Windows Analysis Report CMR-7146846_PDF.pif

Overview

General Information

Sample Name:	CMR-7146846_PDF.pif (renamed file extension from pif to exe)
Analysis ID:	492199
MD5:	71028a6ec414b1642243aa4981a3365f
SHA1:	630b016a94f7bee220565d3b9a55a2ae8ef73c5a
SHA256:	167d1af8c8c4a185c34d0e65bab348748fb524f3e95c6136324f1e2d7e310918
Tags:	agentteslaexe
Infos:
Most interesting Screenshot:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Detected unpacking (overwrites its own PE header)

Yara detected AgentTesla

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Machine Learning detection for sample

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Moves itself to temp directory

Tries to steal Mail credentials (via file access)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Yara detected Credential Stealer

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection:

Found malware configuration

Source: 2.2.CMR-7146846_PDF.exe.4970000.5.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "vic@globalmedical.nl", "Password": "W3oxtsMvzRhJV&eBZoFabwZV", "Host": "mail.globalmedical.nl"}

Multi AV Scanner detection for submitted file

Source: CMR-7146846_PDF.exe	Virustotal: Detection: 32%			Perma Link
Source: CMR-7146846_PDF.exe	ReversingLabs: Detection: 35%

Machine Learning detection for sample

Source: CMR-7146846_PDF.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nsiF9AF.tmp\agyko.dll

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 2.2.CMR-7146846_PDF.exe.4970000.5.unpack	Avira: Label: TR/Spy.Gen8
Source: 2.2.CMR-7146846_PDF.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 2.1.CMR-7146846_PDF.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8

Compliance:

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe

Unpacked PE file: 2.2.CMR-7146846_PDF.exe.400000.0.unpack

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe

Unpacked PE file: 2.2.CMR-7146846_PDF.exe.4970000.5.unpack

Uses 32bit PE files

Source: CMR-7146846_PDF.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: wntdll.pdbUGP source: CMR-7146846_PDF.exe, 00000000.00000003.363777273.000000000E9D0000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: CMR-7146846_PDF.exe, 00000000.00000003.363777273.000000000E9D0000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 0_2_00405EC2 FindFirstFileA,FindClose,	0_2_00405EC2
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 0_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_004054EC
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 0_2_00402671 FindFirstFileA,	0_2_00402671
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 2_2_00404A29 FindFirstFileExW,	2_2_00404A29

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49834 -> 185.104.29.70:587

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AS-ZXCSNL AS-ZXCSNL

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 185.104.29.70 185.104.29.70
Source: Joe Sandbox View	IP Address: 185.104.29.70 185.104.29.70

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:49834 -> 185.104.29.70:587

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.6:49834 -> 185.104.29.70:587

Source: CMR-7146846_PDF.exe, 00000002.00000002.629693670.0000000002411000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CMR-7146846_PDF.exe, 00000002.00000002.629693670.0000000002411000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: CMR-7146846_PDF.exe, 00000002.00000002.629693670.0000000002411000.00000004.00000001.sdmp	String found in binary or memory: http://ddNhwG.com
Source: CMR-7146846_PDF.exe, 00000002.00000002.631714049.000000000276F000.00000004.00000001.sdmp	String found in binary or memory: http://mail.globalmedical.nl
Source: CMR-7146846_PDF.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: CMR-7146846_PDF.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CMR-7146846_PDF.exe, 00000002.00000002.629693670.0000000002411000.00000004.00000001.sdmp, CMR-7146846_PDF.exe, 00000002.00000002.631714049.000000000276F000.00000004.00000001.sdmp, CMR-7146846_PDF.exe, 00000002.00000003.587762630.00000000050F1000.00000004.00000001.sdmp	String found in binary or memory: https://QzBZUNOYPDPf.com
Source: CMR-7146846_PDF.exe, 00000002.00000002.629693670.0000000002411000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%$
Source: CMR-7146846_PDF.exe, 00000002.00000002.629693670.0000000002411000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: CMR-7146846_PDF.exe	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: CMR-7146846_PDF.exe, 00000002.00000002.629693670.0000000002411000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown

DNS traffic detected: queries for: mail.globalmedical.nl

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe

Code function: 0_2_00404FF1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404FF1

System Summary:

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: CMR-7146846_PDF.exe

Uses 32bit PE files

Source: CMR-7146846_PDF.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe

Code function: 0_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_0040312A

Detected potential crypto function

Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 0_2_00406354	0_2_00406354
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 0_2_00404802	0_2_00404802
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 0_2_00406B2B	0_2_00406B2B
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 0_2_7365AA0F	0_2_7365AA0F
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 0_2_7365AA1E	0_2_7365AA1E
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 2_2_0040A2A5	2_2_0040A2A5
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 2_2_0078C268	2_2_0078C268
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 2_2_00787388	2_2_00787388

Sample file is different than original file name gathered from version info

Source: CMR-7146846_PDF.exe, 00000000.00000003.363210386.000000000E956000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs CMR-7146846_PDF.exe
Source: CMR-7146846_PDF.exe, 00000000.00000002.373072071.000000000E7F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamekrQdlryxVJGWmOsVbuwTEnFgX.exe4 vs CMR-7146846_PDF.exe
Source: CMR-7146846_PDF.exe	Binary or memory string: OriginalFilename vs CMR-7146846_PDF.exe
Source: CMR-7146846_PDF.exe, 00000002.00000002.632498335.0000000004972000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamekrQdlryxVJGWmOsVbuwTEnFgX.exe4 vs CMR-7146846_PDF.exe
Source: CMR-7146846_PDF.exe, 00000002.00000002.625566247.0000000000199000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs CMR-7146846_PDF.exe

Source: CMR-7146846_PDF.exe	Virustotal: Detection: 32%
Source: CMR-7146846_PDF.exe	ReversingLabs: Detection: 35%

Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe

File read: C:\Users\user\Desktop\CMR-7146846_PDF.exe

Source: unknown	Process created: C:\Users\user\Desktop\CMR-7146846_PDF.exe 'C:\Users\user\Desktop\CMR-7146846_PDF.exe'
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process created: C:\Users\user\Desktop\CMR-7146846_PDF.exe 'C:\Users\user\Desktop\CMR-7146846_PDF.exe'
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process created: C:\Users\user\Desktop\CMR-7146846_PDF.exe 'C:\Users\user\Desktop\CMR-7146846_PDF.exe'	Jump to behavior

Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe TID: 5764	Thread sleep time: -11990383647911201s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe TID: 6068	Thread sleep count: 9213 > 30	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe TID: 6068	Thread sleep count: 645 > 30	Jump to behavior

Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Window / User API: threadDelayed 9213			Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Window / User API: threadDelayed 645			Jump to behavior

Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 0_2_7365A402 mov eax, dword ptr fs:[00000030h]	0_2_7365A402
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 0_2_7365A744 mov eax, dword ptr fs:[00000030h]	0_2_7365A744
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 0_2_7365A706 mov eax, dword ptr fs:[00000030h]	0_2_7365A706
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 0_2_7365A616 mov eax, dword ptr fs:[00000030h]	0_2_7365A616
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 0_2_7365A6C7 mov eax, dword ptr fs:[00000030h]	0_2_7365A6C7
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 2_2_004035F1 mov eax, dword ptr fs:[00000030h]	2_2_004035F1

Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 2_2_00401E1D SetUnhandledExceptionFilter,	2_2_00401E1D
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0040446F
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 2_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00401C88
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Code function: 2_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00401F30

Source: CMR-7146846_PDF.exe, 00000002.00000002.629291886.0000000000E30000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: CMR-7146846_PDF.exe, 00000002.00000002.629291886.0000000000E30000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: CMR-7146846_PDF.exe, 00000002.00000002.629291886.0000000000E30000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: CMR-7146846_PDF.exe, 00000002.00000002.629291886.0000000000E30000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: Yara match	File source: 2.2.CMR-7146846_PDF.exe.3415530.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.CMR-7146846_PDF.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.CMR-7146846_PDF.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.CMR-7146846_PDF.exe.4930000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.CMR-7146846_PDF.exe.4930000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.CMR-7146846_PDF.exe.4970000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CMR-7146846_PDF.exe.e801458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.CMR-7146846_PDF.exe.6d1ae0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.CMR-7146846_PDF.exe.6d1ae0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.CMR-7146846_PDF.exe.3415530.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.CMR-7146846_PDF.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.CMR-7146846_PDF.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CMR-7146846_PDF.exe.e7f0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.CMR-7146846_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.CMR-7146846_PDF.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CMR-7146846_PDF.exe.e801458.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.1.CMR-7146846_PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.CMR-7146846_PDF.exe.e7f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.373072071.000000000E7F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.632498335.0000000004972000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.625897476.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.632394783.0000000004930000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.628026463.00000000006B8000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.632152824.0000000003411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000001.370770222.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.629693670.0000000002411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CMR-7146846_PDF.exe PID: 6124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: CMR-7146846_PDF.exe PID: 772, type: MEMORYSTR

Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\Desktop\CMR-7146846_PDF.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

ID:	492199
Product:	CloudBasic
Start time:	13:24:51
Start date:	28.09.2021
Sample:	CMR-7146846_PDF.pif
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	71028a6ec414b1642243aa4981a3365f
SHA1:	630b016a94f7bee220565d3b9a55a2ae8ef73c5a
SHA256:	167d1af8c8c4a185c34d0e65bab348748fb524f3e95c6136324f1e2d7e310918
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\lwp4r7ldzqpo26xd	data	2FE1DC80424E1F7A367C2EC10F82D6E3	A1CBB2EE20EEB13B7D8A3C322BEE54F2F44246E2	8B59DB4A29E96B2178AF1491631076557866ECD5AF4DF7CB1FE02DD7A2AAE38D
C:\Users\user\AppData\Local\Temp\nsiF9AF.tmp\agyko.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	7DC59F4707DAE01D8BC589B5764FBD65	53397FB4FCE54937BF30764283934B6573FD63A9	D8F687BA9EEA4E69AEAAD9CCCAFD1ECC9BE0B1B09C88AB8A4B5728ABA666C903

Windows Analysis Report CMR-7146846_PDF.pif

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains