Windows Analysis Report
VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe

Overview

General Information

Sample Name: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe
Analysis ID: 635135
MD5: 9c4dccd93ae4440b5dbc580a85f53b94
SHA1: c9caa8238fc581ce3504a8513a2e3ee4701e9274
SHA256: 78990521b8fd82b6f0eae446fc6d3f4763764bd85f8820dc7d0a3eeb50d8933b
Tags: exe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Creates autostart registry keys with suspicious names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Creates processes with suspicious names
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Found malware configuration
Source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.6.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "-449207656", "Chat URL": "https://api.telegram.org/bot1338829993:AAGkgJ80sLaIYwBfp79Ps5EtdSP1XH6jBV8/sendDocument"}
Source: 231.exe.6908.26.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1338829993:AAGkgJ80sLaIYwBfp79Ps5EtdSP1XH6jBV8/sendMessage"}
Multi AV Scanner detection for submitted file
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Virustotal: Detection: 51% Perma Link
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe ReversingLabs: Detection: 80%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\231\231.exe ReversingLabs: Detection: 80%
Machine Learning detection for sample
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\231\231.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 27.0.231.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 27.2.231.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 1.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 27.0.231.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 21.0.231.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 21.0.231.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 27.0.231.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 27.0.231.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 21.0.231.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 27.0.231.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 21.0.231.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 21.2.231.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 21.0.231.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Uses 32bit PE files
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 27.0.231.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.231.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.231.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.231.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.231.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.231.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.231.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.231.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.231.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.450ed30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.44d9510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.231.exe.3909510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.231.exe.380ed30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.231.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.231.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.231.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.231.exe.37d9510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.231.exe.393ed30.1.raw.unpack, type: UNPACKEDPE
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, 00000001.00000002.518792616.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 231.exe, 00000015.00000002.371598282.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 231.exe, 0000001B.00000002.518793277.0000000003381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: 231.exe, 0000001B.00000002.518793277.0000000003381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: 231.exe, 0000001B.00000002.518793277.0000000003381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://kjcOuF.com
Source: 231.exe, 231.exe, 0000001B.00000000.354938229.0000000000FE2000.00000002.00000001.01000000.00000008.sdmp, VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, 231.exe.1.dr String found in binary or memory: http://sawebservice.red-gate.com/
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, 231.exe.1.dr String found in binary or memory: http://www.smartassembly.com/webservices/Reporting/
Source: 231.exe, 231.exe, 0000001B.00000000.354938229.0000000000FE2000.00000002.00000001.01000000.00000008.sdmp, VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, 231.exe.1.dr String found in binary or memory: http://www.smartassembly.com/webservices/Reporting/UploadReport2
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, 231.exe.1.dr String found in binary or memory: http://www.smartassembly.com/webservices/UploadReportLogin/
Source: 231.exe, 231.exe, 0000001B.00000000.354938229.0000000000FE2000.00000002.00000001.01000000.00000008.sdmp, VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, 231.exe.1.dr String found in binary or memory: http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, 00000000.00000002.261040909.00000000044D9000.00000004.00000800.00020000.00000000.sdmp, VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, 00000001.00000000.253607505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 231.exe, 00000014.00000002.346293586.0000000003909000.00000004.00000800.00020000.00000000.sdmp, 231.exe, 00000015.00000000.340208778.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 231.exe, 0000001A.00000002.367814812.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, 231.exe, 0000001B.00000002.515903120.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot1338829993:AAGkgJ80sLaIYwBfp79Ps5EtdSP1XH6jBV8/
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, 00000001.00000002.518792616.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 231.exe, 00000015.00000002.371598282.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 231.exe, 0000001B.00000002.518793277.0000000003381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot1338829993:AAGkgJ80sLaIYwBfp79Ps5EtdSP1XH6jBV8/sendDocumentdocument-----
Source: 231.exe String found in binary or memory: https://dsssdsa.fa
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, 231.exe.1.dr String found in binary or memory: https://dsssdsa.fa)Uri
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, 00000000.00000002.261040909.00000000044D9000.00000004.00000800.00020000.00000000.sdmp, VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, 00000001.00000000.253607505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 231.exe, 00000014.00000002.346293586.0000000003909000.00000004.00000800.00020000.00000000.sdmp, 231.exe, 00000015.00000000.340208778.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 231.exe, 0000001A.00000002.367814812.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, 231.exe, 0000001B.00000002.515903120.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, 00000001.00000002.518792616.0000000002901000.00000004.00000800.00020000.00000000.sdmp, 231.exe, 00000015.00000002.371598282.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 231.exe, 0000001B.00000002.518793277.0000000003381000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Jump to behavior
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Code function: 1_2_00BECF50 SetWindowsHookExW 0000000D,00000000,?,? 1_2_00BECF50
Creates a DirectInput object (often for capturing keystrokes)
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, 00000000.00000002.260674158.000000000169B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 27.0.231.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 21.0.231.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 21.0.231.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 27.0.231.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 20.2.231.exe.393ed30.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 27.2.231.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 21.0.231.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 27.0.231.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 27.0.231.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.44d9510.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 21.0.231.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 26.2.231.exe.37d9510.1.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.450ed30.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.44d9510.1.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 20.2.231.exe.3909510.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 26.2.231.exe.380ed30.2.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 21.0.231.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 21.2.231.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 27.0.231.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 26.2.231.exe.380ed30.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 26.2.231.exe.37d9510.1.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 20.2.231.exe.3909510.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 20.2.231.exe.393ed30.1.raw.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.450ed30.2.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000001.00000002.518792616.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0000001B.00000002.518793277.0000000003381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000015.00000002.371598282.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe PID: 6472, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: 231.exe PID: 6496, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: 231.exe PID: 476, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe
.NET source code contains very large array initializations
Source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007bA17F9E4Bu002dB23Eu002d4670u002d8522u002d97B1B11F19F6u007d/u0031054D6EEu002d42AFu002d424Au002d9F3Au002dCB1C9BDFFA8C.cs Large array initialization: .cctor: array initializer size 11788
Source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007bA17F9E4Bu002dB23Eu002d4670u002d8522u002d97B1B11F19F6u007d/u0031054D6EEu002d42AFu002d424Au002d9F3Au002dCB1C9BDFFA8C.cs Large array initialization: .cctor: array initializer size 11788
Source: 1.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bA17F9E4Bu002dB23Eu002d4670u002d8522u002d97B1B11F19F6u007d/u0031054D6EEu002d42AFu002d424Au002d9F3Au002dCB1C9BDFFA8C.cs Large array initialization: .cctor: array initializer size 11788
Source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007bA17F9E4Bu002dB23Eu002d4670u002d8522u002d97B1B11F19F6u007d/u0031054D6EEu002d42AFu002d424Au002d9F3Au002dCB1C9BDFFA8C.cs Large array initialization: .cctor: array initializer size 11788
Uses 32bit PE files
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 27.0.231.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 21.0.231.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 21.0.231.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 27.0.231.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 20.2.231.exe.393ed30.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 27.2.231.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 21.0.231.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 27.0.231.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 27.0.231.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.44d9510.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 21.0.231.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 26.2.231.exe.37d9510.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.450ed30.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.44d9510.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 20.2.231.exe.3909510.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 26.2.231.exe.380ed30.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 21.0.231.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 21.2.231.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 27.0.231.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 26.2.231.exe.380ed30.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 26.2.231.exe.37d9510.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 20.2.231.exe.3909510.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 20.2.231.exe.393ed30.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.450ed30.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000001.00000002.518792616.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0000001B.00000002.518793277.0000000003381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000015.00000002.371598282.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe PID: 6472, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: 231.exe PID: 6496, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: 231.exe PID: 476, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Detected potential crypto function
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Code function: 1_2_00B7AEC8 1_2_00B7AEC8
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Code function: 1_2_00B75F60 1_2_00B75F60
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Code function: 1_2_00BE2AE8 1_2_00BE2AE8
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Code function: 1_2_00BE6378 1_2_00BE6378
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Code function: 1_2_00BEC400 1_2_00BEC400
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Code function: 1_2_00BE1DE0 1_2_00BE1DE0
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Code function: 1_2_00BE4EA8 1_2_00BE4EA8
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Code function: 1_2_00BEC1E0 1_2_00BEC1E0
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Code function: 1_2_00BE52C8 1_2_00BE52C8
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Code function: 1_2_00BED6D8 1_2_00BED6D8
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Code function: 1_2_00CA46E0 1_2_00CA46E0
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Code function: 1_2_00CA3604 1_2_00CA3604
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Code function: 1_2_00CA45F0 1_2_00CA45F0
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 21_2_02F246E0 21_2_02F246E0
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 21_2_02F246D2 21_2_02F246D2
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 21_2_02F24630 21_2_02F24630
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 21_2_02F2D350 21_2_02F2D350
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 21_2_0635973C 21_2_0635973C
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 21_2_06357530 21_2_06357530
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 21_2_063590F0 21_2_063590F0
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 21_2_06356918 21_2_06356918
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 21_2_06355FFC 21_2_06355FFC
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 21_2_06356C60 21_2_06356C60
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 27_2_01B546E0 27_2_01B546E0
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 27_2_01B545F0 27_2_01B545F0
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 27_2_01B546B2 27_2_01B546B2
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 27_2_01B5D350 27_2_01B5D350
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 27_2_065A7530 27_2_065A7530
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 27_2_065A90F0 27_2_065A90F0
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 27_2_065A6918 27_2_065A6918
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 27_2_065A6C60 27_2_065A6C60
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Code function: 0_2_01682F00 CreateProcessAsUserA, 0_2_01682F00
Sample file is different than original file name gathered from version info
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, 00000000.00000002.260982705.00000000034D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLWABKHloeNeCwdHNjMDwbOzZQvZZLLbKL.exe4 vs VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, 00000000.00000002.260674158.000000000169B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, 00000000.00000002.261040909.00000000044D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLWABKHloeNeCwdHNjMDwbOzZQvZZLLbKL.exe4 vs VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, 00000001.00000000.253647167.0000000000438000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLWABKHloeNeCwdHNjMDwbOzZQvZZLLbKL.exe4 vs VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, 00000001.00000002.516701121.00000000008F8000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe
PE file contains strange resources
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 231.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 231.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Section loaded: sfc.dll Jump to behavior
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 231.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Virustotal: Detection: 51%
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe ReversingLabs: Detection: 80%
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe File read: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Jump to behavior
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe "C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe"
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process created: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\231\231.exe "C:\Users\user\AppData\Roaming\231\231.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\231\231.exe "C:\Users\user\AppData\Roaming\231\231.exe"
Source: C:\Users\user\AppData\Roaming\231\231.exe Process created: C:\Users\user\AppData\Roaming\231\231.exe C:\Users\user\AppData\Roaming\231\231.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\231\231.exe "C:\Users\user\AppData\Roaming\231\231.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\231\231.exe "C:\Users\user\AppData\Roaming\231\231.exe"
Source: C:\Users\user\AppData\Roaming\231\231.exe Process created: C:\Users\user\AppData\Roaming\231\231.exe C:\Users\user\AppData\Roaming\231\231.exe
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process created: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process created: C:\Users\user\AppData\Roaming\231\231.exe C:\Users\user\AppData\Roaming\231\231.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process created: C:\Users\user\AppData\Roaming\231\231.exe C:\Users\user\AppData\Roaming\231\231.exe Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\231\231.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\231\231.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/4@0/1
Source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.fb0000.0.unpack, u000fu0005/u0095u0005.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.510000.1.unpack, u000fu0005/u0095u0005.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.510000.3.unpack, u000fu0005/u0095u0005.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, u000fu0005/u0095u0005.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.fb0000.0.unpack, u000fu0005/u0095u0005.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 231.exe.1.dr, u000fu0005/u0095u0005.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.510000.1.unpack, u000fu0005/u0095u0005.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, u0097/u0005u0002.cs Cryptographic APIs: 'CreateDecryptor'
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, u0097/u0005u0002.cs Cryptographic APIs: 'TransformFinalBlock'
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe, u001a/u008eu001a.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.fb0000.0.unpack, u0097/u0005u0002.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.fb0000.0.unpack, u0097/u0005u0002.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.fb0000.0.unpack, u001a/u008eu001a.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.fb0000.0.unpack, u0097/u0005u0002.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.fb0000.0.unpack, u0097/u0005u0002.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.fb0000.0.unpack, u001a/u008eu001a.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 21_2_0635A61F push es; iretd 21_2_0635A63C
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 27_2_065AA61F push es; iretd 27_2_065AA63C
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 27_2_065A8532 push es; ret 27_2_065A8540
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 27_2_065AC080 push es; ret 27_2_065AC090
Source: initial sample Static PE information: section name: .text entropy: 7.7588479864
Source: initial sample Static PE information: section name: .text entropy: 7.7588479864
Creates processes with suspicious names
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe File created: \van nang tech-h#u00e0ng h#u00f3a y#u00eau c#u1ea7u_order rfq 2209865.exe
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe File created: \van nang tech-h#u00e0ng h#u00f3a y#u00eau c#u1ea7u_order rfq 2209865.exe Jump to behavior
Drops PE files
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe File created: C:\Users\user\AppData\Roaming\231\231.exe Jump to dropped file

Boot Survival
barindex
Creates autostart registry keys with suspicious names
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 231 Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 231 Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 231 Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe File opened: C:\Users\user\AppData\Roaming\231\231.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\231\231.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\231\231.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\231\231.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\231\231.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe TID: 6468 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe TID: 6848 Thread sleep count: 44 > 30 Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe TID: 6848 Thread sleep time: -40582836962160988s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe TID: 6852 Thread sleep count: 3813 > 30 Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe TID: 6852 Thread sleep count: 5983 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe TID: 3336 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe TID: 1892 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe TID: 1896 Thread sleep count: 397 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe TID: 1896 Thread sleep count: 179 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe TID: 2136 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe TID: 4816 Thread sleep count: 31 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe TID: 4816 Thread sleep time: -28592453314249787s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe TID: 4724 Thread sleep count: 7866 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe TID: 4724 Thread sleep count: 1862 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\231\231.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Window / User API: threadDelayed 3813 Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Window / User API: threadDelayed 5983 Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Window / User API: threadDelayed 397 Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Window / User API: threadDelayed 7866 Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Window / User API: threadDelayed 1862 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\231\231.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\231\231.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process token adjusted: Debug Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Code function: 1_2_00BE2490 LdrInitializeThunk, 1_2_00BE2490
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Memory written: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Memory written: C:\Users\user\AppData\Roaming\231\231.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Memory written: C:\Users\user\AppData\Roaming\231\231.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Process created: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process created: C:\Users\user\AppData\Roaming\231\231.exe C:\Users\user\AppData\Roaming\231\231.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Process created: C:\Users\user\AppData\Roaming\231\231.exe C:\Users\user\AppData\Roaming\231\231.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Queries volume information: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Queries volume information: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Queries volume information: C:\Users\user\AppData\Roaming\231\231.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Queries volume information: C:\Users\user\AppData\Roaming\231\231.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Queries volume information: C:\Users\user\AppData\Roaming\231\231.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Queries volume information: C:\Users\user\AppData\Roaming\231\231.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\AppData\Roaming\231\231.exe Code function: 21_2_063563F4 GetUserNameW, 21_2_063563F4

Stealing of Sensitive Information
barindex
Yara detected Telegram RAT
Source: Yara match File source: 00000001.00000002.518792616.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.518793277.0000000003381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.371598282.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe PID: 6472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 231.exe PID: 6496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 231.exe PID: 476, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match File source: 27.0.231.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.231.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.231.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.231.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.231.exe.393ed30.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.231.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.231.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.231.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.231.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.44d9510.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.231.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.231.exe.37d9510.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.450ed30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.44d9510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.231.exe.3909510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.231.exe.380ed30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.231.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.231.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.231.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.231.exe.380ed30.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.231.exe.37d9510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.231.exe.3909510.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.231.exe.393ed30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.450ed30.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.253607505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.515903120.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.367814812.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.356681363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.340208778.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.370461628.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.254906680.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.355665401.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.339810964.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.515882418.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.346293586.0000000003909000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.339477661.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.253095019.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.261040909.00000000044D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.356011581.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.254062993.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.356342873.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.339160538.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.518792616.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.519047597.00000000029B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.518793277.0000000003381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.371598282.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe PID: 6448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe PID: 6472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 231.exe PID: 6744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 231.exe PID: 6496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 231.exe PID: 6908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 231.exe PID: 476, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000002.518792616.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.518793277.0000000003381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.371598282.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe PID: 6472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 231.exe PID: 6496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 231.exe PID: 476, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Telegram RAT
Source: Yara match File source: 00000001.00000002.518792616.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.518793277.0000000003381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.371598282.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe PID: 6472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 231.exe PID: 6496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 231.exe PID: 476, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match File source: 27.0.231.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.231.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.231.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.231.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.231.exe.393ed30.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.231.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.231.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.231.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.231.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.44d9510.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.231.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.231.exe.37d9510.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.450ed30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.44d9510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.231.exe.3909510.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.231.exe.380ed30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.0.231.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.231.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.231.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.231.exe.380ed30.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.231.exe.37d9510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.231.exe.3909510.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.231.exe.393ed30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe.450ed30.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.253607505.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.515903120.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.367814812.00000000037D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.356681363.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.340208778.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.370461628.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.254906680.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.355665401.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.339810964.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.515882418.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.346293586.0000000003909000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.339477661.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.253095019.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.261040909.00000000044D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.356011581.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.254062993.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.356342873.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.339160538.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.518792616.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.519047597.00000000029B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.518793277.0000000003381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.371598282.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe PID: 6448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe PID: 6472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 231.exe PID: 6744, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 231.exe PID: 6496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 231.exe PID: 6908, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 231.exe PID: 476, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 635135 Sample: VAN NANG TECH-H#U00e0ng h#U... Startdate: 27/05/2022 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 9 other signatures 2->47 6 VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe 1 2->6         started        10 231.exe 2->10         started        12 231.exe 2->12         started        14 2 other processes 2->14 process3 file4 29 VAN NANG TECH-H#U0...RFQ 2209865.exe.log, ASCII 6->29 dropped 49 Injects a PE file into a foreign processes 6->49 16 VAN NANG TECH-H#U00e0ng h#U00f3a y#U00eau c#U1ea7u_order RFQ 2209865.exe 2 5 6->16         started        51 Multi AV Scanner detection for dropped file 10->51 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->53 55 Machine Learning detection for dropped file 10->55 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->57 20 231.exe 2 12->20         started        23 231.exe 2 14->23         started        signatures5 process6 dnsIp7 25 C:\Users\user\AppData\Roaming\231\231.exe, PE32 16->25 dropped 27 C:\Users\user\...\231.exe:Zone.Identifier, ASCII 16->27 dropped 33 Tries to steal Mail credentials (via file / registry access) 16->33 35 Creates autostart registry keys with suspicious names 16->35 37 Tries to harvest and steal browser information (history, passwords, etc) 16->37 39 2 other signatures 16->39 31 192.168.2.1 unknown unknown 20->31 file8 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious

Private

IP
192.168.2.1