
Windows Analysis Report QUOTE 7129.bat

Overview

General Information

Sample Name: QUOTE 7129.bat (renamed file extension from bat to exe)
Analysis ID: 502636
MD5: c5cc1718876b11652a056bfb7c819521
SHA1: 37beee9cd4da05c76e9e79a98e824d7f103bf986
SHA256: bd6fb4af1ac12b02fdfa5df9ce0094710fab6415f3154cdcc6c1e5d8b7f351a1
Tags: AgentTesla, bat, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign process
.NET source code contains very large array initializations
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file name is different from the original file name gathered from version info
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • QUOTE 7129.exe (PID: 6056 cmdline: 'C:\Users\user\Desktop\QUOTE 7129.exe' MD5: C5CC1718876B11652A056BFB7C819521)
    • QUOTE 7129.exe (PID: 5876 cmdline: C:\Users\user\Desktop\QUOTE 7129.exe MD5: C5CC1718876B11652A056BFB7C819521)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "anams@rapidmail.ec", "Password": "icui4cu2@@", "Host": "mail.rapidmail.ec"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.511981128.0000000002F0E000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.244101705.0000000003B99000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.244101705.0000000003B99000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000001.00000002.506588894.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(Strings column empty for all rows; 10 further entries not shown)

            Unpacked PEs

Source | Rule | Description | Author
0.2.QUOTE 7129.exe.3c15220.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.QUOTE 7129.exe.3c15220.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
1.2.QUOTE 7129.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.QUOTE 7129.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.QUOTE 7129.exe.3c15220.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(Strings column empty for all rows; 2 further entries not shown)

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview


                      AV Detection:

Found malware configuration
Source: 0.2.QUOTE 7129.exe.3c15220.2.unpack → Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "anams@rapidmail.ec", "Password": "icui4cu2@@", "Host": "mail.rapidmail.ec"}
Multi AV Scanner detection for submitted file
Source: QUOTE 7129.exe → Virustotal: Detection: 42%
Source: 1.2.QUOTE 7129.exe.400000.0.unpack → Avira: Label: TR/Spy.Gen8
Source: QUOTE 7129.exe → Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: QUOTE 7129.exe → Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: QUOTE 7129.exe, 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp → String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: QUOTE 7129.exe, 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp → String found in binary or memory: http://DynDns.comDynDNS
Source: QUOTE 7129.exe, 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp → String found in binary or memory: http://RSNcbZ.com
Source: QUOTE 7129.exe → String found in binary or memory: http://gcr.github.com/super-sudoku-for-windows/
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp → String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: QUOTE 7129.exe, 00000000.00000002.244101705.0000000003B99000.00000004.00000001.sdmp, QUOTE 7129.exe, 00000001.00000002.506588894.0000000000402000.00000040.00000001.sdmp → String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: QUOTE 7129.exe, 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp → String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                      System Summary:

.NET source code contains very large array initializations
Source: 1.2.QUOTE 7129.exe.400000.0.unpack, <PrivateImplementationDetails>{041C5864-8BC5-4FD4-8275-9B3B73CB91FA}/FA9420DD-9003-4CC1-9A6E-DA16936AF8BD.cs → Large array initialization: .cctor: array initializer size 11777
Source: QUOTE 7129.exe → Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 0_2_007A4FE4
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 0_2_00FCC124
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 0_2_00FCE570
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 0_2_00FCE560
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 0_2_05F80040
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 0_2_05F86010
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 0_2_05F86000
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 0_2_05F80006
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 0_2_05F80346
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 1_2_009E4FE4
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 1_2_00BCAB70
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 1_2_00BC2D50
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 1_2_00BC2618
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 1_2_00BC1FE1
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 1_2_00BCCA68
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 1_2_00BC9DB8
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 1_2_00BD4660
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 1_2_00BDA8E8
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 1_2_00BD5D80
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 1_2_014246A0
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 1_2_01424690
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 1_2_0142DA00
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 1_2_00BCD2B8
Source: QUOTE 7129.exe → Binary or memory string: OriginalFilename vs QUOTE 7129.exe
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp → Binary or memory string: OriginalFilenamejOUkZdFMCThYhhcCysTX.exe4 vs QUOTE 7129.exe
Source: QUOTE 7129.exe, 00000000.00000002.246572300.0000000005E80000.00000004.00020000.sdmp → Binary or memory string: OriginalFilenameUI.dll< vs QUOTE 7129.exe
Source: QUOTE 7129.exe, 00000001.00000002.506867447.0000000000438000.00000040.00000001.sdmp → Binary or memory string: OriginalFilenamejOUkZdFMCThYhhcCysTX.exe4 vs QUOTE 7129.exe
Source: QUOTE 7129.exe, 00000001.00000002.509760538.00000000012AA000.00000004.00000020.sdmp → Binary or memory string: OriginalFilenameclr.dllT vs QUOTE 7129.exe
Source: QUOTE 7129.exe, 00000001.00000002.508685597.0000000000EF8000.00000004.00000001.sdmp → Binary or memory string: OriginalFilenameUNKNOWN_FILET vs QUOTE 7129.exe
Source: QUOTE 7129.exe → Binary or memory string: OriginalFilenameContinuationResultTaskFromTa.exe8 vs QUOTE 7129.exe
Source: QUOTE 7129.exe → Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: QUOTE 7129.exe → Virustotal: Detection: 42%
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown → Process created: C:\Users\user\Desktop\QUOTE 7129.exe 'C:\Users\user\Desktop\QUOTE 7129.exe'
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Process created: C:\Users\user\Desktop\QUOTE 7129.exe C:\Users\user\Desktop\QUOTE 7129.exe
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\QUOTE 7129.exe → WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\QUOTE 7129.exe → File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTE 7129.exe.log
Source: classification engine → Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Mutant created: \Sessions\1\BaseNamedObjects\ZypyrYXSztKSWDInUrsOgsZc
Source: 1.2.QUOTE 7129.exe.400000.0.unpack, A/b2.cs → Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\QUOTE 7129.exe → File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: QUOTE 7129.exe → Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: QUOTE 7129.exe → Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                      Data Obfuscation:

.NET source code contains potential unpacker
Source: QUOTE 7129.exe, WelcomeForm.cs → .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.QUOTE 7129.exe.7a0000.0.unpack, WelcomeForm.cs → .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.QUOTE 7129.exe.7a0000.0.unpack, WelcomeForm.cs → .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.0.QUOTE 7129.exe.9e0000.0.unpack, WelcomeForm.cs → .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.2.QUOTE 7129.exe.9e0000.1.unpack, WelcomeForm.cs → .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 0_2_007A800D push es; ret
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 0_2_00FCF930 pushad ; iretd
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 0_2_05F84513 push ss; ret
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 0_2_05F84126 push ss; ret
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 0_2_05F8505D push E9FFFFFEh; retf
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 0_2_05F83FD2 push FFFFFFF1h; ret
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 0_2_05F84F42 pushfd ; iretd
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 0_2_05F83F36 push es; ret
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 0_2_05F84ED0 pushad ; iretd
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 0_2_05F85BA0 push 28054CD0h; iretd
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 1_2_009E800D push es; ret
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 1_2_00BC7A37 push edi; retn 0000h
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 1_2_00BC8326 push ecx; retf
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 1_2_00BC8352 push ecx; retf
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Code function: 1_2_00BD05C8 push 3C00BBCBh; retf
Source: initial sample → Static PE information: section name: .text entropy: 7.92204747437
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Process information set: NOOPENFILEERRORBOX (76 identical entries collapsed into one)
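The .text entropy of 7.92 bits per byte, the AppDomain::Load(byte[]) call in WelcomeForm.cs and the CreateDecryptor/TransformFinalBlock usage together describe a .NET loader that carries an encrypted assembly in its own image and decrypts it at runtime. As an added example, not code from the report or from the sample, the script below implements the static check behind the entropy line: a minimal PE section-table walk plus Shannon entropy per section, flagging code sections whose bytes look like ciphertext. The in-memory PE it analyzes is constructed for the demonstration and the 7.0 threshold is an assumption.

```python
"""Static triage: per-section Shannon entropy of a PE image.

Added example, not part of the sandbox report. It runs on a constructed
minimal 32-bit PE built in memory below; the real sample is not embedded.
The 7.0 bits/byte threshold is an assumption used for the demonstration.
"""
import hashlib
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
PACKED_THRESHOLD = 7.0  # assumption: above this a code section is likely compressed or encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (name, characteristics, raw_bytes) for every section table entry.

    Minimal walk: DOS header -> e_lfanew -> COFF header -> skip optional header
    -> section headers. Enough for entropy triage; it is not a PE loader.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(n_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", image, table + i * 40)
        name, raw_size, raw_ptr, chars = fields[0], fields[3], fields[4], fields[9]
        yield name.rstrip(b"\0").decode("ascii", "replace"), chars, image[raw_ptr:raw_ptr + raw_size]


def section_entropies(image: bytes) -> dict:
    """Section name -> entropy for all sections."""
    return {name: shannon_entropy(raw) for name, _chars, raw in pe_sections(image)}


def suspicious_sections(image: bytes, threshold: float = PACKED_THRESHOLD) -> list:
    """[(name, entropy)] for sections marked as code whose bytes look random."""
    hits = []
    for name, chars, raw in pe_sections(image):
        ent = shannon_entropy(raw)
        if chars & IMAGE_SCN_CNT_CODE and ent >= threshold:
            hits.append((name, round(ent, 3)))
    return hits


def build_sample_pe() -> bytes:
    """Constructed input: .text filled with SHA-256 output (stands in for an
    encrypted payload), .rsrc filled with repetitive plaintext. Header fields
    the parser does not read are left zero."""
    packed = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    plain = b"This program cannot be run in DOS mode.\r\n" * 100
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, EXECUTABLE_IMAGE|32BIT_MACHINE
    opt = b"\x0b\x01" + b"\0" * 222                                  # PE32 magic; remaining fields unused here
    text_off = 0x200
    rsrc_off = text_off + len(packed)
    sections = struct.pack("<8sIIIIIIHHI", b".text", len(packed), 0x1000, len(packed), text_off,
                           0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    sections += struct.pack("<8sIIIIIIHHI", b".rsrc", len(plain), 0x3000, len(plain), rsrc_off,
                            0, 0, 0, 0, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    headers = dos + b"PE\0\0" + coff + opt + sections
    return headers.ljust(text_off, b"\0") + packed + plain


if __name__ == "__main__":
    sample = build_sample_pe()
    for name, ent in section_entropies(sample).items():
        print(f"{name:8s} entropy={ent:.3f}")
    print("suspicious:", suspicious_sections(sample))
```

Run against a real file with `suspicious_sections(open(path, "rb").read())`. A .text section near 8 bits per byte is not proof of malice on its own (some legitimate protectors produce the same), but combined with an Assembly.Load(byte[]) call and symmetric-decryption APIs it is the classic packed-.NET picture this report describes.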

                      Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match → File source: 0.2.QUOTE 7129.exe.2bb1170.1.raw.unpack, type: UNPACKEDPE
Source: Yara match → File source: 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match → File source: 00000000.00000002.243793993.0000000002C33000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match → File source: Process Memory Space: QUOTE 7129.exe PID: 6056, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp → Binary or memory string: SBIEDLL.DLL
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp → Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QUOTE 7129.exe → WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QUOTE 7129.exe → WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\QUOTE 7129.exe TID: 3528 → Thread sleep time: -44412s >= -30000s
Source: C:\Users\user\Desktop\QUOTE 7129.exe TID: 4508 → Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\QUOTE 7129.exe TID: 1396 → Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\Desktop\QUOTE 7129.exe TID: 5936 → Thread sleep count: 457 > 30
Source: C:\Users\user\Desktop\QUOTE 7129.exe TID: 5936 → Thread sleep count: 9400 > 30
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Window / User API: threadDelayed 457
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Window / User API: threadDelayed 9400
Source: C:\Users\user\Desktop\QUOTE 7129.exe → WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Thread delayed: delay time: 44412
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Thread delayed: delay time: 922337203685477
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp → Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp → Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp → Binary or memory string: vmware
Source: QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp → Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Process token adjusted: Debug
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Memory written: C:\Users\user\Desktop\QUOTE 7129.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Process created: C:\Users\user\Desktop\QUOTE 7129.exe C:\Users\user\Desktop\QUOTE 7129.exe
Source: QUOTE 7129.exe, 00000001.00000002.510914977.00000000017E0000.00000002.00020000.sdmp → Binary or memory string: Shell_TrayWnd
Source: QUOTE 7129.exe, 00000001.00000002.510914977.00000000017E0000.00000002.00020000.sdmp → Binary or memory string: Progman
Source: QUOTE 7129.exe, 00000001.00000002.510914977.00000000017E0000.00000002.00020000.sdmp → Binary or memory string: SProgram Managerl
Source: QUOTE 7129.exe, 00000001.00000002.510914977.00000000017E0000.00000002.00020000.sdmp → Binary or memory string: Shell_TrayWnd,
Source: QUOTE 7129.exe, 00000001.00000002.510914977.00000000017E0000.00000002.00020000.sdmp → Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Queries volume information: C:\Users\user\Desktop\QUOTE 7129.exe VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
(repeated volume queries for the same files collapsed into one entry each)
Source: C:\Users\user\Desktop\QUOTE 7129.exe → Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 0.2.QUOTE 7129.exe.3c15220.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.QUOTE 7129.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTE 7129.exe.3c15220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.244101705.0000000003B99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.506588894.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.244299750.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.511981128.0000000002F0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QUOTE 7129.exe PID: 6056, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: QUOTE 7129.exe PID: 5876, type: MEMORYSTR
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\QUOTE 7129.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\QUOTE 7129.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\QUOTE 7129.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\QUOTE 7129.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\QUOTE 7129.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\QUOTE 7129.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match | File source: 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QUOTE 7129.exe PID: 5876, type: MEMORYSTR
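The file and registry opens listed above are the whole credential-theft pattern: one process that is not a mail client or a browser reads Thunderbird's and Firefox's profiles.ini, Chrome's Login Data, the Outlook MAPI profile key and the IncrediMail identities key in quick succession. The following is an added example, not part of the Joe Sandbox report, of the detection logic a practitioner would run over endpoint telemetry for that pattern. The event records are constructed to mirror the report's "File opened" and "Key opened" lines, and the field names (pid, image, kind, target) and the EXPECTED_OWNERS allow-list are assumptions, not a real Sysmon or EDR schema.

```python
"""
Added example (not from the report): flag a process that touches several
credential stores it does not own. Event schema is assumed.
"""
import ntpath
import re
from collections import defaultdict

# Store label -> pattern over the lower-cased, backslash-normalised path or key.
CREDENTIAL_STORES = [
    ("chrome-passwords", re.compile(r"\\google\\chrome\\user data\\[^\\]+\\login data$")),
    ("firefox-profiles", re.compile(r"\\mozilla\\firefox\\profiles\.ini$")),
    ("thunderbird-profiles", re.compile(r"\\thunderbird\\profiles\.ini$")),
    ("outlook-mapi-profile", re.compile(r"\\windows messaging subsystem\\profiles\\outlook(\\|$)")),
    ("incredimail-identities", re.compile(r"\\software\\incredimail\\identities$")),
]

# Assumed allow-list: the client that legitimately reads each store.
EXPECTED_OWNERS = {
    "chrome-passwords": {"chrome.exe"},
    "firefox-profiles": {"firefox.exe"},
    "thunderbird-profiles": {"thunderbird.exe"},
    "outlook-mapi-profile": {"outlook.exe"},
    "incredimail-identities": {"incredimail.exe"},
}

SAMPLE = r"C:\Users\user\Desktop\QUOTE 7129.exe"

# Constructed events: the first five mirror the report's PID 5876 lines, the
# last two are benign controls that a bare path match would also hit.
EVENTS = [
    {"pid": 5876, "image": SAMPLE, "kind": "file",
     "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"pid": 5876, "image": SAMPLE, "kind": "reg",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"pid": 5876, "image": SAMPLE, "kind": "reg",
     "target": r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"},
    {"pid": 5876, "image": SAMPLE, "kind": "file",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 5876, "image": SAMPLE, "kind": "file",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"pid": 4242, "image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe", "kind": "file",
     "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"pid": 1337, "image": r"C:\Windows\explorer.exe", "kind": "file",
     "target": r"C:\Users\user\Documents\notes.txt"},
]


def normalise(target: str) -> str:
    """Case-fold and use backslashes so user names and profile folders do not matter."""
    return target.replace("/", "\\").lower()


def classify(event):
    """Label of the credential store the event touches, or None when the target
    is not a store or the accessing image is that store's own client."""
    target = normalise(event["target"])
    image = ntpath.basename(event["image"]).lower()
    for label, pattern in CREDENTIAL_STORES:
        if pattern.search(target):
            return None if image in EXPECTED_OWNERS.get(label, ()) else label
    return None


def stores_by_process(events):
    """pid -> sorted list of distinct foreign credential stores that pid touched."""
    hits = defaultdict(set)
    for event in events:
        label = classify(event)
        if label is not None:
            hits[event["pid"]].add(label)
    return {pid: sorted(labels) for pid, labels in hits.items()}


def flag(events, min_stores=2):
    """PIDs touching at least min_stores distinct stores. One store can be a
    backup tool or a migration; mail plus browser stores from one unrelated
    process is the stealer signal."""
    return sorted(pid for pid, labels in stores_by_process(events).items()
                  if len(labels) >= min_stores)


if __name__ == "__main__":
    for pid, labels in stores_by_process(EVENTS).items():
        print(pid, labels)
    print("flagged:", flag(EVENTS))
```

The threshold of two distinct stores keeps the rule quiet on a single client reading its own profile list while still firing on the report's process, which hits five stores from a file on the Desktop.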

                      Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 0.2.QUOTE 7129.exe.3c15220.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.QUOTE 7129.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.QUOTE 7129.exe.3c15220.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.244101705.0000000003B99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.506588894.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.244299750.0000000003C99000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.511981128.0000000002F0E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QUOTE 7129.exe PID: 6056, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: QUOTE 7129.exe PID: 5876, type: MEMORYSTR

                      Mitre Att&ck Matrix

Techniques are listed per tactic column. Bracketed digits are the report's signature-count badges, reproduced as rendered; techniques without a badge are the unmatched cells of the matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [211]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection [112]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [131]; Process Injection [112]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [13]
Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Query Registry [1]; Security Software Discovery [211]; Process Discovery [2]; Virtualization/Sandbox Evasion [131]; Application Window Discovery [1]; System Information Discovery [114]; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection [1]; Archive Collected Data [11]; Data from Local System [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Behavior Graph

[process behavior graph image omitted]

Screenshots

[screenshot thumbnails omitted]

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
QUOTE 7129.exe | 42% | Virustotal |
QUOTE 7129.exe | 9% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

Source | Detection | Scanner | Label
1.2.QUOTE 7129.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

                      Domains

                      No Antivirus matches

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://RSNcbZ.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://www.collada.org/2005/11/COLLADASchema9Done | 0% | URL Reputation | safe

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | QUOTE 7129.exe, 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | QUOTE 7129.exe, 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | QUOTE 7129.exe, 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://gcr.github.com/super-sudoku-for-windows/ | QUOTE 7129.exe | false | | high
http://RSNcbZ.com | QUOTE 7129.exe, 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | QUOTE 7129.exe, 00000000.00000002.244101705.0000000003B99000.00000004.00000001.sdmp; QUOTE 7129.exe, 00000001.00000002.506588894.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.collada.org/2005/11/COLLADASchema9Done | QUOTE 7129.exe, 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                        Contacted IPs

                        No contacted IP infos

                        General Information

                        Joe Sandbox Version:33.0.0 White Diamond
                        Analysis ID:502636
                        Start date:14.10.2021
                        Start time:07:47:12
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 7m 58s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:QUOTE 7129.bat (renamed file extension from bat to exe)
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:27
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@3/1@0/0
                        EGA Information:Failed
                        HDC Information:
                        • Successful, ratio: 0.1% (good quality ratio 0%)
                        • Quality average: 19.3%
                        • Quality standard deviation: 27.3%
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        Warnings:
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                        • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.50.102.62, 95.100.218.79, 95.100.216.89, 20.54.110.249, 52.251.79.25, 40.112.88.60, 2.20.178.24, 2.20.178.33, 20.82.210.154
                        • Excluded domains from analysis (whitelisted): consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.

                        Simulations

                        Behavior and APIs

Time | Type | Description
07:48:11 | API Interceptor | 743x Sleep call for process: QUOTE 7129.exe modified

                        Joe Sandbox View / Context

                        IPs

                        No context

                        Domains

                        No context

                        ASN

                        No context

                        JA3 Fingerprints

                        No context

                        Dropped Files

                        No context

                        Created / dropped Files

                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTE 7129.exe.log
                        Process:C:\Users\user\Desktop\QUOTE 7129.exe
                        File Type:ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):1216
                        Entropy (8bit):5.355304211458859
                        Encrypted:false
                        SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                        MD5:FED34146BF2F2FA59DCF8702FCC8232E
                        SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                        SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                        SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                        Malicious:true
                        Reputation:high, very likely benign file
                        Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                        Static File Info

                        General

                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):7.911253135021535
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        • Win32 Executable (generic) a (10002005/4) 49.75%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Windows Screen Saver (13104/52) 0.07%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        File name:QUOTE 7129.exe
                        File size:581120
                        MD5:c5cc1718876b11652a056bfb7c819521
                        SHA1:37beee9cd4da05c76e9e79a98e824d7f103bf986
                        SHA256:bd6fb4af1ac12b02fdfa5df9ce0094710fab6415f3154cdcc6c1e5d8b7f351a1
                        SHA512:547edba7ff818c915e9fa6c16ea2c8ad214afcdef4049aea72a18d6e64243ba227fa8ec77d5232e7f36ab14f9bbae657adce82a3b77f33616d44a552eaf15e45
                        SSDEEP:12288:IS5dcKXjBESZdXDzPjIAnqRISXXLb4mZGKW0LKEDR3YA9SB:pcMSSZdXDLMRISXXLb4gW0WU9wB
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{.ea..............0.................. ........@.. .......................@............@................................

                        File Icon

                        Icon Hash:00828e8e8686b000

                        Static PE Info

                        General

                        Entrypoint:0x48f12e
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                        DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                        Time Stamp:0x6165A47B [Tue Oct 12 15:06:35 2021 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:v4.0.30319
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                        Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the add byte ptr [eax], al line repeats for the rest of the preview: the bytes after the six-byte jump are zero padding, and the byte pair 00 00 decodes as add byte ptr [eax], al)

                        Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8f0dc | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x90000 | 0x638 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x92000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
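The entrypoint preview and the data directories describe one thing: the standard x86 managed entry stub. Entrypoint 0x48f12e is RVA 0x8f12e, the last six bytes of .text; those bytes are FF 25 followed by the absolute address 0x402000, an indirect jump through the single IAT slot (IAT directory at RVA 0x2000, size 8) that the loader fills with mscoree!_CorExeMain, and the CLR header (COM_DESCRIPTOR, RVA 0x2008, size 0x48) sits right behind that slot. Everything after the jump is zero padding. The block below is an added example, not code from the report or the sample, that decodes such a stub and cross-checks it against the report's own numbers; the stub bytes and the native-prologue control are reconstructed from the disassembly, not read from the file, and the 0x7a0000 runtime base is taken from the first process entry under System Behavior.

```python
"""
Added example (not from the report): decode the x86 CLR entry stub and check it
against the PE data directories and section table. All constants are the
report's values; ENTRY_BYTES and NATIVE_PROLOGUE are reconstructed.
"""
import struct

IMAGE_BASE = 0x400000            # Static PE Info: Imagebase
ENTRYPOINT_VA = 0x48f12e         # Static PE Info: Entrypoint
DATA_DIRS = {                    # (RVA, size) from "Data Directories"
    "IAT": (0x2000, 0x8),
    "COM_DESCRIPTOR": (0x2008, 0x48),
    "IMPORT": (0x8f0dc, 0x4f),
}
SECTIONS = [                     # (name, RVA, virtual size) from "Sections"
    (".text", 0x2000, 0x8d134),
    (".rsrc", 0x90000, 0x638),
    (".reloc", 0x92000, 0xc),
]

# Reconstructed: "jmp dword ptr [00402000h]" plus the zero padding that a
# disassembler shows as "add byte ptr [eax], al".
ENTRY_BYTES = b"\xff\x25" + struct.pack("<I", 0x402000) + b"\x00" * 10
# Reconstructed control: a native "push ebp; mov ebp, esp" prologue.
NATIVE_PROLOGUE = b"\x55\x8b\xec" + b"\x00" * 13


def decode_indirect_jmp(code: bytes):
    """Absolute address of the slot an 'FF 25 imm32' jump reads, or None."""
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return None
    return struct.unpack_from("<I", code, 2)[0]


def section_of(rva: int, sections=SECTIONS):
    """Name of the section whose virtual range contains rva, or None."""
    for name, start, size in sections:
        if start <= rva < start + size:
            return name
    return None


def rebase(va: int, old_base: int, new_base: int) -> int:
    """Where a static VA lands once ASLR (DLL characteristic DYNAMIC_BASE)
    maps the image at a different base."""
    return va - old_base + new_base


def is_clr_entry_stub(code: bytes, image_base=IMAGE_BASE, data_dirs=DATA_DIRS) -> bool:
    """True when the entry point is the managed stub: an indirect jump whose
    slot lies inside the IAT, in an image that carries a CLR header."""
    slot = decode_indirect_jmp(code)
    if slot is None:
        return False
    iat_rva, iat_size = data_dirs["IAT"]
    _clr_rva, clr_size = data_dirs["COM_DESCRIPTOR"]
    slot_rva = slot - image_base
    jumps_through_iat = iat_rva <= slot_rva < iat_rva + iat_size
    return jumps_through_iat and clr_size != 0


if __name__ == "__main__":
    rva = ENTRYPOINT_VA - IMAGE_BASE
    print("entry RVA 0x%x lies in %s" % (rva, section_of(rva)))
    print("jump slot 0x%x" % decode_indirect_jmp(ENTRY_BYTES))
    print("managed entry stub:", is_clr_entry_stub(ENTRY_BYTES))
    print("slot in the first analysed process: 0x%x" % rebase(0x402000, IMAGE_BASE, 0x7a0000))
```

The check is worth running on any "PE32 ... Mono/.Net assembly" verdict: a native entry point with a CLR header, or a managed stub whose slot falls outside the IAT, means the headers were tampered with or the file is a native loader carrying a managed payload, either of which changes how you unpack it.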

                        Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x8d134 | 0x8d200 | False | 0.946054652901 | data | 7.92204747437 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x90000 | 0x638 | 0x800 | False | 0.34228515625 | data | 3.50491456727 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x92000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
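The section table is the static evidence behind the "Software Packing" and ".NET source code contains very large array initializations" signatures: the executable .text section has an 8-bit entropy of 7.92 and a ZLIB complexity (compressed size over raw size) of 0.946, i.e. it is essentially incompressible, whereas .rsrc sits at 3.5. IL and metadata compiled from ordinary source do not look like that; a near-random executable section means an encrypted or compressed payload is stored inside it, which is exactly what the in-memory Yara hits on the unpacked 0x400000 image confirm. The block below is an added example, not code from the report, that recomputes both measures and applies the packing heuristic; the section contents are constructed stand-ins (a pseudo-random blob, a repeated manifest string, zeros), since the sample itself is not on this page.

```python
"""
Added example (not from the report): per-section entropy and zlib ratio, plus the
"executable and near-random" packing heuristic. Section bytes are constructed.
"""
import math
import random
import zlib
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant buffer,
    8.0 for a uniform one. Encrypted or compressed data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zlib_complexity(data: bytes) -> float:
    """Compressed size over raw size; about 1.0 means already incompressible."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def section_report(sections):
    """sections: iterable of (name, characteristics, raw_bytes) -> list of rows."""
    rows = []
    for name, chars, data in sections:
        rows.append({
            "name": name,
            "executable": bool(chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)),
            "entropy": round(shannon_entropy(data), 3),
            "zlib": round(zlib_complexity(data), 3),
        })
    return rows


def likely_packed(sections, entropy_floor=7.0):
    """Names of executable sections whose content is near-random. Plain IL
    or x86 code stays well below the floor; an encrypted blob does not."""
    return [row["name"] for row in section_report(sections)
            if row["executable"] and row["entropy"] >= entropy_floor]


# Constructed section contents standing in for the report's three sections.
_rng = random.Random(7)
PACKED_TEXT = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))   # encrypted payload look-alike
PLAIN_RSRC = (b"<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>" * 20).ljust(2048, b"\0")
EMPTY_RELOC = b"\0" * 0x200

SAMPLE_SECTIONS = [
    (".text", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ, PACKED_TEXT),
    (".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, PLAIN_RSRC),
    (".reloc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ, EMPTY_RELOC),
]

if __name__ == "__main__":
    for row in section_report(SAMPLE_SECTIONS):
        print(row)
    print("likely packed:", likely_packed(SAMPLE_SECTIONS))
```

The two measures agree on packed input but fail differently on edge cases: a section of long repeated high-byte runs can keep a high zlib ratio with modest entropy, while a base64 blob compresses poorly yet caps at 6 bits of entropy, so reporting both, as the sandbox does, is the right habit.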

                        Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x90090 | 0x3a8 | data | |
RT_MANIFEST | 0x90448 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                        Imports

DLL | Import
mscoree.dll | _CorExeMain

                        Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2011
Assembly Version | 1.2.2.0
InternalName | ContinuationResultTaskFromTa.exe
FileVersion | 1.2.0.0
CompanyName | Life Plan Counselling
LegalTrademarks |
Comments | Team Uno
ProductName | SuperSudoku
ProductVersion | 1.2.0.0
FileDescription | SuperSudoku
OriginalFilename | ContinuationResultTaskFromTa.exe

                        Network Behavior

                        No network behavior found

                        Code Manipulations


                        System Behavior

                        General

                        Start time:07:48:10
                        Start date:14/10/2021
                        Path:C:\Users\user\Desktop\QUOTE 7129.exe
                        Wow64 process (32bit):true
                        Commandline:'C:\Users\user\Desktop\QUOTE 7129.exe'
                        Imagebase:0x7a0000
                        File size:581120 bytes
                        MD5 hash:C5CC1718876B11652A056BFB7C819521
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.244101705.0000000003B99000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.244101705.0000000003B99000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.243646942.0000000002B91000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.243793993.0000000002C33000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.244299750.0000000003C99000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.244299750.0000000003C99000.00000004.00000001.sdmp, Author: Joe Security
                        Reputation:low

                        General

                        Start time:07:48:12
                        Start date:14/10/2021
                        Path:C:\Users\user\Desktop\QUOTE 7129.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\Desktop\QUOTE 7129.exe
                        Imagebase:0x9e0000
                        File size:581120 bytes
                        MD5 hash:C5CC1718876B11652A056BFB7C819521
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Yara matches:
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.511981128.0000000002F0E000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.506588894.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.506588894.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.511615461.0000000002E61000.00000004.00000001.sdmp, Author: Joe Security
                        Reputation:low
