILGqcSRbt\src\obj\Debug\ScopelessEnumAttribute.pdb source: Ko4zQgTBHv.exe

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0080761D push es; retf 0_2_0080764E
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_00807656 push es; retf 0_2_00807684
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 0_2_0B5847DB push esi; retf 0_2_0B5847E4
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_006C7656 push es; retf 4_2_006C7684
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_006C761D push es; retf 4_2_006C764E
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D025C3 push esp; retf 4_2_05D025E2
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D025F3 push ebp; retf 4_2_05D02602
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D025B3 push ebx; retf 4_2_05D025C2
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D025A3 push edx; retf 4_2_05D025B2
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D0257C push eax; retf 4_2_05D02582
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D02663 push 0A6405CAh; retf 4_2_05D0267E
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D02603 push edi; retf 4_2_05D02622
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D021C9 push ecx; retf 0005h 4_2_05D021CA
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D01140 push ds; retf 4_2_05D0114E
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D050F7 push edi; retf 4_2_05D050FE
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D01048 push ds; retf 4_2_05D0105A
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D01077 push ds; retf 4_2_05D01078
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D01068 push ds; retf 4_2_05D01069
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D0B374 push 968C00CCh; retf 0005h 4_2_05D0B37A
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D052D0 push edi; retf 4_2_05D052D6
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D0122B push ds; retf 4_2_05D01236
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D0BCC0 pushfd ; retf 0005h 4_2_05D0BEBA
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D0BF08 pushfd ; retf 0005h 4_2_05D0BF0A
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D04EEC push ebp; retf 4_2_05D04EF6
Source: initial sample Static PE information: section name: .text entropy: 7.89033690485
Source: initial sample Static PE information: section name: .text entropy: 7.89033690485

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe File created: C:\Users\user\AppData\Roaming\vZvprBd.exe Jump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vZvprBd' /XML 'C:\Users\user\AppData\Local\Temp\tmpF3F1.tmp'

Hooking and other Techniques for Hiding and Protection:

barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ko4zQgTBHv.exe PID: 6484, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Window / User API: threadDelayed 355 Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Window / User API: threadDelayed 9462 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe TID: 6488 Thread sleep time: -104535s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe TID: 6488 Thread sleep time: -40000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe TID: 6512 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe TID: 6720 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe TID: 6920 Thread sleep time: -14757395258967632s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe TID: 6924 Thread sleep count: 355 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe TID: 6924 Thread sleep count: 9462 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe TID: 6920 Thread sleep count: 39 > 30 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Thread delayed: delay time: 104535 Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Thread delayed: delay time: 40000 Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: Ko4zQgTBHv.exe, 00000000.00000002.342175940.0000000002D4E000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: Ko4zQgTBHv.exe, 00000004.00000002.599388925.0000000006690000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Memory written: C:\Users\user\Desktop\Ko4zQgTBHv.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\vZvprBd' /XML 'C:\Users\user\AppData\Local\Temp\tmpF3F1.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Process created: C:\Users\user\Desktop\Ko4zQgTBHv.exe C:\Users\user\Desktop\Ko4zQgTBHv.exe Jump to behavior
Source: Ko4zQgTBHv.exe, 00000004.00000002.594238544.00000000014F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: Ko4zQgTBHv.exe, 00000004.00000002.594238544.00000000014F0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: Ko4zQgTBHv.exe, 00000004.00000002.594238544.00000000014F0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: Ko4zQgTBHv.exe, 00000004.00000002.594238544.00000000014F0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Queries volume information: C:\Users\user\Desktop\Ko4zQgTBHv.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Queries volume information: C:\Users\user\Desktop\Ko4zQgTBHv.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Code function: 4_2_05D05A94 GetUserNameW, 4_2_05D05A94
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.591708318.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.343072283.0000000003D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Ko4zQgTBHv.exe.3daed20.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Ko4zQgTBHv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ko4zQgTBHv.exe.3daed20.3.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.591708318.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.595056596.0000000002B01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.595643681.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.343072283.0000000003D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ko4zQgTBHv.exe PID: 6704, type: MEMORY
Source: Yara match File source: Process Memory Space: Ko4zQgTBHv.exe PID: 6484, type: MEMORY
Source: Yara match File source: 0.2.Ko4zQgTBHv.exe.3daed20.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Ko4zQgTBHv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ko4zQgTBHv.exe.3daed20.3.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\Desktop\Ko4zQgTBHv.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000004.00000002.595056596.0000000002B01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.595643681.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ko4zQgTBHv.exe PID: 6704, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.591708318.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.343072283.0000000003D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.Ko4zQgTBHv.exe.3daed20.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Ko4zQgTBHv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ko4zQgTBHv.exe.3daed20.3.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000004.00000002.591708318.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.595056596.0000000002B01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.595643681.0000000002BB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.343072283.0000000003D01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ko4zQgTBHv.exe PID: 6704, type: MEMORY
Source: Yara match File source: Process Memory Space: Ko4zQgTBHv.exe PID: 6484, type: MEMORY
Source: Yara match File source: 0.2.Ko4zQgTBHv.exe.3daed20.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Ko4zQgTBHv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Ko4zQgTBHv.exe.3daed20.3.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 412502 Sample: Ko4zQgTBHv.exe Startdate: 12/05/2021 Architecture: WINDOWS Score: 100 29 Found malware configuration 2->29 31 Multi AV Scanner detection for dropped file 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 6 other signatures 2->35 7 Ko4zQgTBHv.exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\Roaming\vZvprBd.exe, PE32 7->19 dropped 21 C:\Users\user\...\vZvprBd.exe:Zone.Identifier, ASCII 7->21 dropped 23 C:\Users\user\AppData\Local\...\tmpF3F1.tmp, XML 7->23 dropped 25 C:\Users\user\AppData\...\Ko4zQgTBHv.exe.log, ASCII 7->25 dropped 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->37 39 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->39 41 Uses schtasks.exe or at.exe to add and modify task schedules 7->41 43 Injects a PE file into a foreign processes 7->43 11 Ko4zQgTBHv.exe 2 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 27 mail.privateemail.com 198.54.122.60, 49752, 587 NAMECHEAP-NETUS United States 11->27 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 2 other signatures 11->51 17 conhost.exe 15->17         started        signatures8 process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
198.54.122.60
 mail.privateemail.com United States
22612 NAMECHEAP-NETUS false

Contacted Domains

Name IP Active
mail.privateemail.com 198.54.122.60 true