Windows Analysis Report Purchase Order PO5351.exe

Overview

General Information

Sample Name: Purchase Order PO5351.exe
Analysis ID: 502625
MD5: 583ae888adbd5a79d055fbd414cc403b
SHA1: 02fe0acb2796c2be544cee6cde690071e3cbfced
SHA256: e2ef34d6833b50a6bb0c28e94c5f1f0c7454d13b41c14b5b5a8de2a84f8a8771
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected AgentTesla
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Detected potential unwanted application
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Executable has a suspicious name (potential lure to open the executable)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Drops certificate files (DER)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 2.2.Purchase Order PO5351.exe.47c0000.4.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "newwork1@appalliser.com", "Password": "!%RvA^hkLSn&", "Host": "mail.appalliser.com"}
Multi AV Scanner detection for submitted file
Source: Purchase Order PO5351.exe ReversingLabs: Detection: 26%
Machine Learning detection for sample
Source: Purchase Order PO5351.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.1.Purchase Order PO5351.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 2.2.Purchase Order PO5351.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 2.2.Purchase Order PO5351.exe.4810000.5.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Unpacked PE file: 2.2.Purchase Order PO5351.exe.400000.0.unpack
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Unpacked PE file: 2.2.Purchase Order PO5351.exe.4810000.5.unpack
Uses 32bit PE files
Source: Purchase Order PO5351.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: Purchase Order PO5351.exe, 00000000.00000003.285257913.000000000EF70000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: Purchase Order PO5351.exe, 00000000.00000003.285257913.000000000EF70000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_00404A29 FindFirstFileExW, 2_2_00404A29

Networking:

Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ITLDC-NLUA ITLDC-NLUA
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49827 -> 185.237.206.6:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49827 -> 185.237.206.6:587
Source: Purchase Order PO5351.exe, 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Purchase Order PO5351.exe, 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: Purchase Order PO5351.exe, 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp String found in binary or memory: http://JydZpq.com
Source: Purchase Order PO5351.exe, 00000002.00000002.550446128.0000000002694000.00000004.00000001.sdmp String found in binary or memory: http://appalliser.com
Source: Purchase Order PO5351.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: Purchase Order PO5351.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: Purchase Order PO5351.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Purchase Order PO5351.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: Purchase Order PO5351.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp String found in binary or memory: http://crl.veris
Source: Purchase Order PO5351.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: Purchase Order PO5351.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Purchase Order PO5351.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: Purchase Order PO5351.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Purchase Order PO5351.exe String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: Purchase Order PO5351.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: Purchase Order PO5351.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Purchase Order PO5351.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: Purchase Order PO5351.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Purchase Order PO5351.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Purchase Order PO5351.exe String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: Purchase Order PO5351.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: Purchase Order PO5351.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: Purchase Order PO5351.exe, 00000002.00000002.553525383.00000000059A6000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.2.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1fdd1722a2534
Source: Purchase Order PO5351.exe, 00000002.00000002.550446128.0000000002694000.00000004.00000001.sdmp String found in binary or memory: http://mail.appalliser.com
Source: Purchase Order PO5351.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Purchase Order PO5351.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Purchase Order PO5351.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: Purchase Order PO5351.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: Purchase Order PO5351.exe String found in binary or memory: http://ocsp.digicert.com0L
Source: Purchase Order PO5351.exe String found in binary or memory: http://ocsp.digicert.com0N
Source: Purchase Order PO5351.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: Purchase Order PO5351.exe String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp, 2D85F72862B55C4EADD9E66E06947F3D0.2.dr String found in binary or memory: http://x1.i.lencr.org/
Source: Purchase Order PO5351.exe, 00000002.00000002.553363264.0000000005930000.00000004.00000001.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: Purchase Order PO5351.exe, 00000002.00000003.508552580.00000000059BA000.00000004.00000001.sdmp String found in binary or memory: https://dii.lencr.org/
Source: Purchase Order PO5351.exe, 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp, Purchase Order PO5351.exe, 00000002.00000003.491025576.0000000000644000.00000004.00000001.sdmp String found in binary or memory: https://m5KdogWJECP9WFOWfNf.org
Source: Purchase Order PO5351.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: Purchase Order PO5351.exe String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: Purchase Order PO5351.exe, 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: mail.appalliser.com
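The flow above (192.168.2.3:49827 -> 185.237.206.6:587, preceded by a DNS query for mail.appalliser.com) is the stealer delivering its loot over SMTP submission, matching the extracted configuration. Note that 587 is the standard submission port, so the "non-standard ports" signature is not what makes this suspicious; the anomaly is a user workstation speaking SMTP to an arbitrary external server instead of the organisation's mail relay. The Python below is added here as an illustration and is not part of the Joe Sandbox report: it runs that detection logic over constructed Zeek-style conn and dns records, suppressing the relay itself, clients submitting to the relay, and destinations whose resolved name is on an allowlist. The relay address 10.0.0.25, the allowlisted name smtp.office365.com, the extra client and server IPs and the 300-second DNS lookback are assumptions for the example.

```python
"""Flag endpoints that speak SMTP directly to arbitrary servers (AgentTesla-style SMTP exfil)."""
from typing import List, NamedTuple, Optional

SMTP_PORTS = {25, 465, 587}
MAIL_SERVERS = {"10.0.0.25"}                 # assumed: the only internal host allowed to relay mail
TRUSTED_SMTP_DST = {"smtp.office365.com"}    # assumed: sanctioned external submission endpoint
DNS_WINDOW_S = 300.0                         # assumed: how far back to look for the resolving answer


class Conn(NamedTuple):
    ts: float
    src: str
    dst: str
    dport: int
    proto: str


class DnsAnswer(NamedTuple):
    ts: float
    src: str
    qname: str
    answer: str


# Constructed records (whitespace-separated subset of Zeek conn.log / dns.log fields, not real logs).
SAMPLE_CONN = """
# ts orig_h resp_h resp_p proto
1633000000.100 192.168.2.3 8.8.8.8 53 udp
1633000000.250 192.168.2.3 185.237.206.6 587 tcp
1633000001.000 10.0.0.25 52.96.0.1 25 tcp
1633000002.000 192.168.2.7 10.0.0.25 587 tcp
1633000003.000 192.168.2.9 40.0.0.1 587 tcp
1633000004.000 192.168.2.3 93.184.216.34 443 tcp
"""
SAMPLE_DNS = """
# ts orig_h query answers
1633000000.120 192.168.2.3 mail.appalliser.com 185.237.206.6
1633000002.900 192.168.2.9 smtp.office365.com 40.0.0.1
"""


def parse_conn_log(text: str) -> List[Conn]:
    """Parse conn records: ts, id.orig_h, id.resp_h, id.resp_p, proto (comment lines skipped)."""
    out = []
    for line in text.strip().splitlines():
        if line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        out.append(Conn(float(ts), src, dst, int(dport), proto))
    return out


def parse_dns_log(text: str) -> List[DnsAnswer]:
    """Parse dns records: ts, id.orig_h, query, answers (comma-separated), one entry per answer."""
    out = []
    for line in text.strip().splitlines():
        if line.startswith("#"):
            continue
        ts, src, qname, answers = line.split()
        for ip in answers.split(","):
            out.append(DnsAnswer(float(ts), src, qname, ip))
    return out


def resolve_name(conn: Conn, dns: List[DnsAnswer]) -> Optional[str]:
    """Most recent name that the same client resolved to conn.dst within DNS_WINDOW_S before it."""
    best = None
    for a in dns:
        if a.src == conn.src and a.answer == conn.dst and 0 <= conn.ts - a.ts <= DNS_WINDOW_S:
            if best is None or a.ts > best.ts:
                best = a
    return best.qname if best else None


def find_smtp_exfil(conns: List[Conn], dns: List[DnsAnswer]) -> List[dict]:
    """Return one alert per TCP connection to an SMTP port that is neither from nor to the relay
    and whose destination did not resolve from an allowlisted mail host."""
    alerts = []
    for c in conns:
        if c.proto != "tcp" or c.dport not in SMTP_PORTS:
            continue
        if c.src in MAIL_SERVERS or c.dst in MAIL_SERVERS:
            continue  # the relay itself, or a client submitting to the relay
        qname = resolve_name(c, dns)
        if qname in TRUSTED_SMTP_DST:
            continue
        alerts.append({"ts": c.ts, "src": c.src, "dst": c.dst, "dport": c.dport, "qname": qname})
    return alerts


if __name__ == "__main__":
    for alert in find_smtp_exfil(parse_conn_log(SAMPLE_CONN), parse_dns_log(SAMPLE_DNS)):
        print("direct SMTP from workstation:", alert)
```

Real Zeek logs are tab-separated with `#fields` headers and list several answers per query; the parser here splits on whitespace only to keep the constructed sample readable. Attributing the resolved name to the same client within a short window matters: a destination-IP allowlist alone is brittle, while the name the victim actually looked up (here mail.appalliser.com) is both the IOC and the key to join against mail-server inventories.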

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FC2

E-Banking Fraud:

Drops certificate files (DER)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Purchase Order PO5351.exe
Detected potential unwanted application
Source: Purchase Order PO5351.exe PE Signature Subject Chain: CN=Tencent Technology(Shenzhen) Company Limited, O=Tencent Technology(Shenzhen) Company Limited, L=Shenzhen, S=Guangdong, C=CN
.NET source code contains very large array initializations
Source: 2.2.Purchase Order PO5351.exe.4810000.5.unpack, u003cPrivateImplementationDetailsu003eu007bD4B941FAu002d2DBAu002d4076u002dBF2Bu002d68A2FCF4E49Bu007d/BDC4F16Au002d1B55u002d4A62u002d9374u002d3C2BBA0A451E.cs Large array initialization: .cctor: array initializer size 11961
Executable has a suspicious name (potential lure to open the executable)
Source: Purchase Order PO5351.exe Static file information: Suspicious name
Uses 32bit PE files
Source: Purchase Order PO5351.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB
Detected potential crypto function
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_004047D3 0_2_004047D3
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_004061D4 0_2_004061D4
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_72F369FA 0_2_72F369FA
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_72F36A09 0_2_72F36A09
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_0040A2A5 2_2_0040A2A5
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_0075EC80 2_2_0075EC80
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_00756180 2_2_00756180
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_0075E288 2_2_0075E288
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_0075D8A0 2_2_0075D8A0
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_008B2D30 2_2_008B2D30
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_008B4A4C 2_2_008B4A4C
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_008B7E70 2_2_008B7E70
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_008B0040 2_2_008B0040
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_008BD780 2_2_008BD780
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_008CC960 2_2_008CC960
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_008C7250 2_2_008C7250
Sample file is different than original file name gathered from version info
Source: Purchase Order PO5351.exe, 00000000.00000003.283553488.000000000F21F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Purchase Order PO5351.exe
Source: Purchase Order PO5351.exe, 00000000.00000002.293225806.00000000023A0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamekLkdFlZsZNmHamqDFHmrAA.exe4 vs Purchase Order PO5351.exe
Source: Purchase Order PO5351.exe Binary or memory string: OriginalFilename vs Purchase Order PO5351.exe
Source: Purchase Order PO5351.exe, 00000002.00000002.551186931.0000000004812000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamekLkdFlZsZNmHamqDFHmrAA.exe4 vs Purchase Order PO5351.exe
Source: Purchase Order PO5351.exe, 00000002.00000002.548280613.0000000000199000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Purchase Order PO5351.exe
PE / OLE file has an invalid certificate
Source: Purchase Order PO5351.exe Static PE information: invalid certificate
Source: Purchase Order PO5351.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe File read: C:\Users\user\Desktop\Purchase Order PO5351.exe
Source: Purchase Order PO5351.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Purchase Order PO5351.exe 'C:\Users\user\Desktop\Purchase Order PO5351.exe'
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Process created: C:\Users\user\Desktop\Purchase Order PO5351.exe 'C:\Users\user\Desktop\Purchase Order PO5351.exe'
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe File created: C:\Users\user\AppData\Local\Temp\nsk73A8.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/5@3/1
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar, 0_2_00402053
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404292
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess, 2_2_00401489
Source: 2.2.Purchase Order PO5351.exe.4810000.5.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe File read: C:\Windows\System32\drivers\etc\hosts (4 identical entries)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Binary string: wntdll.pdbUGP source: Purchase Order PO5351.exe, 00000000.00000003.285257913.000000000EF70000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: Purchase Order PO5351.exe, 00000000.00000003.285257913.000000000EF70000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Unpacked PE file: 2.2.Purchase Order PO5351.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Unpacked PE file: 2.2.Purchase Order PO5351.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Unpacked PE file: 2.2.Purchase Order PO5351.exe.4810000.5.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_72F31080 push eax; ret 0_2_72F310AE
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_00401F16 push ecx; ret 2_2_00401F29
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_0075B59F push edi; retn 0000h 2_2_0075B5A1
PE file contains an invalid checksum
Source: Purchase Order PO5351.exe Static PE information: real checksum: 0x0 should be: 0x64210
Source: gqdtoh.dll.0.dr Static PE information: real checksum: 0xe45e should be: 0x1158f
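The "real checksum: 0x0 should be: 0x64210" line means the CheckSum field of the optional header was never filled in. Linkers only populate it on request (MSVC: /RELEASE), so a zero value is common in legitimate user-mode software and is a weak indicator on its own; it is also what an NSIS stub, which this sample is, normally ships with. A non-zero but wrong value, as on the dropped gqdtoh.dll (0xe45e vs 0x1158f), is the more telling case because it usually means the file was altered after linking. The Python below is added here as an illustration and is not part of the report: it implements the same image checksum algorithm that imagehlp's CheckSumMappedFile uses, without third-party modules, reports stored versus computed values, can rewrite the field, and is exercised on a constructed 512-byte PE32 skeleton rather than on the real sample.

```python
"""PE image checksum: verify, recompute and fix IMAGE_OPTIONAL_HEADER.CheckSum (stdlib only)."""
import struct
from typing import Tuple


def checksum_field_offset(data: bytes) -> int:
    """Return the file offset of IMAGE_OPTIONAL_HEADER.CheckSum after validating MZ/PE headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # PE signature (4) + IMAGE_FILE_HEADER (20), then CheckSum sits at +0x40 in the optional header
    return e_lfanew + 4 + 20 + 0x40


def compute_pe_checksum(data: bytes) -> int:
    """Sum every 32-bit word except the CheckSum field itself with end-around carry,
    fold the result to 16 bits, and add the file length (the CheckSumMappedFile algorithm)."""
    skip = checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)  # a trailing partial dword is zero-padded
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = total + (total >> 16)
    return (total & 0xFFFF) + len(data)


def stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def check_pe_checksum(data: bytes) -> Tuple[int, int, bool]:
    """Return (stored, computed, valid); stored == 0 means the field was never populated."""
    stored = stored_checksum(data)
    computed = compute_pe_checksum(data)
    return stored, computed, stored == computed


def fix_checksum(data: bytes) -> bytes:
    """Return a copy of the image with CheckSum set to the recomputed value."""
    out = bytearray(data)
    struct.pack_into("<I", out, checksum_field_offset(data), compute_pe_checksum(data))
    return bytes(out)


def build_sample_pe() -> bytes:
    """Constructed 512-byte PE32 skeleton (not the sample from the report): i386, one section,
    CheckSum left at 0 the way many packed binaries and NSIS stubs ship."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header directly after the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # 1 section, EXECUTABLE|32BIT
    opt_hdr = bytearray(224)
    struct.pack_into("<H", opt_hdr, 0, 0x10B)  # PE32 magic; CheckSum at opt_hdr[0x40:0x44] stays 0
    section = bytearray(40)
    section[:5] = b".text"
    image = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt_hdr) + bytes(section)
    return image + bytes([0x90]) * (512 - len(image))  # constructed section bytes (NOPs)


if __name__ == "__main__":
    stored, computed, ok = check_pe_checksum(build_sample_pe())
    print(f"real checksum: {stored:#x} should be: {computed:#x} valid={ok}")
```

The skip of the CheckSum dword is what lets fix_checksum converge in a single pass: the recomputed value does not depend on whatever the field currently holds. Because the fold is arithmetic modulo 0xFFFF, any single-byte change elsewhere in the file changes the computed value, which is why a non-zero mismatch is a reliable sign of post-link modification even though it offers no protection against an attacker who simply recomputes it.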

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe File created: C:\Users\user\AppData\Local\Temp\nsk73A9.tmp\gqdtoh.dll

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Process information set: NOOPENFILEERRORBOX (66 identical entries)

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe TID: 5296 Thread sleep time: -22136092888451448s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe TID: 1716 Thread sleep count: 1209 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe TID: 1716 Thread sleep count: 8626 > 30 Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Window / User API: threadDelayed 1209
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Window / User API: threadDelayed 8626
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_00404A29 FindFirstFileExW, 2_2_00404A29
Source: Purchase Order PO5351.exe, 00000002.00000003.511012133.00000000059BA000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0040446F
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_004067FE GetProcessHeap, 2_2_004067FE
Enables debug privileges
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_72F36402 mov eax, dword ptr fs:[00000030h] 0_2_72F36402
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_72F366C7 mov eax, dword ptr fs:[00000030h] 0_2_72F366C7
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_72F36744 mov eax, dword ptr fs:[00000030h] 0_2_72F36744
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_72F36616 mov eax, dword ptr fs:[00000030h] 0_2_72F36616
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_72F36706 mov eax, dword ptr fs:[00000030h] 0_2_72F36706
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_004035F1 mov eax, dword ptr fs:[00000030h] 2_2_004035F1
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_00750A66 KiUserExceptionDispatcher,KiUserExceptionDispatcher,LdrInitializeThunk, 2_2_00750A66
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_00401E1D SetUnhandledExceptionFilter, 2_2_00401E1D
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00401C88
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00401F30

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Memory written: C:\Users\user\Desktop\Purchase Order PO5351.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Process created: C:\Users\user\Desktop\Purchase Order PO5351.exe 'C:\Users\user\Desktop\Purchase Order PO5351.exe'
Source: Purchase Order PO5351.exe, 00000002.00000002.550054564.0000000000E30000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: Purchase Order PO5351.exe, 00000002.00000002.550054564.0000000000E30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Purchase Order PO5351.exe, 00000002.00000002.550054564.0000000000E30000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Purchase Order PO5351.exe, 00000002.00000002.550054564.0000000000E30000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_0040208D cpuid 2_2_0040208D
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 2_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_00401B74
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 2.2.Purchase Order PO5351.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Purchase Order PO5351.exe.3345530.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Purchase Order PO5351.exe.3345530.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Purchase Order PO5351.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Purchase Order PO5351.exe.4e81b0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.Purchase Order PO5351.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Purchase Order PO5351.exe.47c0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order PO5351.exe.23b1458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.Purchase Order PO5351.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order PO5351.exe.23b1458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Purchase Order PO5351.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Purchase Order PO5351.exe.4810000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Purchase Order PO5351.exe.47c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order PO5351.exe.23a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Purchase Order PO5351.exe.4e81b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.Purchase Order PO5351.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order PO5351.exe.23a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.Purchase Order PO5351.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.551186931.0000000004812000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.291805615.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.550696214.0000000003341000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.548389108.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.550919665.00000000047C0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.293225806.00000000023A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.548716786.00000000004CB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order PO5351.exe PID: 492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Purchase Order PO5351.exe PID: 5504, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Purchase Order PO5351.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Yara detected Credential Stealer
Source: Yara match File source: 00000002.00000002.550115709.0000000002341000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order PO5351.exe PID: 5504, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla