Windows Analysis Report Price enquiry for test machine.exe

Overview

General Information

Sample Name: Price enquiry for test machine.exe
Analysis ID: 502599
MD5: c7564ca82a81b09c5d401918fda024c2
SHA1: ef07d5e0c6f49aa75a63108ec655860da6591a6a
SHA256: f9db35de0ae4c59df7d3ef7525cc111b55e9304cf8d61714d69378aa201acd7f
Tags: agentteslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected AgentTesla
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection:

barindex
Found malware configuration
Source: 1.2.Price enquiry for test machine.exe.4980000.4.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "osy@seredebe.com", "Password": "@4u$1Ldri{uQ", "Host": "smtp.seredebe.com"}
Multi AV Scanner detection for submitted file
Source: Price enquiry for test machine.exe Virustotal: Detection: 25% Perma Link
Source: Price enquiry for test machine.exe ReversingLabs: Detection: 24%
Machine Learning detection for sample
Source: Price enquiry for test machine.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.Price enquiry for test machine.exe.4980000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 1.2.Price enquiry for test machine.exe.400000.1.unpack Avira: Label: TR/Spy.Gen8
Source: 1.1.Price enquiry for test machine.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Unpacked PE file: 1.2.Price enquiry for test machine.exe.400000.1.unpack
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Unpacked PE file: 1.2.Price enquiry for test machine.exe.4980000.4.unpack
Uses 32bit PE files
Source: Price enquiry for test machine.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: Binary string: wntdll.pdbUGP source: Price enquiry for test machine.exe, 00000000.00000003.287527899.000000000F380000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: Price enquiry for test machine.exe, 00000000.00000003.287527899.000000000F380000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00404A29 FindFirstFileExW, 1_2_00404A29
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_1_00404A29 FindFirstFileExW, 1_1_00404A29

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.91.198.143 208.91.198.143
Source: Joe Sandbox View IP Address: 208.91.199.223 208.91.199.223
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49834 -> 208.91.198.143:587
Source: global traffic TCP traffic: 192.168.2.3:49838 -> 208.91.199.223:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49834 -> 208.91.198.143:587
Source: global traffic TCP traffic: 192.168.2.3:49838 -> 208.91.199.223:587
Source: Price enquiry for test machine.exe, 00000001.00000002.545933351.0000000002841000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Price enquiry for test machine.exe, 00000001.00000002.545933351.0000000002841000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: Price enquiry for test machine.exe, 00000001.00000002.545933351.0000000002841000.00000004.00000001.sdmp String found in binary or memory: http://fFlwaf.com
Source: Price enquiry for test machine.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Price enquiry for test machine.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Price enquiry for test machine.exe, 00000001.00000002.545933351.0000000002841000.00000004.00000001.sdmp String found in binary or memory: https://8CVKb4wLGkADrnEe6T.org
Source: Price enquiry for test machine.exe String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Price enquiry for test machine.exe, 00000001.00000002.545933351.0000000002841000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: smtp.seredebe.com
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00C0B982 recv, 1_2_00C0B982

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: Price enquiry for test machine.exe, 00000000.00000002.288113341.00000000006CA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FC2

System Summary:

barindex
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Price enquiry for test machine.exe
.NET source code contains very large array initializations
Source: 1.2.Price enquiry for test machine.exe.4980000.4.unpack, u003cPrivateImplementationDetailsu003eu007bB0AD7952u002d9BA5u002d4C1Au002d8F12u002dF5F6821AA348u007d/CB52A583u002d7065u002d495Fu002d9FFBu002dDDFBDAC53907.cs Large array initialization: .cctor: array initializer size 11930
Uses 32bit PE files
Source: Price enquiry for test machine.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB
Detected potential crypto function
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 0_2_004047D3 0_2_004047D3
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 0_2_004061D4 0_2_004061D4
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 0_2_72E46A2B 0_2_72E46A2B
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 0_2_72E46A3A 0_2_72E46A3A
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_0040A2A5 1_2_0040A2A5
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_049DA018 1_2_049DA018
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_049DF110 1_2_049DF110
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_049D7D00 1_2_049D7D00
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_05447027 1_2_05447027
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_054409A0 1_2_054409A0
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_054429A8 1_2_054429A8
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_1_0040A2A5 1_1_0040A2A5
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: String function: 00401ED0 appears 46 times
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: String function: 0040569E appears 36 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00C0B136 NtQuerySystemInformation, 1_2_00C0B136
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00C0B105 NtQuerySystemInformation, 1_2_00C0B105
Sample file is different than original file name gathered from version info
Source: Price enquiry for test machine.exe, 00000000.00000003.286324609.000000000F49F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Price enquiry for test machine.exe
Source: Price enquiry for test machine.exe, 00000000.00000002.288215698.0000000002360000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRsjyOsdLqvhuIzXOfDQRRmNhPfWtmUIrRAfWeL.exe4 vs Price enquiry for test machine.exe
Source: Price enquiry for test machine.exe Binary or memory string: OriginalFilename vs Price enquiry for test machine.exe
Source: Price enquiry for test machine.exe, 00000001.00000002.544995726.0000000000768000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameRsjyOsdLqvhuIzXOfDQRRmNhPfWtmUIrRAfWeL.exe4 vs Price enquiry for test machine.exe
PE file contains strange resources
Source: Price enquiry for test machine.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Price enquiry for test machine.exe Virustotal: Detection: 25%
Source: Price enquiry for test machine.exe ReversingLabs: Detection: 24%
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe File read: C:\Users\user\Desktop\Price enquiry for test machine.exe Jump to behavior
Source: Price enquiry for test machine.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Price enquiry for test machine.exe 'C:\Users\user\Desktop\Price enquiry for test machine.exe'
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process created: C:\Users\user\Desktop\Price enquiry for test machine.exe 'C:\Users\user\Desktop\Price enquiry for test machine.exe'
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process created: C:\Users\user\Desktop\Price enquiry for test machine.exe 'C:\Users\user\Desktop\Price enquiry for test machine.exe' Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00C0AFBA AdjustTokenPrivileges, 1_2_00C0AFBA
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00C0AF83 AdjustTokenPrivileges, 1_2_00C0AF83
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe File created: C:\Users\user\AppData\Roaming\ff3jhzsj.yhh Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe File created: C:\Users\user\AppData\Local\Temp\nslB4A9.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/3@3/2
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar, 0_2_00402053
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404292
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess, 1_2_00401489
Source: 1.2.Price enquiry for test machine.exe.4980000.4.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.Price enquiry for test machine.exe.4980000.4.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: Binary string: wntdll.pdbUGP source: Price enquiry for test machine.exe, 00000000.00000003.287527899.000000000F380000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: Price enquiry for test machine.exe, 00000000.00000003.287527899.000000000F380000.00000004.00000001.sdmp

Data Obfuscation:

barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Unpacked PE file: 1.2.Price enquiry for test machine.exe.400000.1.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Unpacked PE file: 1.2.Price enquiry for test machine.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Unpacked PE file: 1.2.Price enquiry for test machine.exe.4980000.4.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 0_2_72E41080 push eax; ret 0_2_72E410AE
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00401F16 push ecx; ret 1_2_00401F29
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00C0306D push edi; ret 1_2_00C0306E
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00C03401 push eax; ret 1_2_00C0340E
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00C025DD push eax; ret 1_2_00C025DE
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00C02DA8 push edi; ret 1_2_00C02DB6
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00C02570 push ecx; ret 1_2_00C02572
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00C032DC push eax; ret 1_2_00C032DE
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00C02685 push edi; ret 1_2_00C02686
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00C03389 push eax; ret 1_2_00C0340E
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00C02B20 push eax; ret 1_2_00C02B22
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_1_00401F16 push ecx; ret 1_1_00401F29
PE file contains an invalid checksum
Source: Price enquiry for test machine.exe Static PE information: real checksum: 0x0 should be: 0x7a0a3
Source: hjoxggvy.dll.0.dr Static PE information: real checksum: 0x7bd8 should be: 0xaeed

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe File created: C:\Users\user\AppData\Local\Temp\nslB4AA.tmp\hjoxggvy.dll Jump to dropped file
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Function Chain: memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadAPCQueued,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe TID: 4848 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe TID: 4848 Thread sleep time: -14250000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe TID: 4848 Thread sleep time: -90000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Window / User API: threadDelayed 475 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00404A29 FindFirstFileExW, 1_2_00404A29
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_1_00404A29 FindFirstFileExW, 1_1_00404A29
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Thread delayed: delay time: 30000 Jump to behavior
Source: Price enquiry for test machine.exe, 00000001.00000002.547347419.0000000005462000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWU
Source: Price enquiry for test machine.exe, 00000001.00000002.547347419.0000000005462000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040446F
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_004067FE GetProcessHeap, 1_2_004067FE
Enables debug privileges
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 0_2_72E46402 mov eax, dword ptr fs:[00000030h] 0_2_72E46402
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 0_2_72E466C7 mov eax, dword ptr fs:[00000030h] 0_2_72E466C7
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 0_2_72E46744 mov eax, dword ptr fs:[00000030h] 0_2_72E46744
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 0_2_72E46706 mov eax, dword ptr fs:[00000030h] 0_2_72E46706
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 0_2_72E46616 mov eax, dword ptr fs:[00000030h] 0_2_72E46616
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_004035F1 mov eax, dword ptr fs:[00000030h] 1_2_004035F1
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_1_004035F1 mov eax, dword ptr fs:[00000030h] 1_1_004035F1
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_049DED98 LdrInitializeThunk, 1_2_049DED98
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00401E1D SetUnhandledExceptionFilter, 1_2_00401E1D
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040446F
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00401C88
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00401F30
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_1_00401E1D SetUnhandledExceptionFilter, 1_1_00401E1D
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_1_0040446F
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_1_00401C88
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_1_00401F30

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Memory written: C:\Users\user\Desktop\Price enquiry for test machine.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Process created: C:\Users\user\Desktop\Price enquiry for test machine.exe 'C:\Users\user\Desktop\Price enquiry for test machine.exe' Jump to behavior
Source: Price enquiry for test machine.exe, 00000001.00000002.545562667.0000000000E60000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Price enquiry for test machine.exe, 00000001.00000002.545562667.0000000000E60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Price enquiry for test machine.exe, 00000001.00000002.545562667.0000000000E60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Price enquiry for test machine.exe, 00000001.00000002.545562667.0000000000E60000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_0040208D cpuid 1_2_0040208D
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 1_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00401B74
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 1.2.Price enquiry for test machine.exe.7a77e8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Price enquiry for test machine.exe.4980000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Price enquiry for test machine.exe.2371458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Price enquiry for test machine.exe.7a77e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Price enquiry for test machine.exe.2360000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Price enquiry for test machine.exe.4940000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Price enquiry for test machine.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Price enquiry for test machine.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Price enquiry for test machine.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Price enquiry for test machine.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Price enquiry for test machine.exe.2360000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Price enquiry for test machine.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Price enquiry for test machine.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Price enquiry for test machine.exe.4940000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Price enquiry for test machine.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Price enquiry for test machine.exe.2371458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.544995726.0000000000768000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.288215698.0000000002360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.544787506.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.287742408.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.546940233.0000000004940000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.546899969.0000000003841000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.546967586.0000000004982000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.545933351.0000000002841000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Price enquiry for test machine.exe PID: 5956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Price enquiry for test machine.exe PID: 4344, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\Price enquiry for test machine.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000002.545933351.0000000002841000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Price enquiry for test machine.exe PID: 4344, type: MEMORYSTR

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 1.2.Price enquiry for test machine.exe.7a77e8.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Price enquiry for test machine.exe.4980000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Price enquiry for test machine.exe.2371458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Price enquiry for test machine.exe.7a77e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Price enquiry for test machine.exe.2360000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Price enquiry for test machine.exe.4940000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Price enquiry for test machine.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Price enquiry for test machine.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Price enquiry for test machine.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Price enquiry for test machine.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Price enquiry for test machine.exe.2360000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Price enquiry for test machine.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Price enquiry for test machine.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Price enquiry for test machine.exe.4940000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Price enquiry for test machine.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Price enquiry for test machine.exe.2371458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.544995726.0000000000768000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.288215698.0000000002360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.544787506.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.287742408.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.546940233.0000000004940000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.546899969.0000000003841000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.546967586.0000000004982000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.545933351.0000000002841000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Price enquiry for test machine.exe PID: 5956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Price enquiry for test machine.exe PID: 4344, type: MEMORYSTR
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs