Analysis Report NEW-ORDER.(Ref PO-298721).exe

Overview

General Information

Sample Name: NEW-ORDER.(Ref PO-298721).exe
Analysis ID: 433325
MD5: c24db33dcb80c125929e56b349aef88b
SHA1: 685b0a2469c84129e35f5009d5f46477212f10ff
SHA256: 6a994554941a4823012414ea3de13cd21a9ed1e5c0ed4648fbfa91dcd81dae79
Tags: AgentTeslaexeratremcos
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000005.00000002.906370490.0000000002CF1000.00000004.00000001.sdmp Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "manish.gupta@omicronernergy.comtDqq*Na6smtp.omicronernergy.com"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\dbUtABvDycqz.exe Metadefender: Detection: 34% Perma Link
Source: C:\Users\user\AppData\Roaming\dbUtABvDycqz.exe ReversingLabs: Detection: 65%
Multi AV Scanner detection for submitted file
Source: NEW-ORDER.(Ref PO-298721).exe Virustotal: Detection: 31% Perma Link
Source: NEW-ORDER.(Ref PO-298721).exe Metadefender: Detection: 34% Perma Link
Source: NEW-ORDER.(Ref PO-298721).exe ReversingLabs: Detection: 65%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\dbUtABvDycqz.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: NEW-ORDER.(Ref PO-298721).exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.0.NEW-ORDER.(Ref PO-298721).exe.400000.1.unpack Avira: Label: TR/Spy.Gen8
Source: 5.2.NEW-ORDER.(Ref PO-298721).exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

barindex
Uses 32bit PE files
Source: NEW-ORDER.(Ref PO-298721).exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: NEW-ORDER.(Ref PO-298721).exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\CZuaLVSaDt\src\obj\Debug\TraceLoggingTypeInfo.pdb source: NEW-ORDER.(Ref PO-298721).exe

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49771 -> 208.91.199.223:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49772 -> 208.91.199.223:587
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49771 -> 208.91.199.223:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.91.199.223 208.91.199.223
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.4:49771 -> 208.91.199.223:587
Source: unknown DNS traffic detected: queries for: smtp.omicronernergy.com
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.906370490.0000000002CF1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.906370490.0000000002CF1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.906370490.0000000002CF1000.00000004.00000001.sdmp String found in binary or memory: http://MAwYKI.com
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659605450.0000000002A81000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.907129054.0000000003057000.00000004.00000001.sdmp String found in binary or memory: http://smtp.omicronernergy.com
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.907129054.0000000003057000.00000004.00000001.sdmp String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.906370490.0000000002CF1000.00000004.00000001.sdmp String found in binary or memory: https://jLu3b8shjhUe.net
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659984462.0000000003A89000.00000004.00000001.sdmp, NEW-ORDER.(Ref PO-298721).exe, 00000005.00000000.654489875.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.906370490.0000000002CF1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Installs a global keyboard hook
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Jump to behavior
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary:

barindex
.NET source code contains very large array initializations
Source: 5.0.NEW-ORDER.(Ref PO-298721).exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b85F2CCB3u002d4440u002d4FE8u002d92CFu002d4F2A3ECD0BBEu007d/u00368F2FDBFu002dF366u002d435Du002d8C3Fu002d339575B521D6.cs Large array initialization: .cctor: array initializer size 11945
Source: 5.2.NEW-ORDER.(Ref PO-298721).exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b85F2CCB3u002d4440u002d4FE8u002d92CFu002d4F2A3ECD0BBEu007d/u00368F2FDBFu002dF366u002d435Du002d8C3Fu002d339575B521D6.cs Large array initialization: .cctor: array initializer size 11945
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: NEW-ORDER.(Ref PO-298721).exe
Detected potential crypto function
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_005CB7D5 1_2_005CB7D5
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C62DD8 1_2_05C62DD8
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C6E138 1_2_05C6E138
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C614C0 1_2_05C614C0
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C6E4A8 1_2_05C6E4A8
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C60C70 1_2_05C60C70
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C6EBB8 1_2_05C6EBB8
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C61EA0 1_2_05C61EA0
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C6F240 1_2_05C6F240
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C6C5D8 1_2_05C6C5D8
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C62D6D 1_2_05C62D6D
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C6A480 1_2_05C6A480
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C65480 1_2_05C65480
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C65490 1_2_05C65490
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C69098 1_2_05C69098
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C63CA8 1_2_05C63CA8
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C614B0 1_2_05C614B0
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C63CB8 1_2_05C63CB8
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C60040 1_2_05C60040
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C69040 1_2_05C69040
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C65060 1_2_05C65060
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C65070 1_2_05C65070
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C60007 1_2_05C60007
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C647D1 1_2_05C647D1
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C647E0 1_2_05C647E0
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C69FB8 1_2_05C69FB8
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C60BB8 1_2_05C60BB8
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C65F70 1_2_05C65F70
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C652C8 1_2_05C652C8
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C65ED8 1_2_05C65ED8
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C6BEE0 1_2_05C6BEE0
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C61E90 1_2_05C61E90
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C652B9 1_2_05C652B9
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C64E59 1_2_05C64E59
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C64E68 1_2_05C64E68
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_0BEE0040 1_2_0BEE0040
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_0BEE0006 1_2_0BEE0006
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_005CC915 1_2_005CC915
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_0084B7D5 5_2_0084B7D5
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_00D26CE8 5_2_00D26CE8
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_00D2C198 5_2_00D2C198
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_00D27E40 5_2_00D27E40
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_00D21B68 5_2_00D21B68
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_00D230F0 5_2_00D230F0
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_00D200A0 5_2_00D200A0
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_00D21B16 5_2_00D21B16
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_00D2DB28 5_2_00D2DB28
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_00FF5DD8 5_2_00FF5DD8
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_00FF6510 5_2_00FF6510
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_00FF57E0 5_2_00FF57E0
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_00FFE338 5_2_00FFE338
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_00FF4978 5_2_00FF4978
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_011446A0 5_2_011446A0
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_0114467D 5_2_0114467D
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_0114D301 5_2_0114D301
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_06041BB8 5_2_06041BB8
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_0607C4E0 5_2_0607C4E0
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_0607051F 5_2_0607051F
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_06078D9C 5_2_06078D9C
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_06075DD0 5_2_06075DD0
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_06076C98 5_2_06076C98
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_0084C915 5_2_0084C915
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: String function: 00D20040 appears 34 times
PE file contains strange resources
Source: NEW-ORDER.(Ref PO-298721).exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: dbUtABvDycqz.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.663759923.000000000BCF0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs NEW-ORDER.(Ref PO-298721).exe
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.663759923.000000000BCF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs NEW-ORDER.(Ref PO-298721).exe
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.663467586.000000000BC00000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs NEW-ORDER.(Ref PO-298721).exe
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000000.635637564.0000000000666000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTraceLoggingTypeInfo.exeH vs NEW-ORDER.(Ref PO-298721).exe
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKygo.dll* vs NEW-ORDER.(Ref PO-298721).exe
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659984462.0000000003A89000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameZeCZoLumKUlqgLhVTBGayNKBODOczMKnM.exe4 vs NEW-ORDER.(Ref PO-298721).exe
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.660121761.0000000003BD4000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs NEW-ORDER.(Ref PO-298721).exe
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.905124694.0000000001000000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs NEW-ORDER.(Ref PO-298721).exe
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.909745162.0000000005D30000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs NEW-ORDER.(Ref PO-298721).exe
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.905249891.00000000010B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx.mui vs NEW-ORDER.(Ref PO-298721).exe
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.904357562.00000000008E6000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameTraceLoggingTypeInfo.exeH vs NEW-ORDER.(Ref PO-298721).exe
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.904175791.0000000000402000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameZeCZoLumKUlqgLhVTBGayNKBODOczMKnM.exe4 vs NEW-ORDER.(Ref PO-298721).exe
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.905222915.00000000010A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamewshom.ocx vs NEW-ORDER.(Ref PO-298721).exe
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.904471307.0000000000CF8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs NEW-ORDER.(Ref PO-298721).exe
Source: NEW-ORDER.(Ref PO-298721).exe Binary or memory string: OriginalFilenameTraceLoggingTypeInfo.exeH vs NEW-ORDER.(Ref PO-298721).exe
Uses 32bit PE files
Source: NEW-ORDER.(Ref PO-298721).exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: NEW-ORDER.(Ref PO-298721).exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dbUtABvDycqz.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 5.0.NEW-ORDER.(Ref PO-298721).exe.400000.1.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.0.NEW-ORDER.(Ref PO-298721).exe.400000.1.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.NEW-ORDER.(Ref PO-298721).exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 5.2.NEW-ORDER.(Ref PO-298721).exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/5@4/1
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe File created: C:\Users\user\AppData\Roaming\dbUtABvDycqz.exe Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Mutant created: \Sessions\1\BaseNamedObjects\mddhQHCcfUmwiOAolWFYG
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5164:120:WilError_01
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe File created: C:\Users\user\AppData\Local\Temp\tmp8BDC.tmp Jump to behavior
Source: NEW-ORDER.(Ref PO-298721).exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: NEW-ORDER.(Ref PO-298721).exe Virustotal: Detection: 31%
Source: NEW-ORDER.(Ref PO-298721).exe Metadefender: Detection: 34%
Source: NEW-ORDER.(Ref PO-298721).exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe File read: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe 'C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe'
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dbUtABvDycqz' /XML 'C:\Users\user\AppData\Local\Temp\tmp8BDC.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process created: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dbUtABvDycqz' /XML 'C:\Users\user\AppData\Local\Temp\tmp8BDC.tmp' Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process created: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: NEW-ORDER.(Ref PO-298721).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: NEW-ORDER.(Ref PO-298721).exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: NEW-ORDER.(Ref PO-298721).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\CZuaLVSaDt\src\obj\Debug\TraceLoggingTypeInfo.pdb source: NEW-ORDER.(Ref PO-298721).exe

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_005C5A3D push es; retf 0000h 1_2_005C5CE2
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C6684F push esp; iretd 1_2_05C66851
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C66859 push esp; iretd 1_2_05C6685B
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C676A9 push ebx; iretd 1_2_05C676AB
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 1_2_05C676B3 push ebx; iretd 1_2_05C676B5
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_00845A3D push es; retf 0000h 5_2_00845CE2
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_00FFD458 pushad ; retf 5_2_00FFD459
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_00FFD44C pushad ; retf 5_2_00FFD455
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_00FFB5FF push edi; retn 0000h 5_2_00FFB601
Source: initial sample Static PE information: section name: .text entropy: 7.73942494263
Source: initial sample Static PE information: section name: .text entropy: 7.73942494263

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe File created: C:\Users\user\AppData\Roaming\dbUtABvDycqz.exe Jump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dbUtABvDycqz' /XML 'C:\Users\user\AppData\Local\Temp\tmp8BDC.tmp'

Hooking and other Techniques for Hiding and Protection:

barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NEW-ORDER.(Ref PO-298721).exe PID: 7060, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Window / User API: threadDelayed 758 Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Window / User API: threadDelayed 9050 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe TID: 7064 Thread sleep time: -103078s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe TID: 4460 Thread sleep time: -11990383647911201s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe TID: 6840 Thread sleep count: 758 > 30 Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe TID: 6840 Thread sleep count: 9050 > 30 Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe TID: 4460 Thread sleep count: 53 > 30 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Thread delayed: delay time: 103078 Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.909745162.0000000005D30000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp Binary or memory string: vmware
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.909745162.0000000005D30000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.909745162.0000000005D30000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: NEW-ORDER.(Ref PO-298721).exe, 00000001.00000002.659659639.0000000002AC2000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.904938331.0000000000F5D000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.909745162.0000000005D30000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Code function: 5_2_00D22DB8 LdrInitializeThunk, 5_2_00D22DB8
Enables debug privileges
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Memory written: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\dbUtABvDycqz' /XML 'C:\Users\user\AppData\Local\Temp\tmp8BDC.tmp' Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Process created: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Jump to behavior
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.905768522.0000000001690000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.905768522.0000000001690000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.905768522.0000000001690000.00000002.00000001.sdmp Binary or memory string: Progman
Source: NEW-ORDER.(Ref PO-298721).exe, 00000005.00000002.905768522.0000000001690000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Queries volume information: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Queries volume information: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000000.654489875.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.659984462.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.904175791.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.NEW-ORDER.(Ref PO-298721).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.NEW-ORDER.(Ref PO-298721).exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NEW-ORDER.(Ref PO-298721).exe.3b493e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NEW-ORDER.(Ref PO-298721).exe.3b493e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NEW-ORDER.(Ref PO-298721).exe.3a89930.2.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000000.654489875.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.659984462.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.904175791.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.906370490.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NEW-ORDER.(Ref PO-298721).exe PID: 4672, type: MEMORY
Source: Yara match File source: Process Memory Space: NEW-ORDER.(Ref PO-298721).exe PID: 7060, type: MEMORY
Source: Yara match File source: 5.2.NEW-ORDER.(Ref PO-298721).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.NEW-ORDER.(Ref PO-298721).exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NEW-ORDER.(Ref PO-298721).exe.3b493e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NEW-ORDER.(Ref PO-298721).exe.3b493e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NEW-ORDER.(Ref PO-298721).exe.3a89930.2.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\Desktop\NEW-ORDER.(Ref PO-298721).exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000005.00000002.906370490.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NEW-ORDER.(Ref PO-298721).exe PID: 4672, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000000.654489875.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.659984462.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.904175791.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.NEW-ORDER.(Ref PO-298721).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.NEW-ORDER.(Ref PO-298721).exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NEW-ORDER.(Ref PO-298721).exe.3b493e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NEW-ORDER.(Ref PO-298721).exe.3b493e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NEW-ORDER.(Ref PO-298721).exe.3a89930.2.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000000.654489875.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.659984462.0000000003A89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.904175791.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.906370490.0000000002CF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NEW-ORDER.(Ref PO-298721).exe PID: 4672, type: MEMORY
Source: Yara match File source: Process Memory Space: NEW-ORDER.(Ref PO-298721).exe PID: 7060, type: MEMORY
Source: Yara match File source: 5.2.NEW-ORDER.(Ref PO-298721).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.NEW-ORDER.(Ref PO-298721).exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NEW-ORDER.(Ref PO-298721).exe.3b493e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NEW-ORDER.(Ref PO-298721).exe.3b493e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.NEW-ORDER.(Ref PO-298721).exe.3a89930.2.raw.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 433325 Sample: NEW-ORDER.(Ref PO-298721).exe Startdate: 11/06/2021 Architecture: WINDOWS Score: 100 31 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->31 33 Found malware configuration 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 12 other signatures 2->37 7 NEW-ORDER.(Ref PO-298721).exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\...\dbUtABvDycqz.exe, PE32 7->19 dropped 21 C:\Users\...\dbUtABvDycqz.exe:Zone.Identifier, ASCII 7->21 dropped 23 C:\Users\user\AppData\Local\...\tmp8BDC.tmp, XML 7->23 dropped 25 C:\...25EW-ORDER.(Ref PO-298721).exe.log, ASCII 7->25 dropped 39 Injects a PE file into a foreign processes 7->39 11 NEW-ORDER.(Ref PO-298721).exe 6 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 27 smtp.omicronernergy.com 11->27 29 us2.smtp.mailhostbox.com 208.91.199.223, 49771, 49772, 587 PUBLIC-DOMAIN-REGISTRYUS United States 11->29 41 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->41 43 Tries to steal Mail credentials (via file access) 11->43 45 Tries to harvest and steal ftp login credentials 11->45 47 2 other signatures 11->47 17 conhost.exe 15->17         started        signatures8 process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.91.199.223
 us2.smtp.mailhostbox.com United States
394695 PUBLIC-DOMAIN-REGISTRYUS false

Contacted Domains

Name IP Active
us2.smtp.mailhostbox.com 208.91.199.223 true
smtp.omicronernergy.com unknown unknown