Windows Analysis Report QT21136583_Order_Doc.exe

Overview

General Information

Sample Name: QT21136583_Order_Doc.exe
Analysis ID: 502708
MD5: ac0f49a715ebc7eb6e51fb986425136e
SHA1: 813346ea143739c3fede3cde1d612de75ab731bf
SHA256: ccc78c1d61ff6eb4b314c9ffbbd9f172984a6b3decb088b1398a96b382a3149e
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected AgentTesla
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 1.2.QT21136583_Order_Doc.exe.543f60.2.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "accounts2@dsqtech.com", "Password": "Kolhapur123#", "Host": "mail.dsqtech.com"}
Multi AV Scanner detection for submitted file
Source: QT21136583_Order_Doc.exe ReversingLabs: Detection: 17%
Machine Learning detection for sample
Source: QT21136583_Order_Doc.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.QT21136583_Order_Doc.exe.2400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 1.2.QT21136583_Order_Doc.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 1.1.QT21136583_Order_Doc.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Unpacked PE file: 1.2.QT21136583_Order_Doc.exe.400000.0.unpack
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Unpacked PE file: 1.2.QT21136583_Order_Doc.exe.2400000.4.unpack
Uses 32bit PE files
Source: QT21136583_Order_Doc.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: wntdll.pdbUGP source: QT21136583_Order_Doc.exe, 00000000.00000003.354146293.0000000002A20000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: QT21136583_Order_Doc.exe, 00000000.00000003.354146293.0000000002A20000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_00404A29 FindFirstFileExW, 1_2_00404A29

Networking:

Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49754 -> 162.241.244.46:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.6:49754 -> 162.241.244.46:587
Source: QT21136583_Order_Doc.exe, 00000001.00000002.618173385.00000000028B1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: QT21136583_Order_Doc.exe, 00000001.00000002.618173385.00000000028B1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: QT21136583_Order_Doc.exe, 00000001.00000002.618173385.00000000028B1000.00000004.00000001.sdmp String found in binary or memory: http://K5S3hn76lHBxHr.com
Source: QT21136583_Order_Doc.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: QT21136583_Order_Doc.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: QT21136583_Order_Doc.exe, 00000001.00000002.618173385.00000000028B1000.00000004.00000001.sdmp String found in binary or memory: http://qNEWtD.com
Source: QT21136583_Order_Doc.exe, 00000001.00000002.618173385.00000000028B1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%(
Source: QT21136583_Order_Doc.exe, 00000001.00000002.618173385.00000000028B1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: QT21136583_Order_Doc.exe String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: QT21136583_Order_Doc.exe, 00000001.00000002.618173385.00000000028B1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: mail.dsqtech.com
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_0220B982 recv, 1_2_0220B982

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FC2

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: QT21136583_Order_Doc.exe
Uses 32bit PE files
Source: QT21136583_Order_Doc.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB
Detected potential crypto function
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_004047D3 0_2_004047D3
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_004061D4 0_2_004061D4
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_736F17E0 0_2_736F17E0
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_736F8A0F 0_2_736F8A0F
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_736F8A1E 0_2_736F8A1E
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_0040A2A5 1_2_0040A2A5
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_008460A0 1_2_008460A0
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_008494F0 1_2_008494F0
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_0084C430 1_2_0084C430
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_00847530 1_2_00847530
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_0084EA10 1_2_0084EA10
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_0084F220 1_2_0084F220
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_0084C3D0 1_2_0084C3D0
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_00A024E0 1_2_00A024E0
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_00A079C0 1_2_00A079C0
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_00A02938 1_2_00A02938
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_00A00D1C 1_2_00A00D1C
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_00A07388 1_2_00A07388
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_00A03170 1_2_00A03170
Contains functionality to call native functions
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_0220B136 NtQuerySystemInformation, 1_2_0220B136
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_0220B105 NtQuerySystemInformation, 1_2_0220B105
Sample file is different than original file name gathered from version info
Source: QT21136583_Order_Doc.exe, 00000000.00000003.352447860.00000000029A6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs QT21136583_Order_Doc.exe
Source: QT21136583_Order_Doc.exe, 00000000.00000002.357620213.0000000002840000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamerTljCOvqmtkfXeQCODdQUJAgATHv.exe4 vs QT21136583_Order_Doc.exe
Source: QT21136583_Order_Doc.exe Binary or memory string: OriginalFilename vs QT21136583_Order_Doc.exe
Source: QT21136583_Order_Doc.exe, 00000001.00000002.615598257.0000000000400000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamerTljCOvqmtkfXeQCODdQUJAgATHv.exe4 vs QT21136583_Order_Doc.exe
Source: QT21136583_Order_Doc.exe ReversingLabs: Detection: 17%
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe File read: C:\Users\user\Desktop\QT21136583_Order_Doc.exe
Source: QT21136583_Order_Doc.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\QT21136583_Order_Doc.exe 'C:\Users\user\Desktop\QT21136583_Order_Doc.exe'
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process created: C:\Users\user\Desktop\QT21136583_Order_Doc.exe 'C:\Users\user\Desktop\QT21136583_Order_Doc.exe'
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_0220AFBA AdjustTokenPrivileges, 1_2_0220AFBA
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_0220AF83 AdjustTokenPrivileges, 1_2_0220AF83
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe File created: C:\Users\user\AppData\Roaming\zUbDt
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe File created: C:\Users\user\AppData\Local\Temp\nsz6C71.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/3@12/2
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar, 0_2_00402053
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404292
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess, 1_2_00401489
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: wntdll.pdbUGP source: QT21136583_Order_Doc.exe, 00000000.00000003.354146293.0000000002A20000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: QT21136583_Order_Doc.exe, 00000000.00000003.354146293.0000000002A20000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Unpacked PE file: 1.2.QT21136583_Order_Doc.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Unpacked PE file: 1.2.QT21136583_Order_Doc.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Unpacked PE file: 1.2.QT21136583_Order_Doc.exe.2400000.4.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_00401F16 push ecx; ret 1_2_00401F29

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe File created: C:\Users\user\AppData\Local\Temp\nsu6CA1.tmp\ikmsjx.dll
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run zUbDt

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Function Chain: memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,systemQueried,threadDelayed,memAlloc,processSet,processSet,processSet,fileCreated,processSet,processSet,keyOpened,keyValueQueried,keyValueCreated,keyOpened,keyValueQueried
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe TID: 7128 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe TID: 7128 Thread sleep time: -5280000s >= -30000s
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe TID: 7128 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe TID: 7128 Thread sleep time: -59718s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Thread delayed: delay time: 922337203685477
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_00405E93 FindFirstFileA,FindClose, 0_2_00405E93
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054BD
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_00404A29 FindFirstFileExW, 1_2_00404A29
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Thread delayed: delay time: 30000
Source: QT21136583_Order_Doc.exe, 00000001.00000003.578314756.0000000005449000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040446F
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_004067FE GetProcessHeap, 1_2_004067FE
Enables debug privileges
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_736F8402 mov eax, dword ptr fs:[00000030h] 0_2_736F8402
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_736F8744 mov eax, dword ptr fs:[00000030h] 0_2_736F8744
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_736F8706 mov eax, dword ptr fs:[00000030h] 0_2_736F8706
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_736F8616 mov eax, dword ptr fs:[00000030h] 0_2_736F8616
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_736F86C7 mov eax, dword ptr fs:[00000030h] 0_2_736F86C7
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_004035F1 mov eax, dword ptr fs:[00000030h] 1_2_004035F1
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_008494F0 LdrInitializeThunk, 1_2_008494F0
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_00401E1D SetUnhandledExceptionFilter, 1_2_00401E1D
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040446F
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00401C88
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00401F30

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Memory written: C:\Users\user\Desktop\QT21136583_Order_Doc.exe base: 400000 value starts with: 4D5A
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Process created: C:\Users\user\Desktop\QT21136583_Order_Doc.exe 'C:\Users\user\Desktop\QT21136583_Order_Doc.exe'
Source: QT21136583_Order_Doc.exe, 00000001.00000002.617136043.0000000000DE0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: QT21136583_Order_Doc.exe, 00000001.00000002.617136043.0000000000DE0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: QT21136583_Order_Doc.exe, 00000001.00000002.617136043.0000000000DE0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: QT21136583_Order_Doc.exe, 00000001.00000002.617136043.0000000000DE0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_0040208D cpuid 1_2_0040208D
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_736F1D20 memset,GetLocalTime, 0_2_736F1D20
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004030FB
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe Code function: 1_2_0220BB16 GetUserNameW, 1_2_0220BB16

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 0.2.QT21136583_Order_Doc.exe.2851458.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.38b3258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QT21136583_Order_Doc.exe.2840000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.2400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.QT21136583_Order_Doc.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.23c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.543f60.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QT21136583_Order_Doc.exe.2840000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.QT21136583_Order_Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.543f60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.38b3258.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.QT21136583_Order_Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.QT21136583_Order_Doc.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.23c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QT21136583_Order_Doc.exe.2851458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.616077569.0000000000508000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.615598257.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.355689288.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.618000073.0000000002402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.617931637.00000000023C0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.620402128.00000000038B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.357620213.0000000002840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.618173385.00000000028B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QT21136583_Order_Doc.exe PID: 6740, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: QT21136583_Order_Doc.exe PID: 6768, type: MEMORYSTR
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\QT21136583_Order_Doc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000002.618173385.00000000028B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QT21136583_Order_Doc.exe PID: 6768, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 0.2.QT21136583_Order_Doc.exe.2851458.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.38b3258.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QT21136583_Order_Doc.exe.2840000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.2400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.QT21136583_Order_Doc.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.23c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.543f60.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QT21136583_Order_Doc.exe.2840000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.QT21136583_Order_Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.543f60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.38b3258.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.QT21136583_Order_Doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.QT21136583_Order_Doc.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.QT21136583_Order_Doc.exe.23c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.QT21136583_Order_Doc.exe.2851458.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.616077569.0000000000508000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.615598257.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.355689288.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.618000073.0000000002402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.617931637.00000000023C0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.620402128.00000000038B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.357620213.0000000002840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.618173385.00000000028B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: QT21136583_Order_Doc.exe PID: 6740, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: QT21136583_Order_Doc.exe PID: 6768, type: MEMORYSTR