Analysis Report PRODUCT RANGE # 363688.exe

Overview

General Information

Sample Name: PRODUCT RANGE # 363688.exe
Analysis ID: 412789
MD5: ae217283accb5243c9eac64b4d6499da
SHA1: 9ce75c3fc7cb467a12cb0eb33d4db39b09b76e39
SHA256: 5c1f080fef21aead48710426ee2f010fedd606a33deadf5c51dc18a2149cac33
Tags: exe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000005.00000002.470087094.0000000003221000.00000004.00000001.sdmp Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "aseel.albiaty@rvwtechno.comlDRsz!u1us2.smtp.mailhostbox.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\IhyLRJs.exe ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: PRODUCT RANGE # 363688.exe Virustotal: Detection: 18% Perma Link
Source: PRODUCT RANGE # 363688.exe ReversingLabs: Detection: 31%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\IhyLRJs.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PRODUCT RANGE # 363688.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.PRODUCT RANGE # 363688.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

barindex
Uses 32bit PE files
Source: PRODUCT RANGE # 363688.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PRODUCT RANGE # 363688.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_00CC8600
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_00CC85FF
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_00CC86B4

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49747 -> 208.91.199.224:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49748 -> 208.91.199.225:587
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49747 -> 208.91.199.224:587
Source: global traffic TCP traffic: 192.168.2.3:49748 -> 208.91.199.225:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.91.199.225 208.91.199.225
Source: Joe Sandbox View IP Address: 208.91.199.224 208.91.199.224
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49747 -> 208.91.199.224:587
Source: global traffic TCP traffic: 192.168.2.3:49748 -> 208.91.199.225:587
Source: unknown DNS traffic detected: queries for: us2.smtp.mailhostbox.com
Source: PRODUCT RANGE # 363688.exe, 00000005.00000002.470087094.0000000003221000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: PRODUCT RANGE # 363688.exe, 00000005.00000002.470087094.0000000003221000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PRODUCT RANGE # 363688.exe, 00000005.00000002.472730285.00000000034D8000.00000004.00000001.sdmp String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: PRODUCT RANGE # 363688.exe, 00000005.00000002.470087094.0000000003221000.00000004.00000001.sdmp String found in binary or memory: http://wQPGdS.com
Source: PRODUCT RANGE # 363688.exe, 00000005.00000002.470087094.0000000003221000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: PRODUCT RANGE # 363688.exe, 00000005.00000002.470087094.0000000003221000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%H
Source: PRODUCT RANGE # 363688.exe, 00000005.00000002.470087094.0000000003221000.00000004.00000001.sdmp, PRODUCT RANGE # 363688.exe, 00000005.00000003.421329124.0000000001454000.00000004.00000001.sdmp, PRODUCT RANGE # 363688.exe, 00000005.00000002.472779536.00000000034E6000.00000004.00000001.sdmp String found in binary or memory: https://ebGG0GqWTIe5USzGG5.net
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.211414964.0000000003A67000.00000004.00000001.sdmp, PRODUCT RANGE # 363688.exe, 00000005.00000002.465675526.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: PRODUCT RANGE # 363688.exe, 00000005.00000002.470087094.0000000003221000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Installs a global keyboard hook
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Jump to behavior
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary:

barindex
.NET source code contains very large array initializations
Source: 5.2.PRODUCT RANGE # 363688.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b3A4239B4u002dDDBEu002d48D7u002d91D9u002d0CEC4E5279BAu007d/C7FD085Cu002d9C50u002d467Bu002d99D7u002d4CDD1975C770.cs Large array initialization: .cctor: array initializer size 12034
Detected potential crypto function
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00BAC508 0_2_00BAC508
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00BA99D8 0_2_00BA99D8
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00CC5B48 0_2_00CC5B48
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00CC5D02 0_2_00CC5D02
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00CC7510 0_2_00CC7510
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00CC4D28 0_2_00CC4D28
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00CC4678 0_2_00CC4678
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00CC8E00 0_2_00CC8E00
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00CC0040 0_2_00CC0040
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00CC2001 0_2_00CC2001
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00CC0011 0_2_00CC0011
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00CC3A20 0_2_00CC3A20
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00CC0351 0_2_00CC0351
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00CC0360 0_2_00CC0360
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00CC5B39 0_2_00CC5B39
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00CC0403 0_2_00CC0403
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00CC5D54 0_2_00CC5D54
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00CC4D18 0_2_00CC4D18
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00CC4667 0_2_00CC4667
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00CC7616 0_2_00CC7616
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00CC5788 0_2_00CC5788
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 0_2_00CC5778 0_2_00CC5778
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_01438108 5_2_01438108
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_0143D328 5_2_0143D328
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_0143DE38 5_2_0143DE38
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_0143BAC8 5_2_0143BAC8
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_01430CC0 5_2_01430CC0
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_01432FA8 5_2_01432FA8
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_016B48E0 5_2_016B48E0
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_016B55B3 5_2_016B55B3
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_016B3E1C 5_2_016B3E1C
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_016B47EF 5_2_016B47EF
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_016B4813 5_2_016B4813
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_016B4890 5_2_016B4890
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_016B55D0 5_2_016B55D0
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_0170F108 5_2_0170F108
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_017068F8 5_2_017068F8
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_01705B98 5_2_01705B98
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_0172D96D 5_2_0172D96D
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_017299F4 5_2_017299F4
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_017257F8 5_2_017257F8
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_0172D8AD 5_2_0172D8AD
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_01720286 5_2_01720286
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_01727160 5_2_01727160
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_0172F3FF 5_2_0172F3FF
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_0172F053 5_2_0172F053
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_01727210 5_2_01727210
Sample file is different than original file name gathered from version info
Source: PRODUCT RANGE # 363688.exe Binary or memory string: OriginalFilename vs PRODUCT RANGE # 363688.exe
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.213283971.000000000BAB0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs PRODUCT RANGE # 363688.exe
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.213283971.000000000BAB0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PRODUCT RANGE # 363688.exe
Source: PRODUCT RANGE # 363688.exe, 00000000.00000000.197182444.00000000002A2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSizedReference.exeP vs PRODUCT RANGE # 363688.exe
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll( vs PRODUCT RANGE # 363688.exe
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamencTtYjWGTqUzfocYuUOOQzyjmolRNMGkwCU.exe4 vs PRODUCT RANGE # 363688.exe
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.212652375.0000000005950000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs PRODUCT RANGE # 363688.exe
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.212926363.000000000B9B0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs PRODUCT RANGE # 363688.exe
Source: PRODUCT RANGE # 363688.exe Binary or memory string: OriginalFilename vs PRODUCT RANGE # 363688.exe
Source: PRODUCT RANGE # 363688.exe, 00000004.00000002.206929920.0000000000152000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSizedReference.exeP vs PRODUCT RANGE # 363688.exe
Source: PRODUCT RANGE # 363688.exe Binary or memory string: OriginalFilename vs PRODUCT RANGE # 363688.exe
Source: PRODUCT RANGE # 363688.exe, 00000005.00000002.475755268.0000000006760000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PRODUCT RANGE # 363688.exe
Source: PRODUCT RANGE # 363688.exe, 00000005.00000002.469751251.00000000016D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs PRODUCT RANGE # 363688.exe
Source: PRODUCT RANGE # 363688.exe, 00000005.00000002.465675526.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamencTtYjWGTqUzfocYuUOOQzyjmolRNMGkwCU.exe4 vs PRODUCT RANGE # 363688.exe
Source: PRODUCT RANGE # 363688.exe, 00000005.00000000.207624426.0000000000E92000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSizedReference.exeP vs PRODUCT RANGE # 363688.exe
Source: PRODUCT RANGE # 363688.exe, 00000005.00000002.466719814.00000000012F8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PRODUCT RANGE # 363688.exe
Source: PRODUCT RANGE # 363688.exe Binary or memory string: OriginalFilenameSizedReference.exeP vs PRODUCT RANGE # 363688.exe
Uses 32bit PE files
Source: PRODUCT RANGE # 363688.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PRODUCT RANGE # 363688.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: IhyLRJs.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5.2.PRODUCT RANGE # 363688.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.PRODUCT RANGE # 363688.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/5@2/2
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe File created: C:\Users\user\AppData\Roaming\IhyLRJs.exe Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Mutant created: \Sessions\1\BaseNamedObjects\nwSPKEeHwaiSDzFrUCUuogB
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3088:120:WilError_01
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe File created: C:\Users\user\AppData\Local\Temp\tmpD303.tmp Jump to behavior
Source: PRODUCT RANGE # 363688.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: PRODUCT RANGE # 363688.exe Virustotal: Detection: 18%
Source: PRODUCT RANGE # 363688.exe ReversingLabs: Detection: 31%
Source: PRODUCT RANGE # 363688.exe String found in binary or memory: ^(Male|Female)$-Add Student Details :-
Source: PRODUCT RANGE # 363688.exe String found in binary or memory: Teacher Name-Add Teacher Details :-
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe File read: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe 'C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe'
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\IhyLRJs' /XML 'C:\Users\user\AppData\Local\Temp\tmpD303.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process created: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process created: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\IhyLRJs' /XML 'C:\Users\user\AppData\Local\Temp\tmpD303.tmp' Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process created: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process created: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: PRODUCT RANGE # 363688.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PRODUCT RANGE # 363688.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_016BD491 push esp; iretd 5_2_016BD49D
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_0170B5DF push edi; retn 0000h 5_2_0170B5E1
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_0170D5A3 push cs; iretd 5_2_0170D5A9
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_0170D650 pushad ; iretd 5_2_0170D651
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_0170D6E0 pushad ; iretd 5_2_0170D6E1
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_0170D6E8 pushad ; iretd 5_2_0170D6E9
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_0170D6D0 pushad ; iretd 5_2_0170D6D1
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_0170D6D8 pushad ; iretd 5_2_0170D6D9
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_01724782 push 8BFFFFFFh; retf 5_2_01724788
Source: initial sample Static PE information: section name: .text entropy: 7.61432599861
Source: initial sample Static PE information: section name: .text entropy: 7.61432599861

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe File created: C:\Users\user\AppData\Roaming\IhyLRJs.exe Jump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\IhyLRJs' /XML 'C:\Users\user\AppData\Local\Temp\tmpD303.tmp'

Hooking and other Techniques for Hiding and Protection:

barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PRODUCT RANGE # 363688.exe PID: 1564, type: MEMORY
Source: Yara match File source: 0.2.PRODUCT RANGE # 363688.exe.2918f34.1.raw.unpack, type: UNPACKEDPE
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Window / User API: threadDelayed 2140 Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Window / User API: threadDelayed 7681 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe TID: 6076 Thread sleep time: -100855s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe TID: 6120 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe TID: 5440 Thread sleep time: -8301034833169293s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe TID: 6056 Thread sleep count: 2140 > 30 Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe TID: 6056 Thread sleep count: 7681 > 30 Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe TID: 5440 Thread sleep count: 44 > 30 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Thread delayed: delay time: 100855 Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: PRODUCT RANGE # 363688.exe, 00000000.00000002.210350921.00000000028F1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Code function: 5_2_01438BE0 LdrInitializeThunk, 5_2_01438BE0
Enables debug privileges
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Memory written: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\IhyLRJs' /XML 'C:\Users\user\AppData\Local\Temp\tmpD303.tmp' Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process created: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Process created: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Jump to behavior
Source: PRODUCT RANGE # 363688.exe, 00000005.00000002.469941869.0000000001C60000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: PRODUCT RANGE # 363688.exe, 00000005.00000002.469941869.0000000001C60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: PRODUCT RANGE # 363688.exe, 00000005.00000002.469941869.0000000001C60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: PRODUCT RANGE # 363688.exe, 00000005.00000002.469941869.0000000001C60000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Queries volume information: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Queries volume information: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.211190142.00000000038F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.465675526.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.211414964.0000000003A67000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.PRODUCT RANGE # 363688.exe.3a10c18.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PRODUCT RANGE # 363688.exe.3a10c18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PRODUCT RANGE # 363688.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.211190142.00000000038F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.465675526.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.211414964.0000000003A67000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.470087094.0000000003221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PRODUCT RANGE # 363688.exe PID: 6116, type: MEMORY
Source: Yara match File source: Process Memory Space: PRODUCT RANGE # 363688.exe PID: 1564, type: MEMORY
Source: Yara match File source: 0.2.PRODUCT RANGE # 363688.exe.3a10c18.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PRODUCT RANGE # 363688.exe.3a10c18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PRODUCT RANGE # 363688.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\Desktop\PRODUCT RANGE # 363688.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000005.00000002.470087094.0000000003221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PRODUCT RANGE # 363688.exe PID: 6116, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.211190142.00000000038F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.465675526.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.211414964.0000000003A67000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.PRODUCT RANGE # 363688.exe.3a10c18.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PRODUCT RANGE # 363688.exe.3a10c18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PRODUCT RANGE # 363688.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000000.00000002.211190142.00000000038F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.465675526.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.211414964.0000000003A67000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.470087094.0000000003221000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PRODUCT RANGE # 363688.exe PID: 6116, type: MEMORY
Source: Yara match File source: Process Memory Space: PRODUCT RANGE # 363688.exe PID: 1564, type: MEMORY
Source: Yara match File source: 0.2.PRODUCT RANGE # 363688.exe.3a10c18.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PRODUCT RANGE # 363688.exe.3a10c18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.PRODUCT RANGE # 363688.exe.400000.0.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 412789 Sample: PRODUCT RANGE # 363688.exe Startdate: 12/05/2021 Architecture: WINDOWS Score: 100 33 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->33 35 Found malware configuration 2->35 37 Multi AV Scanner detection for dropped file 2->37 39 11 other signatures 2->39 7 PRODUCT RANGE # 363688.exe 7 2->7         started        process3 file4 21 C:\Users\user\AppData\Roaming\IhyLRJs.exe, PE32 7->21 dropped 23 C:\Users\user\...\IhyLRJs.exe:Zone.Identifier, ASCII 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmpD303.tmp, XML 7->25 dropped 27 C:\Users\...\PRODUCT RANGE # 363688.exe.log, ASCII 7->27 dropped 41 Injects a PE file into a foreign processes 7->41 11 PRODUCT RANGE # 363688.exe 6 7->11         started        15 schtasks.exe 1 7->15         started        17 PRODUCT RANGE # 363688.exe 7->17         started        signatures5 process6 dnsIp7 29 208.91.199.225, 49748, 587 PUBLIC-DOMAIN-REGISTRYUS United States 11->29 31 us2.smtp.mailhostbox.com 208.91.199.224, 49747, 587 PUBLIC-DOMAIN-REGISTRYUS United States 11->31 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->43 45 Tries to steal Mail credentials (via file access) 11->45 47 Tries to harvest and steal ftp login credentials 11->47 49 2 other signatures 11->49 19 conhost.exe 15->19         started        signatures8 process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.91.199.225
 unknown United States
394695 PUBLIC-DOMAIN-REGISTRYUS true
208.91.199.224
 us2.smtp.mailhostbox.com United States
394695 PUBLIC-DOMAIN-REGISTRYUS false

Contacted Domains

Name IP Active
us2.smtp.mailhostbox.com 208.91.199.224 true