Windows Analysis Report QUOTATION OF EQUIPMENT.exe

Overview

General Information

Sample Name: QUOTATION OF EQUIPMENT.exe
Analysis ID: 502687
MD5: 6f058c62ace41a97a12e6e7a47c9c76e
SHA1: 9c5e94ba757e2387a510bc10559136cb308ce535
SHA256: 713bcae8bce87e51a3b3f1448d816dce365302918c476d4bbe964b4834db3ccf
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Detected unpacking (overwrites its own PE header)
Yara detected AgentTesla
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 1.2.QUOTATION OF EQUIPMENT.exe.415058.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.omindexgroup.com/", "Username": "info@omindexgroup.com", "Password": "tlW}sP3mS7Z3"}
Machine Learning detection for sample
Source: QUOTATION OF EQUIPMENT.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.QUOTATION OF EQUIPMENT.exe.400000.1.unpack Avira: Label: TR/Spy.Gen8
Source: 1.2.QUOTATION OF EQUIPMENT.exe.4810000.5.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Unpacked PE file: 1.2.QUOTATION OF EQUIPMENT.exe.400000.1.unpack
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Unpacked PE file: 1.2.QUOTATION OF EQUIPMENT.exe.4810000.5.unpack
Uses 32bit PE files
Source: QUOTATION OF EQUIPMENT.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: QUOTATION OF EQUIPMENT.exe, 00000000.00000003.306358828.000000000F0D0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: QUOTATION OF EQUIPMENT.exe, 00000000.00000003.306358828.000000000F0D0000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_00404A29 FindFirstFileExW, 1_2_00404A29

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.3:49832 -> 192.119.9.178:21
Source: Traffic Snort IDS: 2029928 ET TROJAN AgentTesla HTML System Info Report Exfil via FTP 192.168.2.3:49833 -> 192.119.9.178:55115
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: 24SHELLSUS 24SHELLSUS
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 192.119.9.178 192.119.9.178
Uses FTP
Source: unknown FTP traffic detected: 192.119.9.178:21 -> 192.168.2.3:49832 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 08:49. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp String found in binary or memory: ftp://ftp.omindexgroup.com/info
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp String found in binary or memory: http://ftp.omindexgroup.com
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp, QUOTATION OF EQUIPMENT.exe, 00000001.00000003.514210140.00000000005C4000.00000004.00000001.sdmp String found in binary or memory: http://kMfms0NpHAa2q.org
Source: QUOTATION OF EQUIPMENT.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: QUOTATION OF EQUIPMENT.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp String found in binary or memory: http://yJUdUS.com
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%$
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: QUOTATION OF EQUIPMENT.exe String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: ftp.omindexgroup.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FC2

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: QUOTATION OF EQUIPMENT.exe
.NET source code contains very large array initializations
Source: 1.2.QUOTATION OF EQUIPMENT.exe.4810000.5.unpack, <PrivateImplementationDetails>{ADDD92D2-841A-42EA-B77C-1470A1722442}/47097661-7D05-4653-940A-C774450E8E39.cs Large array initialization: .cctor: array initializer size 11940
Uses 32bit PE files
Source: QUOTATION OF EQUIPMENT.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB
Detected potential crypto function
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 0_2_004047D3 0_2_004047D3
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 0_2_004061D4 0_2_004061D4
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 0_2_72E46A24 0_2_72E46A24
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 0_2_72E46A33 0_2_72E46A33
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_0040A2A5 1_2_0040A2A5
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_021846A0 1_2_021846A0
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_021845B0 1_2_021845B0
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_0218D310 1_2_0218D310
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_05929790 1_2_05929790
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_059246F8 1_2_059246F8
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_05925310 1_2_05925310
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_0592E260 1_2_0592E260
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_05924A40 1_2_05924A40
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_05EB0EA0 1_2_05EB0EA0
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_1_0040A2A5 1_1_0040A2A5
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: String function: 00401ED0 appears 46 times
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: String function: 0040569E appears 36 times
Sample file is different than original file name gathered from version info
Source: QUOTATION OF EQUIPMENT.exe, 00000000.00000003.297338018.000000000F1E6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs QUOTATION OF EQUIPMENT.exe
Source: QUOTATION OF EQUIPMENT.exe, 00000000.00000002.307528948.0000000002440000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameeoQopvcgKxToaqzqUBTWKQEmbNlozHuMTqggKL.exe4 vs QUOTATION OF EQUIPMENT.exe
Source: QUOTATION OF EQUIPMENT.exe Binary or memory string: OriginalFilename vs QUOTATION OF EQUIPMENT.exe
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.567930918.0000000003331000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameeoQopvcgKxToaqzqUBTWKQEmbNlozHuMTqggKL.exe4 vs QUOTATION OF EQUIPMENT.exe
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.565195545.0000000000199000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs QUOTATION OF EQUIPMENT.exe
PE file contains strange resources
Source: QUOTATION OF EQUIPMENT.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe File read: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe
Source: QUOTATION OF EQUIPMENT.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe 'C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe'
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Process created: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe 'C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe'
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe File created: C:\Users\user\AppData\Roaming\newapp
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe File created: C:\Users\user\AppData\Local\Temp\nscC7D6.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/3@1/1
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar, 0_2_00402053
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404292
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess, 1_2_00401489
Source: 1.2.QUOTATION OF EQUIPMENT.exe.4810000.5.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Binary string: wntdll.pdbUGP source: QUOTATION OF EQUIPMENT.exe, 00000000.00000003.306358828.000000000F0D0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: QUOTATION OF EQUIPMENT.exe, 00000000.00000003.306358828.000000000F0D0000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Unpacked PE file: 1.2.QUOTATION OF EQUIPMENT.exe.400000.1.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Unpacked PE file: 1.2.QUOTATION OF EQUIPMENT.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Unpacked PE file: 1.2.QUOTATION OF EQUIPMENT.exe.4810000.5.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 0_2_72E41080 push eax; ret 0_2_72E410AE
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_00401F16 push ecx; ret 1_2_00401F29
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_1_00401F16 push ecx; ret 1_1_00401F29
PE file contains an invalid checksum
Source: QUOTATION OF EQUIPMENT.exe Static PE information: real checksum: 0x0 should be: 0x6e839
Source: eluwnahujm.dll.0.dr Static PE information: real checksum: 0xca76 should be: 0x1039d

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe File created: C:\Users\user\AppData\Local\Temp\nsxC806.tmp\eluwnahujm.dll
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run newapp
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe TID: 1304 Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe TID: 3604 Thread sleep count: 756 > 30
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe TID: 3604 Thread sleep count: 9099 > 30
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Window / User API: threadDelayed 756
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Window / User API: threadDelayed 9099
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_00404A29 FindFirstFileExW, 1_2_00404A29
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Thread delayed: delay time: 922337203685477
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566108651.000000000078B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPow

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040446F
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_004067FE GetProcessHeap, 1_2_004067FE
Enables debug privileges
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 0_2_72E46402 mov eax, dword ptr fs:[00000030h] 0_2_72E46402
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 0_2_72E466C7 mov eax, dword ptr fs:[00000030h] 0_2_72E466C7
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 0_2_72E46744 mov eax, dword ptr fs:[00000030h] 0_2_72E46744
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 0_2_72E46706 mov eax, dword ptr fs:[00000030h] 0_2_72E46706
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 0_2_72E46616 mov eax, dword ptr fs:[00000030h] 0_2_72E46616
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_004035F1 mov eax, dword ptr fs:[00000030h] 1_2_004035F1
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_1_004035F1 mov eax, dword ptr fs:[00000030h] 1_1_004035F1
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_0218F640 LdrInitializeThunk, 1_2_0218F640
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_00401E1D SetUnhandledExceptionFilter, 1_2_00401E1D
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040446F
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00401C88
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00401F30
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_1_00401E1D SetUnhandledExceptionFilter, 1_1_00401E1D

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Memory written: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Process created: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe 'C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe'
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566499923.0000000000D30000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566499923.0000000000D30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566499923.0000000000D30000.00000002.00020000.sdmp Binary or memory string: Progman
Source: QUOTATION OF EQUIPMENT.exe, 00000001.00000002.566499923.0000000000D30000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_0040208D cpuid 1_2_0040208D
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00401B74
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Code function: 1_2_0592A9F8 GetUserNameW, 1_2_0592A9F8

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.3335530.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION OF EQUIPMENT.exe.2451458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION OF EQUIPMENT.exe.2440000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.3335530.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION OF EQUIPMENT.exe.2440000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.4810000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.22e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION OF EQUIPMENT.exe.2451458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.22e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.7a9f68.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.7a9f68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.567930918.0000000003331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.307528948.0000000002440000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.566777680.00000000022E0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.568210008.0000000004812000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.566108651.000000000078B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.565262027.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QUOTATION OF EQUIPMENT.exe PID: 6748, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: QUOTATION OF EQUIPMENT.exe PID: 6716, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\QUOTATION OF EQUIPMENT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QUOTATION OF EQUIPMENT.exe PID: 6716, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.3335530.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION OF EQUIPMENT.exe.2451458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION OF EQUIPMENT.exe.2440000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.3335530.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION OF EQUIPMENT.exe.2440000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.4810000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.22e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QUOTATION OF EQUIPMENT.exe.2451458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.22e0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.7a9f68.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.7a9f68.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QUOTATION OF EQUIPMENT.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.567930918.0000000003331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.307528948.0000000002440000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.566777680.00000000022E0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.568210008.0000000004812000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.566108651.000000000078B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.565262027.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.566863487.0000000002331000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QUOTATION OF EQUIPMENT.exe PID: 6748, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: QUOTATION OF EQUIPMENT.exe PID: 6716, type: MEMORYSTR