
Analysis Report: supply us this product.exe

Overview

General Information

Sample Name: supply us this product.exe
Analysis ID: 432673
MD5: 958f243581dc2eda4e763086875e9a0b
SHA1: cd163dd563fa0cda762ab9c5df8743f053fed612
SHA256: ae44346a0297d8a9deab5419ff2b4679b83646abbed05b835c90fc33eb3ce2d5
Tags: exe

Detection

Detected family: AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Injects a PE file into a foreign processes
Installs a global keyboard hook
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • supply us this product.exe (PID: 5764 cmdline: 'C:\Users\user\Desktop\supply us this product.exe' MD5: 958F243581DC2EDA4E763086875E9A0B)
    • supply us this product.exe (PID: 4800 cmdline: C:\Users\user\Desktop\supply us this product.exe MD5: 958F243581DC2EDA4E763086875E9A0B)
    • supply us this product.exe (PID: 4772 cmdline: C:\Users\user\Desktop\supply us this product.exe MD5: 958F243581DC2EDA4E763086875E9A0B)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "ideshow@eflownutrition.com", "Password": "ngozi8989", "Host": "mail.scottbyscott.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000005.00000000.212702747.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000000.212702747.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000001.00000002.216940516.00000000034F9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.216940516.00000000034F9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
1.2.supply us this product.exe.3770470.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.supply us this product.exe.3770470.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
1.2.supply us this product.exe.3770470.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.supply us this product.exe.3770470.2.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
5.2.supply us this product.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 1.2.supply us this product.exe.3770470.2.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "ideshow@eflownutrition.com", "Password": "ngozi8989", "Host": "mail.scottbyscott.com"}
Source: 5.2.supply us this product.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 5.0.supply us this product.exe.400000.1.unpack | Avira: Label: TR/Spy.Gen8
Source: supply us this product.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: supply us this product.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\kzeyDVBhkY\src\obj\Debug\MultiProducerMultiConsumerQueue.pdb | source: supply us this product.exe
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 1_2_0B12AC58
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 1_2_0B12BF78
Source: global traffic | TCP traffic: 192.168.2.3:49759 -> 50.87.146.199:587
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: unknown | DNS traffic detected: queries for: mail.scottbyscott.com
Source: supply us this product.exe, 00000005.00000002.476764881.0000000002881000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: supply us this product.exe, 00000005.00000002.476764881.0000000002881000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: supply us this product.exe, 00000005.00000002.478257571.0000000002AF7000.00000004.00000001.sdmp, supply us this product.exe, 00000005.00000002.478643570.0000000002B54000.00000004.00000001.sdmp | String found in binary or memory: http://htwqxRSsZE4FT.org
Source: supply us this product.exe, 00000005.00000002.478483716.0000000002B30000.00000004.00000001.sdmp | String found in binary or memory: http://mail.scottbyscott.com
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | String found in binary or memory: http://r3.i.lencr.org/0
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: supply us this product.exe, 00000001.00000002.216030237.00000000024F1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: supply us this product.exe, 00000005.00000002.478483716.0000000002B30000.00000004.00000001.sdmp | String found in binary or memory: http://scottbyscott.com
Source: supply us this product.exe, 00000005.00000002.476764881.0000000002881000.00000004.00000001.sdmp | String found in binary or memory: http://vmyBzt.com
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: supply us this product.exe, 00000001.00000002.216940516.00000000034F9000.00000004.00000001.sdmp, supply us this product.exe, 00000005.00000000.212702747.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: supply us this product.exe, 00000005.00000002.476764881.0000000002881000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\supply us this product.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\supply us this product.exe
Source: C:\Users\user\Desktop\supply us this product.exe | Window created: window name: CLIPBRDWNDCLASS

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Users\user\Desktop\supply us this product.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 5.2.supply us this product.exe.400000.0.unpack, <PrivateImplementationDetails>{9AB3E9B2-CCCA-4F7D-85E1-8625B6C7A3E5}/129E41ED-6F52-4B23-9F03-59879E427C5D.cs | Large array initialization: .cctor: array initializer size 11994
Source: 5.0.supply us this product.exe.400000.1.unpack, <PrivateImplementationDetails>{9AB3E9B2-CCCA-4F7D-85E1-8625B6C7A3E5}/129E41ED-6F52-4B23-9F03-59879E427C5D.cs | Large array initialization: .cctor: array initializer size 11994
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_024B94A8
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_024BC148
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_024BA758
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FB440
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FF3B0
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FACF0
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FBE70
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054F7B00
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054F7548
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054F7550
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FB433
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FA179
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FA188
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FF1B8
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054F0040
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054F003E
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FACEB
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FECE8
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FEF20
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FBE6E
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FDB60
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054F7AFB
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B12B510
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B124500
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B1289E7
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B124018
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B1247F8
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B1247E9
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B128A4E
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B1236DC
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B123110
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B128810
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B126810
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B128801
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B120006
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B124008
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B125C31
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B128450
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B120040
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B125C40
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B128441
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B1230C9
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B1244EF
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D147A0
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D14790
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D383B0
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D3A778
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D35940
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D32EC8
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D32F3A
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D66818
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D65AB8
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D66230
Source: supply us this product.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: supply us this product.exe, 00000001.00000002.220189281.0000000005620000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs supply us this product.exe
Source: supply us this product.exe, 00000001.00000002.214120101.000000000018A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMultiProducerMultiConsumerQueue.exe< vs supply us this product.exe
Source: supply us this product.exe, 00000001.00000002.216030237.00000000024F1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamedpmEuvYxooWcRZhqwNkcIIeFuEcnrQym.exe4 vs supply us this product.exe
Source: supply us this product.exe, 00000001.00000002.216940516.00000000034F9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKygo.dll* vs supply us this product.exe
Source: supply us this product.exe, 00000003.00000000.210980526.00000000004EA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMultiProducerMultiConsumerQueue.exe< vs supply us this product.exe
Source: supply us this product.exe, 00000005.00000002.472757335.000000000058A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMultiProducerMultiConsumerQueue.exe< vs supply us this product.exe
Source: supply us this product.exe, 00000005.00000002.475727960.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs supply us this product.exe
Source: supply us this product.exe, 00000005.00000002.473311587.00000000009D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs supply us this product.exe
Source: supply us this product.exe, 00000005.00000002.471383380.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamedpmEuvYxooWcRZhqwNkcIIeFuEcnrQym.exe4 vs supply us this product.exe
Source: supply us this product.exe, 00000005.00000002.473017146.0000000000938000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs supply us this product.exe
Source: supply us this product.exe | Binary or memory string: OriginalFilenameMultiProducerMultiConsumerQueue.exe< vs supply us this product.exe
Source: supply us this product.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: supply us this product.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5.2.supply us this product.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.supply us this product.exe.400000.1.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@5/2@2/1
Source: C:\Users\user\Desktop\supply us this product.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\supply us this product.exe.log
Source: C:\Users\user\Desktop\supply us this product.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\supply us this product.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\supply us this product.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\supply us this product.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\supply us this product.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: unknown | Process created: C:\Users\user\Desktop\supply us this product.exe 'C:\Users\user\Desktop\supply us this product.exe'
Source: C:\Users\user\Desktop\supply us this product.exe | Process created: C:\Users\user\Desktop\supply us this product.exe C:\Users\user\Desktop\supply us this product.exe
Source: C:\Users\user\Desktop\supply us this product.exe | Process created: C:\Users\user\Desktop\supply us this product.exe C:\Users\user\Desktop\supply us this product.exe
Source: C:\Users\user\Desktop\supply us this product.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\supply us this product.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\supply us this product.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: supply us this product.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: supply us this product.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: supply us this product.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\kzeyDVBhkY\src\obj\Debug\MultiProducerMultiConsumerQueue.pdb | source: supply us this product.exe
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_054FB3B0 push eax; retf | 1_2_054FB3B1
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B124B6E push ebx; retf | 1_2_0B124B7B
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B127DDA push ecx; retf | 1_2_0B127DDB
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B127DE1 push ecx; retf | 1_2_0B127DE2
Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 1_2_0B12805D push esp; retf | 1_2_0B128064
Source: initial sample | Static PE information: section name: .text entropy: 7.95544670392
Source: C:\Users\user\Desktop\supply us this product.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\supply us this product.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match | File source: 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: supply us this product.exe PID: 5764, type: MEMORY
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\supply us this product.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\Desktop\supply us this product.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\supply us this product.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\supply us this product.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\supply us this product.exe | Window / User API: threadDelayed 2046
                      Source: C:\Users\user\Desktop\supply us this product.exe | Window / User API: threadDelayed 7805
                      Source: C:\Users\user\Desktop\supply us this product.exe TID: 4768 | Thread sleep time: -101949s >= -30000s
                      Source: C:\Users\user\Desktop\supply us this product.exe TID: 5108 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\supply us this product.exe TID: 1064 | Thread sleep time: -18446744073709540s >= -30000s
                      Source: C:\Users\user\Desktop\supply us this product.exe TID: 1048 | Thread sleep count: 2046 > 30
                      Source: C:\Users\user\Desktop\supply us this product.exe TID: 1048 | Thread sleep count: 7805 > 30
                      Source: C:\Users\user\Desktop\supply us this product.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\supply us this product.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\supply us this product.exe | Thread delayed: delay time: 101949
                      Source: C:\Users\user\Desktop\supply us this product.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\supply us this product.exe | Thread delayed: delay time: 922337203685477
                      Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: vmware
                      Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
                      Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: VMWARE
                      Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
                      Source: supply us this product.exe, 00000001.00000002.216164536.000000000252E000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: supply us this product.exe, 00000005.00000002.474926872.0000000000BB3000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}"_
                      Source: C:\Users\user\Desktop\supply us this product.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\supply us this product.exe | Code function: 5_2_00D3B6E8 LdrInitializeThunk,5_2_00D3B6E8
                      Source: C:\Users\user\Desktop\supply us this product.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\supply us this product.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\supply us this product.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion: