Loading ...

Play interactive tourEdit tour

Windows Analysis Report Quotation for Enq # 90038355.exe

Overview

General Information

Sample Name:Quotation for Enq # 90038355.exe
Analysis ID:483892
MD5:344ba2ed272ba7e67556b82f312ea816
SHA1:e1d5527552a9879bfded79c3c76a673913e15ada
SHA256:9b4cb73e87053b62028a877f31ffba62960560bf707fa0458b3acc0899e942dd
Tags:agentteslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: MSBuild connects to smtp port
Installs a global keyboard hook
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large strings
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • Quotation for Enq # 90038355.exe (PID: 5192 cmdline: 'C:\Users\user\Desktop\Quotation for Enq # 90038355.exe' MD5: 344BA2ED272BA7E67556B82F312EA816)
    • MSBuild.exe (PID: 1848 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: D621FD77BD585874F9686D3A76462EF1)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "share@phoenixfinance.com.bd", "Password": "Pfil*786", "Host": "mail.phoenixfinance.com.bd"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.931030895.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000002.00000002.931030895.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
        00000000.00000002.670463877.00000000043B4000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000000.00000002.670463877.00000000043B4000.00000004.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
            Click to see the 8 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.Quotation for Enq # 90038355.exe.420acc8.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              0.2.Quotation for Enq # 90038355.exe.420acc8.1.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                2.2.MSBuild.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  2.2.MSBuild.exe.400000.0.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    0.2.Quotation for Enq # 90038355.exe.420acc8.1.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 1 entries

                      Sigma Overview

                      Networking:

                      barindex
                      Sigma detected: MSBuild connects to smtp portShow sources
                      Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 192.185.108.208, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 1848, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49832

                      System Summary:

                      barindex
                      Sigma detected: Possible Applocker BypassShow sources
                      Source: Process startedAuthor: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ParentCommandLine: 'C:\Users\user\Desktop\Quotation for Enq # 90038355.exe' , ParentImage: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe, ParentProcessId: 5192, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, ProcessId: 1848

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 0.2.Quotation for Enq # 90038355.exe.420acc8.1.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "share@phoenixfinance.com.bd", "Password": "Pfil*786", "Host": "mail.phoenixfinance.com.bd"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: Quotation for Enq # 90038355.exeVirustotal: Detection: 32%Perma Link
                      Source: Quotation for Enq # 90038355.exeReversingLabs: Detection: 26%
                      Machine Learning detection for sampleShow sources
                      Source: Quotation for Enq # 90038355.exeJoe Sandbox ML: detected
                      Source: 2.2.MSBuild.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: Quotation for Enq # 90038355.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: Quotation for Enq # 90038355.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Networking:

                      barindex
                      Source: Joe Sandbox ViewASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49695 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49746 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49698
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49697
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49696
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49695
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49694
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49693
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49692
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49690
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49749 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49681 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50120 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49688
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50119
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49681
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49748 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49688 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49751 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49717
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49757 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 50119 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50120
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49757
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49754
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49751
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49747 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49749
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49748
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49747
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49746
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: unknownTCP traffic detected without corresponding DNS query: 92.122.145.220
                      Source: MSBuild.exe, 00000002.00000002.933029235.0000000003351000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: MSBuild.exe, 00000002.00000002.933029235.0000000003351000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: MSBuild.exe, 00000002.00000002.935633413.00000000064A0000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
                      Source: MSBuild.exe, 00000002.00000002.933029235.0000000003351000.00000004.00000001.sdmpString found in binary or memory: http://bJvmVK.com
                      Source: MSBuild.exe, 00000002.00000002.935633413.00000000064A0000.00000004.00000001.sdmpString found in binary or memory: http://cps.letsencrypt.org0
                      Source: MSBuild.exe, 00000002.00000002.935578751.000000000648B000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsenc
                      Source: MSBuild.exe, 00000002.00000002.935633413.00000000064A0000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
                      Source: MSBuild.exe, 00000002.00000002.935633413.00000000064A0000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
                      Source: MSBuild.exe, 00000002.00000002.934081784.0000000003706000.00000004.00000001.sdmpString found in binary or memory: http://mail.phoenixfinance.com.bd
                      Source: MSBuild.exe, 00000002.00000002.935633413.00000000064A0000.00000004.00000001.sdmpString found in binary or memory: http://r3.i.lencr.org/0v
                      Source: MSBuild.exe, 00000002.00000002.935633413.00000000064A0000.00000004.00000001.sdmpString found in binary or memory: http://r3.o.lencr.org0
                      Source: MSBuild.exe, 00000002.00000002.935633413.00000000064A0000.00000004.00000001.sdmpString found in binary or memory: http://x1.c.lencr.org/0
                      Source: MSBuild.exe, 00000002.00000002.935633413.00000000064A0000.00000004.00000001.sdmpString found in binary or memory: http://x1.i.lencr.org/0
                      Source: MSBuild.exe, 00000002.00000002.933029235.0000000003351000.00000004.00000001.sdmpString found in binary or memory: https://YWRIJujMGl.org
                      Source: MSBuild.exe, 00000002.00000002.933029235.0000000003351000.00000004.00000001.sdmpString found in binary or memory: https://YWRIJujMGl.orgD0=
                      Source: MSBuild.exe, 00000002.00000002.933029235.0000000003351000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%
                      Source: MSBuild.exe, 00000002.00000002.933029235.0000000003351000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: Quotation for Enq # 90038355.exe, 00000000.00000002.670463877.00000000043B4000.00000004.00000001.sdmp, MSBuild.exe, 00000002.00000002.931030895.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: MSBuild.exe, 00000002.00000002.933029235.0000000003351000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: unknownDNS traffic detected: queries for: mail.phoenixfinance.com.bd

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      barindex
                      Installs a global keyboard hookShow sources
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeJump to behavior
                      Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669555775.00000000015AB000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: Quotation for Enq # 90038355.exe
                      .NET source code contains very large stringsShow sources
                      Source: Quotation for Enq # 90038355.exe, Forms/mainForm.csLong String: Length: 38272
                      Source: 0.0.Quotation for Enq # 90038355.exe.e60000.0.unpack, Forms/mainForm.csLong String: Length: 38272
                      Source: 0.2.Quotation for Enq # 90038355.exe.e60000.0.unpack, Forms/mainForm.csLong String: Length: 38272
                      Source: Quotation for Enq # 90038355.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeCode function: 0_2_0159C1240_2_0159C124
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeCode function: 0_2_0159E5700_2_0159E570
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeCode function: 0_2_0159E5630_2_0159E563
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeCode function: 0_2_051432750_2_05143275
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeCode function: 0_2_05142E900_2_05142E90
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeCode function: 0_2_05143B480_2_05143B48
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeCode function: 0_2_05146BB80_2_05146BB8
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeCode function: 0_2_051414780_2_05141478
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeCode function: 0_2_051414680_2_05141468
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeCode function: 0_2_051434A80_2_051434A8
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeCode function: 0_2_051437B00_2_051437B0
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeCode function: 0_2_051437C00_2_051437C0
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeCode function: 0_2_05143D410_2_05143D41
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeCode function: 0_2_05140D780_2_05140D78
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeCode function: 0_2_05140D670_2_05140D67
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeCode function: 0_2_05142E800_2_05142E80
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeCode function: 0_2_05143B390_2_05143B39
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05E2B6CC2_2_05E2B6CC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05E2D1582_2_05E2D158
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05E213602_2_05E21360
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05E2D8682_2_05E2D868
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_066DD65F2_2_066DD65F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_066D9F942_2_066D9F94
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_066D5D782_2_066D5D78
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_066DDAB82_2_066DDAB8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_066DBBC12_2_066DBBC1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_066D00862_2_066D0086
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_066D6E682_2_066D6E68
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_066D6E5C2_2_066D6E5C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_066D8D702_2_066D8D70
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_07172C582_2_07172C58
                      Source: Quotation for Enq # 90038355.exeBinary or memory string: OriginalFilename vs Quotation for Enq # 90038355.exe
                      Source: Quotation for Enq # 90038355.exe, 00000000.00000000.661886892.0000000000E62000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameEVENTFILTERDESCRIPT.exe4 vs Quotation for Enq # 90038355.exe
                      Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamejsUtdMNBeuhbNnokaRBAyEynyJeXUAQH.exe4 vs Quotation for Enq # 90038355.exe
                      Source: Quotation for Enq # 90038355.exe, 00000000.00000002.670396850.0000000004311000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCF_Secretaria.dll< vs Quotation for Enq # 90038355.exe
                      Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669555775.00000000015AB000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Quotation for Enq # 90038355.exe
                      Source: Quotation for Enq # 90038355.exeBinary or memory string: OriginalFilenameEVENTFILTERDESCRIPT.exe4 vs Quotation for Enq # 90038355.exe
                      Source: Quotation for Enq # 90038355.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Quotation for Enq # 90038355.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Quotation for Enq # 90038355.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Quotation for Enq # 90038355.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: Quotation for Enq # 90038355.exeVirustotal: Detection: 32%
                      Source: Quotation for Enq # 90038355.exeReversingLabs: Detection: 26%
                      Source: Quotation for Enq # 90038355.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe 'C:\Users\user\Desktop\Quotation for Enq # 90038355.exe'
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation for Enq # 90038355.exe.logJump to behavior
                      Source: classification engineClassification label: mal100.spre.troj.spyw.evad.winEXE@3/2@2/1
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeMutant created: \Sessions\1\BaseNamedObjects\NFGbaNkhdbYRiBBEDhHWGl
                      Source: Quotation for Enq # 90038355.exe, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 0.0.Quotation for Enq # 90038355.exe.e60000.0.unpack, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 0.2.Quotation for Enq # 90038355.exe.e60000.0.unpack, Forms/mainForm.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: Quotation for Enq # 90038355.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Quotation for Enq # 90038355.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Quotation for Enq # 90038355.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: Quotation for Enq # 90038355.exe, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.0.Quotation for Enq # 90038355.exe.e60000.0.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 0.2.Quotation for Enq # 90038355.exe.e60000.0.unpack, Forms/mainForm.cs.Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeCode function: 0_2_0159B5D1 pushad ; retf 0_2_0159B5ED
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeCode function: 0_2_0159F933 push esp; iretd 0_2_0159F939
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeCode function: 0_2_0514289F push edx; retf 0_2_051428A0
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeCode function: 0_2_05142898 push edx; retf 0_2_05142899
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_05E20BCE push ss; iretd 2_2_05E20BD6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_066D3C2B push 0000001Ah; iretd 2_2_066D3C2D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_066D3DB5 push es; ret 2_2_066D3E10
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_066D9A5F push ss; iretd 2_2_066D9A65
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_066D5BE8 push ss; iretd 2_2_066D5BEF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 2_2_066D41E1 push es; ret 2_2_066D41F4
                      Source: Quotation for Enq # 90038355.exeStatic PE information: 0xC4BE8666 [Mon Aug 6 22:36:22 2074 UTC]
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.22138751359

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Icon mismatch, binary includes an icon from a different legit application in order to fool usersShow sources
                      Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: icon2083.png
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Yara detected AntiVM3Show sources
                      Source: Yara matchFile source: 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Quotation for Enq # 90038355.exe PID: 5192, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
                      Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe TID: 5416Thread sleep time: -39332s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exe TID: 3112Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 6092Thread sleep time: -14757395258967632s >= -30000sJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688Thread sleep count: 9535 > 30Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5688Thread sleep count: 315 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWindow / User API: threadDelayed 9535Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeThread delayed: delay time: 39332Jump to behavior
                      Source: C:\Users\user\Desktop\Quotation for Enq # 90038355.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: Quotation for Enq # 90038355.exe, 00000000.00000002.669711456.0000000003141000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: MSBuild.exe, 00000002.00000002.935518873.000000000647B000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll