Windows Analysis Report Purchase Order No. XIV21623..exe

Overview

General Information

Sample Name: Purchase Order No. XIV21623..exe
Analysis ID: 532633
MD5: 5e5c83d04f20a03826b8cd80d2c4a0b5
SHA1: 840248f524917151d9b44dda32cbb32ab1fd7d80
SHA256: 62c4b3a0c365726907f0ac94621c85f5c52056eb94653b151144cc841502e916
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected AgentTesla
Initial sample is a PE file and has a suspicious name
Executable has a suspicious name (potential lure to open the executable)
Machine Learning detection for sample
.NET source code contains potential unpacker
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sigma detected: Suspicious aspnet_compiler.exe Execution
Detected potential crypto function
Creates a process in suspended mode (likely to inject code)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Purchase Order No. XIV21623..exe Avira: detected
Found malware configuration
Source: 0.2.Purchase Order No. XIV21623..exe.13454660.3.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "anjay@peoplesource.in", "Password": "Admin@12345", "Host": "mail.peoplesource.in"}
Multi AV Scanner detection for submitted file
Source: Purchase Order No. XIV21623..exe ReversingLabs: Detection: 35%
Machine Learning detection for sample
Source: Purchase Order No. XIV21623..exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.Purchase Order No. XIV21623..exe.810000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe Unpacked PE file: 0.2.Purchase Order No. XIV21623..exe.810000.0.unpack
Uses 32bit PE files
Source: Purchase Order No. XIV21623..exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Purchase Order No. XIV21623..exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ?????????????c.pdb source: Purchase Order No. XIV21623..exe, 00000000.00000002.248225365.0000000000ED0000.00000004.00020000.sdmp
Source: Purchase Order No. XIV21623..exe, 00000000.00000002.250031063.0000000013189000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Purchase Order No. XIV21623..exe
Executable has a suspicious name (potential lure to open the executable)
Source: Purchase Order No. XIV21623..exe Static file information: Suspicious name
Uses 32bit PE files
Source: Purchase Order No. XIV21623..exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Sample file is different than original file name gathered from version info
Source: Purchase Order No. XIV21623..exe, 00000000.00000002.247943652.0000000000850000.00000002.00020000.sdmp Binary or memory string: OriginalFilenametaker.exeP vs Purchase Order No. XIV21623..exe
Source: Purchase Order No. XIV21623..exe, 00000000.00000002.248225365.0000000000ED0000.00000004.00020000.sdmp Binary or memory string: OriginalFilename8l vs Purchase Order No. XIV21623..exe
Source: Purchase Order No. XIV21623..exe, 00000000.00000002.250031063.0000000013189000.00000004.00000001.sdmp Binary or memory string: OriginalFilenametnCUHxlBGCKFCsHpcbSvLqLWGfKD.exe4 vs Purchase Order No. XIV21623..exe
Source: Purchase Order No. XIV21623..exe, 00000000.00000002.248059960.0000000000D19000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order No. XIV21623..exe
Source: Purchase Order No. XIV21623..exe Binary or memory string: OriginalFilenametaker.exeP vs Purchase Order No. XIV21623..exe
PE file contains strange resources
Source: Purchase Order No. XIV21623..exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe Code function: 0_2_00007FFA1D941D0D 0_2_00007FFA1D941D0D
Source: Purchase Order No. XIV21623..exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Purchase Order No. XIV21623..exe ReversingLabs: Detection: 35%
Source: Purchase Order No. XIV21623..exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: unknown Process created: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe "C:\Users\user\Desktop\Purchase Order No. XIV21623..exe"
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Purchase Order No. XIV21623..exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/1@0/0
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Purchase Order No. XIV21623..exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Purchase Order No. XIV21623..exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ?????????????c.pdb source: Purchase Order No. XIV21623..exe, 00000000.00000002.248225365.0000000000ED0000.00000004.00020000.sdmp

Data Obfuscation:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe Unpacked PE file: 0.2.Purchase Order No. XIV21623..exe.810000.0.unpack
.NET source code contains potential unpacker
Source: Purchase Order No. XIV21623..exe, c5b09415cd7b0c75252f1d37810bcc5d0.cs .Net Code: c08af4a61b44020d61ee70e0d21a00651 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Purchase Order No. XIV21623..exe.810000.0.unpack, c5b09415cd7b0c75252f1d37810bcc5d0.cs .Net Code: c08af4a61b44020d61ee70e0d21a00651 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Purchase Order No. XIV21623..exe.810000.0.unpack, c5b09415cd7b0c75252f1d37810bcc5d0.cs .Net Code: c08af4a61b44020d61ee70e0d21a00651 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe Code function: 0_2_00007FFA1D94518E push edx; iretd 0_2_00007FFA1D945191
Source: initial sample Static PE information: section name: .text entropy: 7.96708162926
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe TID: 2072 Thread sleep time: -922337203685477s >= -30000s
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe Process information queried: ProcessInformation
Source: Purchase Order No. XIV21623..exe, 00000000.00000002.250031063.0000000013189000.00000004.00000001.sdmp Binary or memory string: !`0QYYJVMcIQ

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe Queries volume information: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 0.2.Purchase Order No. XIV21623..exe.13454660.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order No. XIV21623..exe.13454660.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.250031063.0000000013189000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order No. XIV21623..exe PID: 496, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 0.2.Purchase Order No. XIV21623..exe.13454660.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Purchase Order No. XIV21623..exe.13454660.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.250031063.0000000013189000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order No. XIV21623..exe PID: 496, type: MEMORYSTR
No contacted IP infos