Source: Purchase Order No. XIV21623..exe |
Avira: detected |
Source: 0.2.Purchase Order No. XIV21623..exe.13454660.3.unpack |
Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "anjay@peoplesource.in", "Password": "Admin@12345", "Host": "mail.peoplesource.in"} |
Source: Purchase Order No. XIV21623..exe |
ReversingLabs: Detection: 35% |
Source: Purchase Order No. XIV21623..exe |
Joe Sandbox ML: detected |
Source: 0.0.Purchase Order No. XIV21623..exe.810000.0.unpack |
Avira: Label: TR/Dropper.MSIL.Gen |
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe |
Unpacked PE file: 0.2.Purchase Order No. XIV21623..exe.810000.0.unpack |
Source: Purchase Order No. XIV21623..exe |
Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED |
Source: Purchase Order No. XIV21623..exe |
Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: |
Binary string: ?????????????c.pdb source: Purchase Order No. XIV21623..exe, 00000000.00000002.248225365.0000000000ED0000.00000004.00020000.sdmp |
Source: Purchase Order No. XIV21623..exe, 00000000.00000002.250031063.0000000013189000.00000004.00000001.sdmp |
String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip |
Source: initial sample |
Static PE information: Filename: Purchase Order No. XIV21623..exe |
Source: Purchase Order No. XIV21623..exe |
Static file information: Suspicious name |
Source: Purchase Order No. XIV21623..exe, 00000000.00000002.247943652.0000000000850000.00000002.00020000.sdmp |
Binary or memory string: OriginalFilenametaker.exeP vs Purchase Order No. XIV21623..exe |
Source: Purchase Order No. XIV21623..exe, 00000000.00000002.248225365.0000000000ED0000.00000004.00020000.sdmp |
Binary or memory string: OriginalFilename8l vs Purchase Order No. XIV21623..exe |
Source: Purchase Order No. XIV21623..exe, 00000000.00000002.250031063.0000000013189000.00000004.00000001.sdmp |
Binary or memory string: OriginalFilenametnCUHxlBGCKFCsHpcbSvLqLWGfKD.exe4 vs Purchase Order No. XIV21623..exe |
Source: Purchase Order No. XIV21623..exe, 00000000.00000002.248059960.0000000000D19000.00000004.00000020.sdmp |
Binary or memory string: OriginalFilenameclr.dllT vs Purchase Order No. XIV21623..exe |
Source: Purchase Order No. XIV21623..exe |
Binary or memory string: OriginalFilenametaker.exeP vs Purchase Order No. XIV21623..exe |
Source: Purchase Order No. XIV21623..exe |
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe |
Code function: 0_2_00007FFA1D941D0D |
0_2_00007FFA1D941D0D |
Source: Purchase Order No. XIV21623..exe |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe |
Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll |
Source: unknown |
Process created: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe "C:\Users\user\Desktop\Purchase Order No. XIV21623..exe" |
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe |
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe |
File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Purchase Order No. XIV21623..exe.log |
Source: classification engine |
Classification label: mal100.troj.evad.winEXE@3/1@0/0 |
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe |
File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll |
Source: Purchase Order No. XIV21623..exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: Purchase Order No. XIV21623..exe, c5b09415cd7b0c75252f1d37810bcc5d0.cs |
.Net Code: c08af4a61b44020d61ee70e0d21a00651 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 0.2.Purchase Order No. XIV21623..exe.810000.0.unpack, c5b09415cd7b0c75252f1d37810bcc5d0.cs |
.Net Code: c08af4a61b44020d61ee70e0d21a00651 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 0.0.Purchase Order No. XIV21623..exe.810000.0.unpack, c5b09415cd7b0c75252f1d37810bcc5d0.cs |
.Net Code: c08af4a61b44020d61ee70e0d21a00651 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe |
Code function: 0_2_00007FFA1D94518E push edx; iretd |
0_2_00007FFA1D945191 |
Source: initial sample |
Static PE information: section name: .text entropy: 7.96708162926 |
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe TID: 2072 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe |
Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe |
Process information queried: ProcessInformation |
Source: Purchase Order No. XIV21623..exe, 00000000.00000002.250031063.0000000013189000.00000004.00000001.sdmp |
Binary or memory string: !`0QYYJVMcIQ |
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe |
Process token adjusted: Debug |
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe |
Memory allocated: page read and write | page guard |
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe |
Queries volume information: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe VolumeInformation |
Source: C:\Users\user\Desktop\Purchase Order No. XIV21623..exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: Yara match |
File source: 0.2.Purchase Order No. XIV21623..exe.13454660.3.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.Purchase Order No. XIV21623..exe.13454660.3.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.250031063.0000000013189000.00000004.00000001.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: Purchase Order No. XIV21623..exe PID: 496, type: MEMORYSTR |