
Windows Analysis Report
ORDEN DE COMPRA 80107.pdf________________________.exe

Overview

General Information

Sample Name: ORDEN DE COMPRA 80107.pdf________________________.exe
Analysis ID: 558805
MD5: af7c27fd6e49538aa93a667d67463c51
SHA1: e2da9a0143a07da2b2c498f4622ea5db21d9298f
SHA256: d7553925a2f9d9840cd23da20f66fcbfb3e7eca2f24c624e2f6139181eefc138
Tags: exe

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Yara detected GuLoader
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • ORDEN DE COMPRA 80107.pdf________________________.exe (PID: 4600 cmdline: "C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe" MD5: AF7C27FD6E49538AA93A667D67463C51)
    • CasPol.exe (PID: 5340 cmdline: "C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
    • CasPol.exe (PID: 4820 cmdline: "C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
    • CasPol.exe (PID: 5640 cmdline: "C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe" MD5: F866FC1C2E928779C7119353C3091F0C)
      • conhost.exe (PID: 4568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
GuLoader: {"Payload URL": "https://cdn.discordapp.com/attachments/934180388522299433/9350"}
AgentTesla: {"Exfil Mode": "SMTP", "SMTP Info": "kubaba@bhgautopartes.comicui4cu2@@mail.bhgautopartes.comkubabareports@bhgautopartes.com"}
Yara matches (Source, Rule, Description, Author, Strings):

Source: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmp
Rule: LokiBot_Dropper_Packed_R11_Feb18
Description: Auto-generated rule - file scan copy.pdf.r11
Author: Florian Roth
Strings:
  • 0x26f8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

Source: 00000000.00000000.289570164.000000000040D000.00000020.00000001.01000000.00000003.sdmp
Rule: LokiBot_Dropper_Packed_R11_Feb18
Description: Auto-generated rule - file scan copy.pdf.r11
Author: Florian Roth
Strings:
  • 0x26f8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

Source: 00000007.00000000.335904974.0000000001300000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_GuLoader_2
Description: Yara detected GuLoader
Author: Joe Security

Source: 00000007.00000002.567367145.000000001E271000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_AgentTesla_1
Description: Yara detected AgentTesla
Author: Joe Security

Source: 00000007.00000002.567367145.000000001E271000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

No Sigma rule has matched

        AV Detection

Source: 00000007.00000000.335904974.0000000001300000.00000040.00000400.00020000.00000000.sdmp, Malware Configuration Extractor: GuLoader {"Payload URL": "https://cdn.discordapp.com/attachments/934180388522299433/9350"}
Source: CasPol.exe.5340.5.memstrmin, Malware Configuration Extractor: AgentTesla {"Exfil Mode": "SMTP", "SMTP Info": "kubaba@bhgautopartes.comicui4cu2@@mail.bhgautopartes.comkubabareports@bhgautopartes.com"}
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, Virustotal: Detection: 17%
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, ReversingLabs: Detection: 23%
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown, HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.3:49750 version: TLS 1.2

        Networking

Source: Malware configuration extractor, URLs: https://cdn.discordapp.com/attachments/934180388522299433/9350
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View, IP Address: 162.159.133.233
Source: global traffic, HTTP traffic detected:
  GET /attachments/934180388522299433/935091672193314826/kubaba_yqzTpIrbd157.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: cdn.discordapp.com
  Cache-Control: no-cache
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown, Network traffic detected: HTTP traffic on port 49750 -> 443
Source: CasPol.exe, 00000007.00000002.567367145.000000001E271000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000007.00000002.567367145.000000001E271000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://DynDns.comDynDNS
Source: CasPol.exe, 00000007.00000002.567367145.000000001E271000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://JNREkg.com
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CasPol.exe, 00000007.00000003.361928759.0000000001629000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000003.362053804.0000000001629000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.558008011.0000000001620000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, String found in binary or memory: http://ocsp.digicert.com0C
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, String found in binary or memory: http://ocsp.digicert.com0O
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, String found in binary or memory: http://www.digicert.com/CPS0
Source: CasPol.exe, 00000007.00000002.558269317.00000000016B0000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://cdn.discordapp.com/attachments/934180388522299433/935091672193314826/kubaba_yqzTpIrbd157.bin
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, String found in binary or memory: https://www.digicert.com/CPS0
Source: CasPol.exe, 00000007.00000002.567367145.000000001E271000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown, DNS traffic detected: queries for: cdn.discordapp.com

        System Summary

Source: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
Source: 00000000.00000000.289570164.000000000040D000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
Source: initial sample, Static PE information: Filename: ORDEN DE COMPRA 80107.pdf________________________.exe
Source: ORDEN DE COMPRA 80107.pdf________________________.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000000.00000002.366777936.000000000040D000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: LokiBot_Dropper_Packed_R11_Feb18
  date = 2018-02-14
  hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029
  author = Florian Roth
  description = Auto-generated rule - file scan copy.pdf.r11
  reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5
  license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000000.289570164.000000000040D000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY, Matched rule: LokiBot_Dropper_Packed_R11_Feb18
  date = 2018-02-14
  hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029
  author = Florian Roth
  description = Auto-generated rule - file scan copy.pdf.r11
  reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5
  license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe, Code function: 0_2_0041357E
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe, Code function: 0_2_004015B8
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe, Code function: 0_2_00413579
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe, Code function: 0_2_0040192D
Source: C:\Users\user\Desktop\ORDEN DE COMPRA 80107.pdf________________________.exe, Code function: 0_2_004071BA