Analysis Report supply us this product.exe

Overview

General Information

Sample Name: supply us this product.exe
Analysis ID: 432673
MD5: 958f243581dc2eda4e763086875e9a0b
SHA1: cd163dd563fa0cda762ab9c5df8743f053fed612
SHA256: ae44346a0297d8a9deab5419ff2b4679b83646abbed05b835c90fc33eb3ce2d5
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign process
Installs a global keyboard hook
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 1.2.supply us this product.exe.3770470.2.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "ideshow@eflownutrition.com", "Password": "ngozi8989", "Host": "mail.scottbyscott.com"}
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.supply us this product.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 5.0.supply us this product.exe.400000.1.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: supply us this product.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: supply us this product.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\kzeyDVBhkY\src\obj\Debug\MultiProducerMultiConsumerQueue.pdb<O source: supply us this product.exe
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\kzeyDVBhkY\src\obj\Debug\MultiProducerMultiConsumerQueue.pdb source: supply us this product.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_0B12AC58
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_0B12BF78

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49759 -> 50.87.146.199:587
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49759 -> 50.87.146.199:587
Source: unknown DNS traffic detected: queries for: mail.scottbyscott.com
Source: supply us this product.exe, 00000005.00000002.476764881.0000000002881000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: supply us this product.exe, 00000005.00000002.476764881.0000000002881000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: supply us this product.exe, 00000005.00000002.478257571.0000000002AF7000.00000004.00000001.sdmp, supply us this product.exe, 00000005.00000002.478643570.0000000002B54000.00000004.00000001.sdmp String found in binary or memory: http://htwqxRSsZE4FT.org
Source: supply us this product.exe, 00000005.00000002.478483716.0000000002B30000.00000004.00000001.sdmp String found in binary or memory: http://mail.scottbyscott.com
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: supply us this product.exe, 00000001.00000002.216030237.00000000024F1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: supply us this product.exe, 00000005.00000002.478483716.0000000002B30000.00000004.00000001.sdmp String found in binary or memory: http://scottbyscott.com
Source: supply us this product.exe, 00000005.00000002.476764881.0000000002881000.00000004.00000001.sdmp String found in binary or memory: http://vmyBzt.com
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: supply us this product.exe, 00000001.00000002.216940516.00000000034F9000.00000004.00000001.sdmp, supply us this product.exe, 00000005.00000000.212702747.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: supply us this product.exe, 00000005.00000002.476764881.0000000002881000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\supply us this product.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\supply us this product.exe
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\supply us this product.exe Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\supply us this product.exe File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 5.2.supply us this product.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b9AB3E9B2u002dCCCAu002d4F7Du002d85E1u002d8625B6C7A3E5u007d/u003129E41EDu002d6F52u002d4B23u002d9F03u002d59879E427C5D.cs Large array initialization: .cctor: array initializer size 11994
Source: 5.0.supply us this product.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b9AB3E9B2u002dCCCAu002d4F7Du002d85E1u002d8625B6C7A3E5u007d/u003129E41EDu002d6F52u002d4B23u002d9F03u002d59879E427C5D.cs Large array initialization: .cctor: array initializer size 11994
Detected potential crypto function
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_024B94A8 1_2_024B94A8
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_024BC148 1_2_024BC148
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_024BA758 1_2_024BA758
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_054FB440 1_2_054FB440
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_054FF3B0 1_2_054FF3B0
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_054FACF0 1_2_054FACF0
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_054FBE70 1_2_054FBE70
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_054F7B00 1_2_054F7B00
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_054F7548 1_2_054F7548
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_054F7550 1_2_054F7550
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_054FB433 1_2_054FB433
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_054FA179 1_2_054FA179
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_054FA188 1_2_054FA188
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_054FF1B8 1_2_054FF1B8
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_054F0040 1_2_054F0040
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_054F003E 1_2_054F003E
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_054FACEB 1_2_054FACEB
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_054FECE8 1_2_054FECE8
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_054FEF20 1_2_054FEF20
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_054FBE6E 1_2_054FBE6E
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_054FDB60 1_2_054FDB60
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_054F7AFB 1_2_054F7AFB
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B12B510 1_2_0B12B510
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B124500 1_2_0B124500
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B1289E7 1_2_0B1289E7
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B124018 1_2_0B124018
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B1247F8 1_2_0B1247F8
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B1247E9 1_2_0B1247E9
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B128A4E 1_2_0B128A4E
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B1236DC 1_2_0B1236DC
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B123110 1_2_0B123110
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B128810 1_2_0B128810
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B126810 1_2_0B126810
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B128801 1_2_0B128801
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B120006 1_2_0B120006
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B124008 1_2_0B124008
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B125C31 1_2_0B125C31
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B128450 1_2_0B128450
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B120040 1_2_0B120040
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B125C40 1_2_0B125C40
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B128441 1_2_0B128441
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B1230C9 1_2_0B1230C9
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B1244EF 1_2_0B1244EF
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 5_2_00D147A0 5_2_00D147A0
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 5_2_00D14790 5_2_00D14790
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 5_2_00D383B0 5_2_00D383B0
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 5_2_00D3A778 5_2_00D3A778
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 5_2_00D35940 5_2_00D35940
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 5_2_00D32EC8 5_2_00D32EC8
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 5_2_00D32F3A 5_2_00D32F3A
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 5_2_00D66818 5_2_00D66818
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 5_2_00D65AB8 5_2_00D65AB8
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 5_2_00D66230 5_2_00D66230
PE file contains strange resources
Source: supply us this product.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: supply us this product.exe, 00000001.00000002.220189281.0000000005620000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs supply us this product.exe
Source: supply us this product.exe, 00000001.00000002.214120101.000000000018A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMultiProducerMultiConsumerQueue.exe< vs supply us this product.exe
Source: supply us this product.exe, 00000001.00000002.216030237.00000000024F1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamedpmEuvYxooWcRZhqwNkcIIeFuEcnrQym.exe4 vs supply us this product.exe
Source: supply us this product.exe, 00000001.00000002.216940516.00000000034F9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKygo.dll* vs supply us this product.exe
Source: supply us this product.exe, 00000003.00000000.210980526.00000000004EA000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMultiProducerMultiConsumerQueue.exe< vs supply us this product.exe
Source: supply us this product.exe, 00000005.00000002.472757335.000000000058A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMultiProducerMultiConsumerQueue.exe< vs supply us this product.exe
Source: supply us this product.exe, 00000005.00000002.475727960.0000000000D70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs supply us this product.exe
Source: supply us this product.exe, 00000005.00000002.473311587.00000000009D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs supply us this product.exe
Source: supply us this product.exe, 00000005.00000002.471383380.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamedpmEuvYxooWcRZhqwNkcIIeFuEcnrQym.exe4 vs supply us this product.exe
Source: supply us this product.exe, 00000005.00000002.473017146.0000000000938000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs supply us this product.exe
Source: supply us this product.exe Binary or memory string: OriginalFilenameMultiProducerMultiConsumerQueue.exe< vs supply us this product.exe
Uses 32bit PE files
Source: supply us this product.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: supply us this product.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5.2.supply us this product.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (2 occurrences)
Source: 5.0.supply us this product.exe.400000.1.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (2 occurrences)
Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.winEXE@5/2@2/1
Source: C:\Users\user\Desktop\supply us this product.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\supply us this product.exe.log
Source: supply us this product.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\supply us this product.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll (2 occurrences)
Source: C:\Users\user\Desktop\supply us this product.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\supply us this product.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\supply us this product.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\supply us this product.exe File read: C:\Windows\System32\drivers\etc\hosts (3 occurrences)
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: unknown Process created: C:\Users\user\Desktop\supply us this product.exe 'C:\Users\user\Desktop\supply us this product.exe'
Source: C:\Users\user\Desktop\supply us this product.exe Process created: C:\Users\user\Desktop\supply us this product.exe C:\Users\user\Desktop\supply us this product.exe (4 occurrences)
Source: C:\Users\user\Desktop\supply us this product.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\supply us this product.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\supply us this product.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: supply us this product.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: supply us this product.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: supply us this product.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\kzeyDVBhkY\src\obj\Debug\MultiProducerMultiConsumerQueue.pdb<O source: supply us this product.exe
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\kzeyDVBhkY\src\obj\Debug\MultiProducerMultiConsumerQueue.pdb source: supply us this product.exe

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_054FB3B0 push eax; retf 1_2_054FB3B1
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B124B6E push ebx; retf 1_2_0B124B7B
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B127DDA push ecx; retf 1_2_0B127DDB
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B127DE1 push ecx; retf 1_2_0B127DE2
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 1_2_0B12805D push esp; retf 1_2_0B128064
Source: initial sample Static PE information: section name: .text entropy: 7.95544670392

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\supply us this product.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\supply us this product.exe Process information set: NOOPENFILEERRORBOX (86 occurrences)
Source: C:\Users\user\Desktop\supply us this product.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: supply us this product.exe PID: 5764, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\supply us this product.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\supply us this product.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\supply us this product.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\supply us this product.exe Window / User API: threadDelayed 2046
Source: C:\Users\user\Desktop\supply us this product.exe Window / User API: threadDelayed 7805
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\supply us this product.exe TID: 4768 Thread sleep time: -101949s >= -30000s
Source: C:\Users\user\Desktop\supply us this product.exe TID: 5108 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\supply us this product.exe TID: 1064 Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Users\user\Desktop\supply us this product.exe TID: 1048 Thread sleep count: 2046 > 30
Source: C:\Users\user\Desktop\supply us this product.exe TID: 1048 Thread sleep count: 7805 > 30
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\supply us this product.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\supply us this product.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\supply us this product.exe Thread delayed: delay time: 101949
Source: C:\Users\user\Desktop\supply us this product.exe Thread delayed: delay time: 922337203685477
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp Binary or memory string: vmware
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}"_
Source: C:\Users\user\Desktop\supply us this product.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\supply us this product.exe Code function: 5_2_00D3B6E8 LdrInitializeThunk, 5_2_00D3B6E8
Enables debug privileges
Source: C:\Users\user\Desktop\supply us this product.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\supply us this product.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\supply us this product.exe Memory written: C:\Users\user\Desktop\supply us this product.exe base: 400000 value starts with: 4D5A
Modifies the hosts file
Source: C:\Users\user\Desktop\supply us this product.exe File written: C:\Windows\System32\drivers\etc\hosts
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\supply us this product.exe Process created: C:\Users\user\Desktop\supply us this product.exe C:\Users\user\Desktop\supply us this product.exe
Source: supply us this product.exe, 00000005.00000002.476156488.00000000012D0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: supply us this product.exe, 00000005.00000002.476156488.00000000012D0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: supply us this product.exe, 00000005.00000002.476156488.00000000012D0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: supply us this product.exe, 00000005.00000002.476156488.00000000012D0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number, etc.) of a device
Source: C:\Users\user\Desktop\supply us this product.exe Queries volume information: C:\Users\user\Desktop\supply us this product.exe VolumeInformation
Source: C:\Users\user\Desktop\supply us this product.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\supply us this product.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\supply us this product.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\supply us this product.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\supply us this product.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\supply us this product.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\supply us this product.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\supply us this product.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Users\user\Desktop\supply us this product.exe File written: C:\Windows\System32\drivers\etc\hosts

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000005.00000000.212702747.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.216940516.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.471383380.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.supply us this product.exe.3770470.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.supply us this product.exe.3770470.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.supply us this product.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.supply us this product.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.supply us this product.exe.35bbe30.1.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000000.212702747.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.216940516.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.471383380.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: supply us this product.exe PID: 5764, type: MEMORY
Source: Yara match File source: Process Memory Space: supply us this product.exe PID: 4772, type: MEMORY
Source: Yara match File source: 1.2.supply us this product.exe.3770470.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.supply us this product.exe.3770470.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.supply us this product.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.supply us this product.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.supply us this product.exe.35bbe30.1.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\supply us this product.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\supply us this product.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\supply us this product.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal FTP login credentials
Source: C:\Users\user\Desktop\supply us this product.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\supply us this product.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\supply us this product.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\supply us this product.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\supply us this product.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 00000005.00000002.476764881.0000000002881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: supply us this product.exe PID: 4772, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000005.00000000.212702747.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.216940516.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.471383380.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.supply us this product.exe.3770470.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.supply us this product.exe.3770470.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.supply us this product.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.supply us this product.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.supply us this product.exe.35bbe30.1.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000000.212702747.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.216940516.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.471383380.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: supply us this product.exe PID: 5764, type: MEMORY
Source: Yara match File source: Process Memory Space: supply us this product.exe PID: 4772, type: MEMORY
Source: Yara match File source: 1.2.supply us this product.exe.3770470.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.supply us this product.exe.3770470.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.supply us this product.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.supply us this product.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.supply us this product.exe.35bbe30.1.raw.unpack, type: UNPACKEDPE