Windows Analysis Report
OR098765458900009876540.exe

Overview

General Information

Sample Name: OR098765458900009876540.exe
Analysis ID: 635066
MD5: cb490dd90ce8d9d11aadb9765abbe5e5
SHA1: 1557b8f1f9c2879a8de75689530f78d796d8fc04
SHA256: c0f90aecb695c93c21e13bbb346f794928bd4dfdde1c3c88c70f62acaf1d368e
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Yara detected Generic Downloader
Machine Learning detection for dropped file
Uses 32bit PE files
Yara signature match
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: 1.2.dktozm.exe.a20000.1.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "muhasebe@parkhotelizmir.com", "Password": "zHhYkTCp0(bk", "Host": "mail.parkhotelizmir.com"}
Source: OR098765458900009876540.exe Virustotal: Detection: 28%
Source: OR098765458900009876540.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Virustotal: Detection: 40%
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe Virustotal: Detection: 40%
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe ReversingLabs: Detection: 26%
Source: OR098765458900009876540.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe Joe Sandbox ML: detected
Source: OR098765458900009876540.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: C:\fhkoa\tmrvof\utxf\9028a39e21cc4788aca7630018f06cbf\jixuwv\evsohjmi\Release\evsohjmi.pdb source: OR098765458900009876540.exe, 00000000.00000002.269600052.000000000040B000.00000004.00000001.01000000.00000003.sdmp, OR098765458900009876540.exe, 00000000.00000002.269786138.0000000002734000.00000004.00000800.00020000.00000000.sdmp, dktozm.exe, 00000001.00000002.255310840.000000000117B000.00000002.00000001.01000000.00000004.sdmp, dktozm.exe, 00000001.00000002.255152045.0000000000E60000.00000004.00001000.00020000.00000000.sdmp, dktozm.exe, 00000001.00000000.250355664.000000000117B000.00000002.00000001.01000000.00000004.sdmp, dktozm.exe, 00000002.00000002.512729465.000000000117B000.00000002.00000001.01000000.00000004.sdmp, vxmtbmahtsqaf.exe, 00000005.00000000.271738739.0000000000E2B000.00000002.00000001.01000000.00000005.sdmp, vxmtbmahtsqaf.exe, 00000005.00000000.292788386.0000000000E2B000.00000002.00000001.01000000.00000005.sdmp, vxmtbmahtsqaf.exe, 00000008.00000000.291649043.0000000000E2B000.00000002.00000001.01000000.00000005.sdmp, vxmtbmahtsqaf.exe, 00000008.00000000.288899385.0000000000E2B000.00000002.00000001.01000000.00000005.sdmp, dktozm.exe.0.dr, nsa28F1.tmp.0.dr, vxmtbmahtsqaf.exe.1.dr
Source: C:\Users\user\Desktop\OR098765458900009876540.exe Code function: 0_2_00405426 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405426
Source: C:\Users\user\Desktop\OR098765458900009876540.exe Code function: 0_2_00405D9C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 0_2_00405D9C
Source: C:\Users\user\Desktop\OR098765458900009876540.exe Code function: 0_2_004026A1 FindFirstFileA, 0_2_004026A1

Networking

Source: Yara match File source: 1.2.dktozm.exe.a31658.0.raw.unpack, type: UNPACKEDPE
Source: dktozm.exe, 00000001.00000002.255113669.0000000000A20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: dktozm.exe, 00000001.00000002.255049339.00000000006BA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\OR098765458900009876540.exe Code function: 0_2_00404FDD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FDD

System Summary

Source: 1.2.dktozm.exe.a31658.0.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.dktozm.exe.a31658.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.dktozm.exe.a20000.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.dktozm.exe.a20000.1.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000001.00000002.255113669.0000000000A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.dktozm.exe.a31658.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.dktozm.exe.a31658.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.dktozm.exe.a20000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.dktozm.exe.a20000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000001.00000002.255113669.0000000000A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6584 -s 636
Source: C:\Users\user\Desktop\OR098765458900009876540.exe Code function: 0_2_004032FA EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004032FA
Source: C:\Users\user\Desktop\OR098765458900009876540.exe Code function: 0_2_004047EE 0_2_004047EE
Source: C:\Users\user\Desktop\OR098765458900009876540.exe Code function: 0_2_00406083 0_2_00406083
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Code function: 1_2_01177444 1_2_01177444
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Code function: 1_2_01176960 1_2_01176960
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Code function: 1_2_01174A4E 1_2_01174A4E
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Code function: 1_2_0117967D 1_2_0117967D
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Code function: 1_2_011786B1 1_2_011786B1
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Code function: 1_2_01176ED2 1_2_01176ED2
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Code function: 1_2_00A10C26 1_2_00A10C26
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe Code function: 5_2_00E27444 5_2_00E27444
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe Code function: 5_2_00E26960 5_2_00E26960
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe Code function: 5_2_00E26ED2 5_2_00E26ED2
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe Code function: 5_2_00E286B1 5_2_00E286B1
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe Code function: 5_2_00E2967D 5_2_00E2967D
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe Code function: 5_2_00E24A4E 5_2_00E24A4E
Source: OR098765458900009876540.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\OR098765458900009876540.exe File read: C:\Users\user\Desktop\OR098765458900009876540.exe
Source: OR098765458900009876540.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\OR098765458900009876540.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\OR098765458900009876540.exe "C:\Users\user\Desktop\OR098765458900009876540.exe"
Source: C:\Users\user\Desktop\OR098765458900009876540.exe Process created: C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\tweziehjnh
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Process created: C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\dktozm.exe C:\Users\user\AppData\Local\Temp\tweziehjnh
Source: unknown Process created: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe "C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe "C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe"
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6776 -s 176
Source: C:\Users\user\Desktop\OR098765458900009876540.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe File created: C:\Users\user\AppData\Roaming\wyimvgfphnjxg
Source: C:\Users\user\Desktop\OR098765458900009876540.exe File created: C:\Users\user\AppData\Local\Temp\nsa28F0.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/13@0/0
Source: C:\Users\user\Desktop\OR098765458900009876540.exe Code function: 0_2_00402078 CoCreateInstance,MultiByteToWideChar, 0_2_00402078
Source: C:\Users\user\Desktop\OR098765458900009876540.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\OR098765458900009876540.exe Code function: 0_2_00404333 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404333
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6584
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6776
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe Command line argument: & 5_2_00E22640
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Code function: 1_2_0116F115 push ecx; ret 1_2_0116F128
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe Code function: 5_2_00E1F115 push ecx; ret 5_2_00E1F128
Source: C:\Users\user\Desktop\OR098765458900009876540.exe Code function: 0_2_00405DDA GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405DDA
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe File created: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe
Source: C:\Users\user\Desktop\OR098765458900009876540.exe File created: C:\Users\user\AppData\Local\Temp\dktozm.exe
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run xnfumqdlkjxkua
Source: C:\Users\user\Desktop\OR098765458900009876540.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe API coverage: 2.6 %
Source: C:\Users\user\Desktop\OR098765458900009876540.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Code function: 1_2_0116E981 _memset,IsDebuggerPresent, 1_2_0116E981
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Code function: 1_2_01174475 RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 1_2_01174475
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Code function: 1_2_0117546A __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 1_2_0117546A
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Code function: 1_2_00A106F7 mov eax, dword ptr fs:[00000030h] 1_2_00A106F7
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Code function: 1_2_00A1061D mov eax, dword ptr fs:[00000030h] 1_2_00A1061D
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Code function: 1_2_00A103F8 mov eax, dword ptr fs:[00000030h] 1_2_00A103F8
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Code function: 1_2_00A10736 mov eax, dword ptr fs:[00000030h] 1_2_00A10736
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Code function: 1_2_00A10772 mov eax, dword ptr fs:[00000030h] 1_2_00A10772
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Code function: 1_2_0117159B SetUnhandledExceptionFilter, 1_2_0117159B
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Code function: 1_2_011715CC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_011715CC
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe Code function: 5_2_00E215CC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00E215CC
Source: C:\Users\user\AppData\Roaming\wyimvgfphnjxg\vxmtbmahtsqaf.exe Code function: 5_2_00E2159B SetUnhandledExceptionFilter, 5_2_00E2159B
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Code function: 1_2_0116FF53 cpuid 1_2_0116FF53
Source: C:\Users\user\AppData\Local\Temp\dktozm.exe Code function: 1_2_011710C8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_011710C8

Stealing of Sensitive Information

Source: Yara match File source: 1.2.dktozm.exe.a31658.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.dktozm.exe.a31658.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.dktozm.exe.a20000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.dktozm.exe.a20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.255113669.0000000000A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dktozm.exe PID: 6336, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 1.2.dktozm.exe.a31658.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.dktozm.exe.a31658.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.dktozm.exe.a20000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.dktozm.exe.a20000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.255113669.0000000000A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: dktozm.exe PID: 6336, type: MEMORYSTR
No contacted IP infos