Windows Analysis Report QUOTE 7129.bat

Overview

General Information

Sample Name: QUOTE 7129.bat (renamed file extension from bat to exe)
Analysis ID: 502636
MD5: c5cc1718876b11652a056bfb7c819521
SHA1: 37beee9cd4da05c76e9e79a98e824d7f103bf986
SHA256: bd6fb4af1ac12b02fdfa5df9ce0094710fab6415f3154cdcc6c1e5d8b7f351a1
Tags: AgentTesla, bat, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 0.2.QUOTE 7129.exe.3c15220.2.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "anams@rapidmail.ec", "Password": "icui4cu2@@", "Host": "mail.rapidmail.ec"}
Multi AV Scanner detection for submitted file
Source: QUOTE 7129.exe Virustotal: Detection: 42%
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.QUOTE 7129.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: QUOTE 7129.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: QUOTE 7129.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: QUOTE 7129.exe, 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: QUOTE 7129.exe, 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: QUOTE 7129.exe, 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp String found in binary or memory: http://RSNcbZ.com
Source: QUOTE 7129.exe String found in binary or memory: http://gcr.github.com/super-sudoku-for-windows/
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: QUOTE 7129.exe, 00000000.00000002.244101705.0000000003B99000.00000004.00000001.sdmp, QUOTE 7129.exe, 00000001.00000002.506588894.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: QUOTE 7129.exe, 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: 1.2.QUOTE 7129.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b041C5864u002d8BC5u002d4FD4u002d8275u002d9B3B73CB91FAu007d/FA9420DDu002d9003u002d4CC1u002d9A6Eu002dDA16936AF8BD.cs Large array initialization: .cctor: array initializer size 11777
Uses 32bit PE files
Source: QUOTE 7129.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Detected potential crypto function
Sample file is different than original file name gathered from version info
Source: QUOTE 7129.exe Binary or memory string: OriginalFilename vs QUOTE 7129.exe
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamejOUkZdFMCThYhhcCysTX.exe4 vs QUOTE 7129.exe
Source: QUOTE 7129.exe, 00000000.00000002.246572300.0000000005E80000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll< vs QUOTE 7129.exe
Source: QUOTE 7129.exe, 00000001.00000002.506867447.0000000000438000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamejOUkZdFMCThYhhcCysTX.exe4 vs QUOTE 7129.exe
Source: QUOTE 7129.exe, 00000001.00000002.509760538.00000000012AA000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs QUOTE 7129.exe
Source: QUOTE 7129.exe, 00000001.00000002.508685597.0000000000EF8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs QUOTE 7129.exe
Source: QUOTE 7129.exe Binary or memory string: OriginalFilenameContinuationResultTaskFromTa.exe8 vs QUOTE 7129.exe
Source: QUOTE 7129.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: QUOTE 7129.exe Virustotal: Detection: 42%
Source: C:\Users\user\Desktop\QUOTE 7129.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\QUOTE 7129.exe 'C:\Users\user\Desktop\QUOTE 7129.exe'
Source: C:\Users\user\Desktop\QUOTE 7129.exe Process created: C:\Users\user\Desktop\QUOTE 7129.exe C:\Users\user\Desktop\QUOTE 7129.exe
Source: C:\Users\user\Desktop\QUOTE 7129.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\QUOTE 7129.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\QUOTE 7129.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTE 7129.exe.log
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\QUOTE 7129.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\QUOTE 7129.exe Mutant created: \Sessions\1\BaseNamedObjects\ZypyrYXSztKSWDInUrsOgsZc
Source: 1.2.QUOTE 7129.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\QUOTE 7129.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\QUOTE 7129.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: QUOTE 7129.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: QUOTE 7129.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: QUOTE 7129.exe, WelcomeForm.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.QUOTE 7129.exe.7a0000.0.unpack, WelcomeForm.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.QUOTE 7129.exe.7a0000.0.unpack, WelcomeForm.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.0.QUOTE 7129.exe.9e0000.0.unpack, WelcomeForm.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.2.QUOTE 7129.exe.9e0000.1.unpack, WelcomeForm.cs .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\QUOTE 7129.exe Code function: 0_2_007A800D push es; ret 0_2_007A8018
Source: C:\Users\user\Desktop\QUOTE 7129.exe Code function: 0_2_00FCF930 pushad ; iretd 0_2_00FCF931
Source: C:\Users\user\Desktop\QUOTE 7129.exe Code function: 0_2_05F84513 push ss; ret 0_2_05F84516
Source: C:\Users\user\Desktop\QUOTE 7129.exe Code function: 0_2_05F84126 push ss; ret 0_2_05F84127
Source: C:\Users\user\Desktop\QUOTE 7129.exe Code function: 0_2_05F8505D push E9FFFFFEh; retf 0_2_05F85062
Source: C:\Users\user\Desktop\QUOTE 7129.exe Code function: 0_2_05F83FD2 push FFFFFFF1h; ret 0_2_05F83FD4
Source: C:\Users\user\Desktop\QUOTE 7129.exe Code function: 0_2_05F84F42 pushfd ; iretd 0_2_05F84F43
Source: C:\Users\user\Desktop\QUOTE 7129.exe Code function: 0_2_05F83F36 push es; ret 0_2_05F83F37
Source: C:\Users\user\Desktop\QUOTE 7129.exe Code function: 0_2_05F84ED0 pushad ; iretd 0_2_05F84ED1
Source: C:\Users\user\Desktop\QUOTE 7129.exe Code function: 0_2_05F85BA0 push 28054CD0h; iretd 0_2_05F85BAD
Source: C:\Users\user\Desktop\QUOTE 7129.exe Code function: 1_2_009E800D push es; ret 1_2_009E8018
Source: C:\Users\user\Desktop\QUOTE 7129.exe Code function: 1_2_00BC7A37 push edi; retn 0000h 1_2_00BC7A39
Source: C:\Users\user\Desktop\QUOTE 7129.exe Code function: 1_2_00BC8326 push ecx; retf 1_2_00BC832C
Source: C:\Users\user\Desktop\QUOTE 7129.exe Code function: 1_2_00BC8352 push ecx; retf 1_2_00BC832C
Source: C:\Users\user\Desktop\QUOTE 7129.exe Code function: 1_2_00BD05C8 push 3C00BBCBh; retf 1_2_00BD05CD
Source: initial sample Static PE information: section name: .text entropy: 7.92204747437

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\QUOTE 7129.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\QUOTE 7129.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.QUOTE 7129.exe.2bb1170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.243793993.0000000002C33000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QUOTE 7129.exe PID: 6056, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QUOTE 7129.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QUOTE 7129.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\QUOTE 7129.exe TID: 3528 Thread sleep time: -44412s >= -30000s
Source: C:\Users\user\Desktop\QUOTE 7129.exe TID: 4508 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\QUOTE 7129.exe TID: 1396 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\Desktop\QUOTE 7129.exe TID: 5936 Thread sleep count: 457 > 30
Source: C:\Users\user\Desktop\QUOTE 7129.exe TID: 5936 Thread sleep count: 9400 > 30
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\QUOTE 7129.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\QUOTE 7129.exe Window / User API: threadDelayed 457
Source: C:\Users\user\Desktop\QUOTE 7129.exe Window / User API: threadDelayed 9400
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QUOTE 7129.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\QUOTE 7129.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe Thread delayed: delay time: 44412
Source: C:\Users\user\Desktop\QUOTE 7129.exe Thread delayed: delay time: 922337203685477
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp Binary or memory string: vmware
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\QUOTE 7129.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\QUOTE 7129.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\QUOTE 7129.exe Memory written: C:\Users\user\Desktop\QUOTE 7129.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\QUOTE 7129.exe Process created: C:\Users\user\Desktop\QUOTE 7129.exe C:\Users\user\Desktop\QUOTE 7129.exe
Source: QUOTE 7129.exe, 00000001.00000002.510914977.00000000017E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: QUOTE 7129.exe, 00000001.00000002.510914977.00000000017E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: QUOTE 7129.exe, 00000001.00000002.510914977.00000000017E0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: QUOTE 7129.exe, 00000001.00000002.510914977.00000000017E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: QUOTE 7129.exe, 00000001.00000002.510914977.00000000017E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\QUOTE 7129.exe Queries volume information: C:\Users\user\Desktop\QUOTE 7129.exe VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 0.2.QUOTE 7129.exe.3c15220.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTE 7129.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTE 7129.exe.3c15220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.244101705.0000000003B99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.506588894.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.244299750.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.511981128.0000000002F0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QUOTE 7129.exe PID: 6056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: QUOTE 7129.exe PID: 5876, type: MEMORYSTR
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\QUOTE 7129.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\QUOTE 7129.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\QUOTE 7129.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\QUOTE 7129.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\QUOTE 7129.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QUOTE 7129.exe PID: 5876, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 0.2.QUOTE 7129.exe.3c15220.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTE 7129.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTE 7129.exe.3c15220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.244101705.0000000003B99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.506588894.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.244299750.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.511981128.0000000002F0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QUOTE 7129.exe PID: 6056, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: QUOTE 7129.exe PID: 5876, type: MEMORYSTR
No contacted IP infos