Edit tour

Windows Analysis Report
offer_doc.exe

Overview

General Information

Sample Name:	offer_doc.exe
Analysis ID:	680343
MD5:	915026107719604ff39f95cd37c6da08
SHA1:	7708c1a71b95b019ff7d02e295938b342f2bdfb7
SHA256:	f6d4110e70ad9d1525395ad0f693bb5132d7684c989bc2e6ab2e4b12a22223f0
Tags:	agentteslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Snort IDS alert for network traffic

Tries to steal Mail credentials (via file / registry access)

Initial sample is a PE file and has a suspicious name

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains very large array initializations

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Creates a DirectInput object (often for capturing keystrokes)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

offer_doc.exe (PID: 5428 cmdline: "C:\Users\user\Desktop\offer_doc.exe" MD5: 915026107719604FF39F95CD37C6DA08)

offer_doc.exe (PID: 4516 cmdline: C:\Users\user\Desktop\offer_doc.exe MD5: 915026107719604FF39F95CD37C6DA08)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "info@rwan.asia", "Password": "RWAN802754", "Host": "mail.rwan.asia"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.446200384.0000000002CEF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3009d:$a13: get_DnsResolver 0x2e8b2:$a20: get_LastAccessed 0x30a1b:$a27: set_InternalServerPort 0x30d37:$a30: set_GuidMasterKey 0x2e9b9:$a33: get_Clipboard 0x2e9c7:$a34: get_Keyboard 0x2fcd0:$a35: get_ShiftKeyDown 0x2fce1:$a36: get_AltKeyDown 0x2e9d4:$a37: get_Password 0x2f480:$a38: get_PasswordHash 0x3049d:$a39: get_DefaultCredentials
00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_e577e17e	unknown	unknown	0x8004:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07
00000000.00000002.435893996.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x67425:$a13: get_DnsResolver 0x9ba45:$a13: get_DnsResolver 0xcfe65:$a13: get_DnsResolver 0x65c3a:$a20: get_LastAccessed 0x9a25a:$a20: get_LastAccessed 0xce67a:$a20: get_LastAccessed 0x67da3:$a27: set_InternalServerPort 0x9c3c3:$a27: set_InternalServerPort 0xd07e3:$a27: set_InternalServerPort 0x680bf:$a30: set_GuidMasterKey 0x9c6df:$a30: set_GuidMasterKey 0xd0aff:$a30: set_GuidMasterKey 0x65d41:$a33: get_Clipboard 0x9a361:$a33: get_Clipboard 0xce781:$a33: get_Clipboard 0x65d4f:$a34: get_Keyboard 0x9a36f:$a34: get_Keyboard 0xce78f:$a34: get_Keyboard 0x67058:$a35: get_ShiftKeyDown 0x9b678:$a35: get_ShiftKeyDown 0xcfa98:$a35: get_ShiftKeyDown
00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_AgentTesla_e577e17e	unknown	unknown	0x3f38c:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07 0x739ac:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07 0xa7dcc:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07
00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: offer_doc.exe PID: 5428	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: offer_doc.exe PID: 5428	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: offer_doc.exe PID: 5428	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x9889d:$a13: get_DnsResolver 0x97312:$a20: get_LastAccessed 0x991ca:$a27: set_InternalServerPort 0x99426:$a30: set_GuidMasterKey 0x97405:$a33: get_Clipboard 0x97413:$a34: get_Keyboard 0x9856f:$a35: get_ShiftKeyDown 0x98580:$a36: get_AltKeyDown 0x97420:$a37: get_Password 0x97e28:$a38: get_PasswordHash 0x98c71:$a39: get_DefaultCredentials
Process Memory Space: offer_doc.exe PID: 4516	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: offer_doc.exe PID: 4516	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: offer_doc.exe PID: 4516	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x38d6e:$a13: get_DnsResolver 0x377e3:$a20: get_LastAccessed 0x3969b:$a27: set_InternalServerPort 0x398f7:$a30: set_GuidMasterKey 0x378d6:$a33: get_Clipboard 0x378e4:$a34: get_Keyboard 0x38a40:$a35: get_ShiftKeyDown 0x38a51:$a36: get_AltKeyDown 0x378f1:$a37: get_Password 0x382f9:$a38: get_PasswordHash 0x39142:$a39: get_DefaultCredentials
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.offer_doc.exe.3bd37a8.7.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.offer_doc.exe.3bd37a8.7.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.offer_doc.exe.3bd37a8.7.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d4f:$s10: logins 0x307b6:$s11: credential 0x2cdb9:$g1: get_Clipboard 0x2cdc7:$g2: get_Keyboard 0x2cdd4:$g3: get_Password 0x2e0c0:$g4: get_CtrlKeyDown 0x2e0d0:$g5: get_ShiftKeyDown 0x2e0e1:$g6: get_AltKeyDown
0.2.offer_doc.exe.3bd37a8.7.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2e49d:$a13: get_DnsResolver 0x2ccb2:$a20: get_LastAccessed 0x2ee1b:$a27: set_InternalServerPort 0x2f137:$a30: set_GuidMasterKey 0x2cdb9:$a33: get_Clipboard 0x2cdc7:$a34: get_Keyboard 0x2e0d0:$a35: get_ShiftKeyDown 0x2e0e1:$a36: get_AltKeyDown 0x2cdd4:$a37: get_Password 0x2d880:$a38: get_PasswordHash 0x2e89d:$a39: get_DefaultCredentials
0.2.offer_doc.exe.3bd37a8.7.unpack	Windows_Trojan_AgentTesla_e577e17e	unknown	unknown	0x6404:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07
3.0.offer_doc.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
3.0.offer_doc.exe.400000.0.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
3.0.offer_doc.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b4f:$s10: logins 0x325b6:$s11: credential 0x2ebb9:$g1: get_Clipboard 0x2ebc7:$g2: get_Keyboard 0x2ebd4:$g3: get_Password 0x2fec0:$g4: get_CtrlKeyDown 0x2fed0:$g5: get_ShiftKeyDown 0x2fee1:$g6: get_AltKeyDown
3.0.offer_doc.exe.400000.0.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3029d:$a13: get_DnsResolver 0x2eab2:$a20: get_LastAccessed 0x30c1b:$a27: set_InternalServerPort 0x30f37:$a30: set_GuidMasterKey 0x2ebb9:$a33: get_Clipboard 0x2ebc7:$a34: get_Keyboard 0x2fed0:$a35: get_ShiftKeyDown 0x2fee1:$a36: get_AltKeyDown 0x2ebd4:$a37: get_Password 0x2f680:$a38: get_PasswordHash 0x3069d:$a39: get_DefaultCredentials
3.0.offer_doc.exe.400000.0.unpack	Windows_Trojan_AgentTesla_e577e17e	unknown	unknown	0x8204:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07
0.2.offer_doc.exe.3b9f188.6.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.offer_doc.exe.3b9f188.6.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.offer_doc.exe.3b9f188.6.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x30d4f:$s10: logins 0x307b6:$s11: credential 0x2cdb9:$g1: get_Clipboard 0x2cdc7:$g2: get_Keyboard 0x2cdd4:$g3: get_Password 0x2e0c0:$g4: get_CtrlKeyDown 0x2e0d0:$g5: get_ShiftKeyDown 0x2e0e1:$g6: get_AltKeyDown
0.2.offer_doc.exe.3b9f188.6.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x2e49d:$a13: get_DnsResolver 0x2ccb2:$a20: get_LastAccessed 0x2ee1b:$a27: set_InternalServerPort 0x2f137:$a30: set_GuidMasterKey 0x2cdb9:$a33: get_Clipboard 0x2cdc7:$a34: get_Keyboard 0x2e0d0:$a35: get_ShiftKeyDown 0x2e0e1:$a36: get_AltKeyDown 0x2cdd4:$a37: get_Password 0x2d880:$a38: get_PasswordHash 0x2e89d:$a39: get_DefaultCredentials
0.2.offer_doc.exe.3b9f188.6.unpack	Windows_Trojan_AgentTesla_e577e17e	unknown	unknown	0x6404:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07
0.2.offer_doc.exe.3bd37a8.7.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.offer_doc.exe.3bd37a8.7.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.offer_doc.exe.3bd37a8.7.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b4f:$s10: logins 0x66f6f:$s10: logins 0x325b6:$s11: credential 0x669d6:$s11: credential 0x2ebb9:$g1: get_Clipboard 0x62fd9:$g1: get_Clipboard 0x2ebc7:$g2: get_Keyboard 0x62fe7:$g2: get_Keyboard 0x2ebd4:$g3: get_Password 0x62ff4:$g3: get_Password 0x2fec0:$g4: get_CtrlKeyDown 0x642e0:$g4: get_CtrlKeyDown 0x2fed0:$g5: get_ShiftKeyDown 0x642f0:$g5: get_ShiftKeyDown 0x2fee1:$g6: get_AltKeyDown 0x64301:$g6: get_AltKeyDown
0.2.offer_doc.exe.3bd37a8.7.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x9c00f:$s1: file:/// 0x10fe2f:$s1: file:/// 0x9bf1f:$s2: {11111-22222-10009-11112} 0x10fd3f:$s2: {11111-22222-10009-11112} 0x9bf9f:$s3: {11111-22222-50001-00000} 0x10fdbf:$s3: {11111-22222-50001-00000} 0x992a3:$s4: get_Module 0x10d0c3:$s4: get_Module 0x2f122:$s5: Reverse 0x63542:$s5: Reverse 0x9971c:$s5: Reverse 0x10d53c:$s5: Reverse 0x30fd9:$s6: BlockCopy 0x653f9:$s6: BlockCopy 0x9b6e1:$s6: BlockCopy 0x10f501:$s6: BlockCopy 0x2f3c3:$s7: ReadByte 0x637e3:$s7: ReadByte 0x9c021:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ... 0x10fe41:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.offer_doc.exe.3bd37a8.7.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3029d:$a13: get_DnsResolver 0x646bd:$a13: get_DnsResolver 0x2eab2:$a20: get_LastAccessed 0x62ed2:$a20: get_LastAccessed 0x30c1b:$a27: set_InternalServerPort 0x6503b:$a27: set_InternalServerPort 0x30f37:$a30: set_GuidMasterKey 0x65357:$a30: set_GuidMasterKey 0x2ebb9:$a33: get_Clipboard 0x62fd9:$a33: get_Clipboard 0x2ebc7:$a34: get_Keyboard 0x62fe7:$a34: get_Keyboard 0x2fed0:$a35: get_ShiftKeyDown 0x642f0:$a35: get_ShiftKeyDown 0x2fee1:$a36: get_AltKeyDown 0x64301:$a36: get_AltKeyDown 0x2ebd4:$a37: get_Password 0x62ff4:$a37: get_Password 0x2f680:$a38: get_PasswordHash 0x63aa0:$a38: get_PasswordHash 0x3069d:$a39: get_DefaultCredentials
0.2.offer_doc.exe.3bd37a8.7.raw.unpack	Windows_Trojan_AgentTesla_e577e17e	unknown	unknown	0x8204:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07 0x3c624:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07
0.2.offer_doc.exe.3b9f188.6.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.offer_doc.exe.3b9f188.6.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.offer_doc.exe.3b9f188.6.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x32b4f:$s10: logins 0x6716f:$s10: logins 0x9b58f:$s10: logins 0x325b6:$s11: credential 0x66bd6:$s11: credential 0x9aff6:$s11: credential 0x2ebb9:$g1: get_Clipboard 0x631d9:$g1: get_Clipboard 0x975f9:$g1: get_Clipboard 0x2ebc7:$g2: get_Keyboard 0x631e7:$g2: get_Keyboard 0x97607:$g2: get_Keyboard 0x2ebd4:$g3: get_Password 0x631f4:$g3: get_Password 0x97614:$g3: get_Password 0x2fec0:$g4: get_CtrlKeyDown 0x644e0:$g4: get_CtrlKeyDown 0x98900:$g4: get_CtrlKeyDown 0x2fed0:$g5: get_ShiftKeyDown 0x644f0:$g5: get_ShiftKeyDown 0x98910:$g5: get_ShiftKeyDown
0.2.offer_doc.exe.3b9f188.6.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xd062f:$s1: file:/// 0x14444f:$s1: file:/// 0xd053f:$s2: {11111-22222-10009-11112} 0x14435f:$s2: {11111-22222-10009-11112} 0xd05bf:$s3: {11111-22222-50001-00000} 0x1443df:$s3: {11111-22222-50001-00000} 0xcd8c3:$s4: get_Module 0x1416e3:$s4: get_Module 0x2f122:$s5: Reverse 0x63742:$s5: Reverse 0x97b62:$s5: Reverse 0xcdd3c:$s5: Reverse 0x141b5c:$s5: Reverse 0x30fd9:$s6: BlockCopy 0x655f9:$s6: BlockCopy 0x99a19:$s6: BlockCopy 0xcfd01:$s6: BlockCopy 0x143b21:$s6: BlockCopy 0x2f3c3:$s7: ReadByte 0x639e3:$s7: ReadByte 0x97e03:$s7: ReadByte
0.2.offer_doc.exe.3b9f188.6.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x3029d:$a13: get_DnsResolver 0x648bd:$a13: get_DnsResolver 0x98cdd:$a13: get_DnsResolver 0x2eab2:$a20: get_LastAccessed 0x630d2:$a20: get_LastAccessed 0x974f2:$a20: get_LastAccessed 0x30c1b:$a27: set_InternalServerPort 0x6523b:$a27: set_InternalServerPort 0x9965b:$a27: set_InternalServerPort 0x30f37:$a30: set_GuidMasterKey 0x65557:$a30: set_GuidMasterKey 0x99977:$a30: set_GuidMasterKey 0x2ebb9:$a33: get_Clipboard 0x631d9:$a33: get_Clipboard 0x975f9:$a33: get_Clipboard 0x2ebc7:$a34: get_Keyboard 0x631e7:$a34: get_Keyboard 0x97607:$a34: get_Keyboard 0x2fed0:$a35: get_ShiftKeyDown 0x644f0:$a35: get_ShiftKeyDown 0x98910:$a35: get_ShiftKeyDown
0.2.offer_doc.exe.3b9f188.6.raw.unpack	Windows_Trojan_AgentTesla_e577e17e	unknown	unknown	0x8204:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07 0x3c824:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07 0x70c44:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07
0.2.offer_doc.exe.3b68d68.5.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.offer_doc.exe.3b68d68.5.raw.unpack	JoeSecurity_AgentTesla_2	Yara detected AgentTesla	Joe Security
0.2.offer_doc.exe.3b68d68.5.raw.unpack	MALWARE_Win_AgentTeslaV3	AgentTeslaV3 infostealer payload	ditekSHen	0x68f6f:$s10: logins 0x9d58f:$s10: logins 0xd19af:$s10: logins 0x689d6:$s11: credential 0x9cff6:$s11: credential 0xd1416:$s11: credential 0x64fd9:$g1: get_Clipboard 0x995f9:$g1: get_Clipboard 0xcda19:$g1: get_Clipboard 0x64fe7:$g2: get_Keyboard 0x99607:$g2: get_Keyboard 0xcda27:$g2: get_Keyboard 0x64ff4:$g3: get_Password 0x99614:$g3: get_Password 0xcda34:$g3: get_Password 0x662e0:$g4: get_CtrlKeyDown 0x9a900:$g4: get_CtrlKeyDown 0xced20:$g4: get_CtrlKeyDown 0x662f0:$g5: get_ShiftKeyDown 0x9a910:$g5: get_ShiftKeyDown 0xced30:$g5: get_ShiftKeyDown
0.2.offer_doc.exe.3b68d68.5.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x106a4f:$s1: file:/// 0x17a86f:$s1: file:/// 0x10695f:$s2: {11111-22222-10009-11112} 0x17a77f:$s2: {11111-22222-10009-11112} 0x1069df:$s3: {11111-22222-50001-00000} 0x17a7ff:$s3: {11111-22222-50001-00000} 0x103ce3:$s4: get_Module 0x177b03:$s4: get_Module 0x65542:$s5: Reverse 0x99b62:$s5: Reverse 0xcdf82:$s5: Reverse 0x10415c:$s5: Reverse 0x177f7c:$s5: Reverse 0x673f9:$s6: BlockCopy 0x9ba19:$s6: BlockCopy 0xcfe39:$s6: BlockCopy 0x106121:$s6: BlockCopy 0x179f41:$s6: BlockCopy 0x657e3:$s7: ReadByte 0x99e03:$s7: ReadByte 0xce223:$s7: ReadByte
0.2.offer_doc.exe.3b68d68.5.raw.unpack	Windows_Trojan_AgentTesla_d3ac2b2f	unknown	unknown	0x666bd:$a13: get_DnsResolver 0x9acdd:$a13: get_DnsResolver 0xcf0fd:$a13: get_DnsResolver 0x64ed2:$a20: get_LastAccessed 0x994f2:$a20: get_LastAccessed 0xcd912:$a20: get_LastAccessed 0x6703b:$a27: set_InternalServerPort 0x9b65b:$a27: set_InternalServerPort 0xcfa7b:$a27: set_InternalServerPort 0x67357:$a30: set_GuidMasterKey 0x9b977:$a30: set_GuidMasterKey 0xcfd97:$a30: set_GuidMasterKey 0x64fd9:$a33: get_Clipboard 0x995f9:$a33: get_Clipboard 0xcda19:$a33: get_Clipboard 0x64fe7:$a34: get_Keyboard 0x99607:$a34: get_Keyboard 0xcda27:$a34: get_Keyboard 0x662f0:$a35: get_ShiftKeyDown 0x9a910:$a35: get_ShiftKeyDown 0xced30:$a35: get_ShiftKeyDown
0.2.offer_doc.exe.3b68d68.5.raw.unpack	Windows_Trojan_AgentTesla_e577e17e	unknown	unknown	0x3e624:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07 0x72c44:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07 0xa7064:$a: 20 4D 27 00 00 33 DB 19 0B 00 07 17 FE 01 2C 02 18 0B 00 07
Click to see the 28 entries

Snort Signatures

ET TROJAN AgentTesla Exfil Via SMTP - Source IP: 192.168.2.5 - Destination IP: 119.59.104.27

Timestamp:	192.168.2.5119.59.104.27497195872030171 08/08/22-12:37:22.771751
SID:	2030171
Source Port:	49719
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 - Source IP: 192.168.2.5 - Destination IP: 119.59.104.27

Timestamp:	192.168.2.5119.59.104.27497195872840032 08/08/22-12:37:22.771866
SID:	2840032
Source Port:	49719
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.5 - Destination IP: 119.59.104.27

Timestamp:	192.168.2.5119.59.104.27497195872851779 08/08/22-12:37:22.771866
SID:	2851779
Source Port:	49719
Destination Port:	587
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: offer_doc.exe

ReversingLabs: Detection: 24%

Machine Learning detection for sample

Source: offer_doc.exe

Joe Sandbox ML: detected

Source: 3.0.offer_doc.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 3.0.offer_doc.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "info@rwan.asia", "Password": "RWAN802754", "Host": "mail.rwan.asia"}

Source: offer_doc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: offer_doc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49719 -> 119.59.104.27:587
Source: Traffic	Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49719 -> 119.59.104.27:587
Source: Traffic	Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49719 -> 119.59.104.27:587

Source: Joe Sandbox View

ASN Name: METRABYTE-TH453LadplacoutJorakhaebuaTH METRABYTE-TH453LadplacoutJorakhaebuaTH

Source: global traffic

TCP traffic: 192.168.2.5:49719 -> 119.59.104.27:587

Source: global traffic

TCP traffic: 192.168.2.5:49719 -> 119.59.104.27:587

Source: offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dzByIm.com
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: offer_doc.exe, 00000003.00000002.678536332.00000000030EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.rwan.asia
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: offer_doc.exe, 00000000.00000002.434864485.0000000001097000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%
Source: offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: offer_doc.exe, 00000003.00000002.678536332.00000000030EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hI6edvnAmdv.org
Source: offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: mail.rwan.asia

Source: offer_doc.exe, 00000000.00000002.433866824.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.offer_doc.exe.3bd37a8.7.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.offer_doc.exe.3bd37a8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.offer_doc.exe.3bd37a8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
Source: 3.0.offer_doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 3.0.offer_doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 3.0.offer_doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
Source: 0.2.offer_doc.exe.3b9f188.6.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.offer_doc.exe.3b9f188.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.offer_doc.exe.3b9f188.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
Source: 0.2.offer_doc.exe.3bd37a8.7.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.offer_doc.exe.3bd37a8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.offer_doc.exe.3bd37a8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.offer_doc.exe.3bd37a8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
Source: 0.2.offer_doc.exe.3b9f188.6.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.offer_doc.exe.3b9f188.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.offer_doc.exe.3b9f188.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.offer_doc.exe.3b9f188.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
Source: 0.2.offer_doc.exe.3b68d68.5.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.offer_doc.exe.3b68d68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.offer_doc.exe.3b68d68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.offer_doc.exe.3b68d68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
Source: 00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
Source: 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_e577e17e Author: unknown
Source: Process Memory Space: offer_doc.exe PID: 5428, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: offer_doc.exe PID: 4516, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: offer_doc.exe

.NET source code contains very large array initializations

Source: 3.0.offer_doc.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bBFEAAEE6u002d466Du002d4D0Au002d8579u002d0D52F9710340u007d/u0038E7E1D9Bu002d4103u002d4A26u002d9CEAu002d5E7F2E73DD6F.cs

Large array initialization: .cctor: array initializer size 11630

Source: offer_doc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.offer_doc.exe.3bd37a8.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.offer_doc.exe.3bd37a8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.offer_doc.exe.3bd37a8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
Source: 3.0.offer_doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 3.0.offer_doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 3.0.offer_doc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
Source: 0.2.offer_doc.exe.3b9f188.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.offer_doc.exe.3b9f188.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.offer_doc.exe.3b9f188.6.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
Source: 0.2.offer_doc.exe.3bd37a8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.offer_doc.exe.3bd37a8.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.offer_doc.exe.3bd37a8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.offer_doc.exe.3bd37a8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
Source: 0.2.offer_doc.exe.3b9f188.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.offer_doc.exe.3b9f188.6.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.offer_doc.exe.3b9f188.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.offer_doc.exe.3b9f188.6.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
Source: 0.2.offer_doc.exe.3b68d68.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 0.2.offer_doc.exe.3b68d68.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.offer_doc.exe.3b68d68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0.2.offer_doc.exe.3b68d68.5.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
Source: 00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
Source: 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_e577e17e reference_sample = ed43ddb536e6c3f8513213cd6eb2e890b73e26d5543c0ba1deb2690b5c0385b6, os = windows, severity = x86, creation_date = 2022-03-11, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = 009cb27295a1aa0dde84d29ee49b8fa2e7a6cec75eccb7534fec3f5c89395a9d, id = e577e17e-5c42-4431-8c2d-0c1153128226, last_modified = 2022-04-12
Source: Process Memory Space: offer_doc.exe PID: 5428, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: offer_doc.exe PID: 4516, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 0_2_00BFCD04
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 0_2_00BFF0D0
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 0_2_06ED41D0
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 0_2_06ED4F28
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 0_2_07105DC8
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 0_2_07105590
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 0_2_071055A0
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 0_2_07106F9A
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 0_2_07106FA8
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0140F080
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_01406120
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0140F3C8
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0637BFB8
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_06378440
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0637C0C4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063776A8
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063732A8
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066AA278
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066AAA88
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066A8740
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066AF338
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066A7BC8
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066ABB80
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066A38C0
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066A28D0
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066ABB1C
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066AA939
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066A8930
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066FADE8
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066F1AC4
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_066F4B10
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0637A7E8

Source: offer_doc.exe, 00000000.00000002.438858978.0000000002B0B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs offer_doc.exe
Source: offer_doc.exe, 00000000.00000002.452768106.0000000006EB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs offer_doc.exe
Source: offer_doc.exe, 00000000.00000002.433866824.0000000000C0A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs offer_doc.exe
Source: offer_doc.exe, 00000000.00000002.453065620.0000000006F00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWebName.dll4 vs offer_doc.exe
Source: offer_doc.exe, 00000000.00000003.423409650.0000000000C95000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameKeysNormalize.dll4 vs offer_doc.exe
Source: offer_doc.exe, 00000000.00000002.453449981.0000000007070000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs offer_doc.exe
Source: offer_doc.exe, 00000000.00000000.407180408.00000000005EE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSYSTEMI.exeB vs offer_doc.exe
Source: offer_doc.exe, 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQIPpUdJOXlzKKWqWQXrayNItXcNYucwtbWIvIC.exe4 vs offer_doc.exe
Source: offer_doc.exe, 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDoncepre.dll@ vs offer_doc.exe
Source: offer_doc.exe, 00000000.00000002.435893996.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQIPpUdJOXlzKKWqWQXrayNItXcNYucwtbWIvIC.exe4 vs offer_doc.exe
Source: offer_doc.exe, 00000003.00000000.431756265.0000000000436000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQIPpUdJOXlzKKWqWQXrayNItXcNYucwtbWIvIC.exe4 vs offer_doc.exe
Source: offer_doc.exe, 00000003.00000002.673994817.0000000000BE8000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs offer_doc.exe
Source: offer_doc.exe, 00000003.00000002.674351176.000000000101A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs offer_doc.exe
Source: offer_doc.exe	Binary or memory string: OriginalFilenameSYSTEMI.exeB vs offer_doc.exe

Source: offer_doc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: offer_doc.exe

ReversingLabs: Detection: 24%

Source: offer_doc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\offer_doc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\offer_doc.exe "C:\Users\user\Desktop\offer_doc.exe"
Source: C:\Users\user\Desktop\offer_doc.exe	Process created: C:\Users\user\Desktop\offer_doc.exe C:\Users\user\Desktop\offer_doc.exe
Source: C:\Users\user\Desktop\offer_doc.exe	Process created: C:\Users\user\Desktop\offer_doc.exe C:\Users\user\Desktop\offer_doc.exe

Source: C:\Users\user\Desktop\offer_doc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Source: C:\Users\user\Desktop\offer_doc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\offer_doc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\offer_doc.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\offer_doc.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: offer_doc.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\offer_doc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\offer_doc.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: offer_doc.exe, ProcExpGUI/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.offer_doc.exe.520000.0.unpack, ProcExpGUI/Form1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.offer_doc.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.0.offer_doc.exe.400000.0.unpack, A/F1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Users\user\Desktop\offer_doc.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\offer_doc.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\offer_doc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\offer_doc.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: offer_doc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: offer_doc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: offer_doc.exe, ProcExpGUI/Form1.cs	.Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.offer_doc.exe.520000.0.unpack, ProcExpGUI/Form1.cs	.Net Code: WaitHandle System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716B2 push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716BA push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716A9 push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0637169E push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0637169A push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0637168E push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716F1 push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716FA push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716E2 push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716EA push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716D2 push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716D9 push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716C1 push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063716CA push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_06371732 push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_06371739 push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_06371721 push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0637172A push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_06371712 push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0637171A push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_06371702 push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_06371709 push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_06371752 push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_06371742 push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_0637174A push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063717B2 push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063717B9 push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063717A1 push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063717AE push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_063717AA push es; ret
Source: C:\Users\user\Desktop\offer_doc.exe	Code function: 3_2_06371796 push es; ret

Source: initial sample

Static PE information: section name: .text entropy: 7.788970576048009

Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\offer_doc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.446200384.0000000002CEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.435893996.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: offer_doc.exe PID: 5428, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: offer_doc.exe, 00000000.00000002.446200384.0000000002CEF000.00000004.00000800.00020000.00000000.sdmp, offer_doc.exe, 00000000.00000002.435893996.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: offer_doc.exe, 00000000.00000002.446200384.0000000002CEF000.00000004.00000800.00020000.00000000.sdmp, offer_doc.exe, 00000000.00000002.435893996.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\offer_doc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\offer_doc.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\offer_doc.exe TID: 5440	Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\Desktop\offer_doc.exe TID: 3108	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\offer_doc.exe TID: 3676	Thread sleep count: 9610 > 30

Source: C:\Users\user\Desktop\offer_doc.exe

Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\offer_doc.exe

Window / User API: threadDelayed 9610

Source: C:\Users\user\Desktop\offer_doc.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\offer_doc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\offer_doc.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\offer_doc.exe	Thread delayed: delay time: 45877
Source: C:\Users\user\Desktop\offer_doc.exe	Thread delayed: delay time: 922337203685477

Source: offer_doc.exe, 00000000.00000002.435893996.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: offer_doc.exe, 00000000.00000002.435893996.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: offer_doc.exe, 00000003.00000003.473613333.00000000010B9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: offer_doc.exe, 00000000.00000002.435893996.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: offer_doc.exe, 00000000.00000002.435893996.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Users\user\Desktop\offer_doc.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\offer_doc.exe

Code function: 3_2_066AB210 LdrInitializeThunk,

Source: C:\Users\user\Desktop\offer_doc.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\offer_doc.exe

Memory written: C:\Users\user\Desktop\offer_doc.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\offer_doc.exe

Process created: C:\Users\user\Desktop\offer_doc.exe C:\Users\user\Desktop\offer_doc.exe

Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Users\user\Desktop\offer_doc.exe VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Users\user\Desktop\offer_doc.exe VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\offer_doc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\offer_doc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.offer_doc.exe.3bd37a8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.offer_doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.offer_doc.exe.3b9f188.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.offer_doc.exe.3bd37a8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.offer_doc.exe.3b9f188.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.offer_doc.exe.3b68d68.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: offer_doc.exe PID: 5428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: offer_doc.exe PID: 4516, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\offer_doc.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\offer_doc.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\offer_doc.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\offer_doc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\offer_doc.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\offer_doc.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\offer_doc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\offer_doc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: Yara match	File source: 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: offer_doc.exe PID: 4516, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.offer_doc.exe.3bd37a8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.offer_doc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.offer_doc.exe.3b9f188.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.offer_doc.exe.3bd37a8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.offer_doc.exe.3b9f188.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.offer_doc.exe.3b68d68.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: offer_doc.exe PID: 5428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: offer_doc.exe PID: 4516, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	Path Interception	111 Process Injection	1 Masquerading	2 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	1 Input Capture	1 Process Discovery	Remote Desktop Protocol	1 Input Capture	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	1 Credentials in Registry	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	2 Data from Local System	Scheduled Transfer	11 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	114 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	13 Software Packing	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
offer_doc.exe	24%	ReversingLabs	ByteCode-MSIL.Trojan.Pwsx
offer_doc.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.0.offer_doc.exe.400000.0.unpack	100%	Avira	TR/Spy.Gen8		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
https://api.ipify.org%%startupfolder%	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://mail.rwan.asia	0%	Avira URL Cloud	safe
http://dzByIm.com	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	URL Reputation	safe
http://www.fontbureau.como	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
https://api.ipify.org%	0%	URL Reputation	safe
https://hI6edvnAmdv.org	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mail.rwan.asia	119.59.104.27	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.apache.org/licenses/LICENSE-2.0	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designersG	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/?	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.tiro.com	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org%%startupfolder%	offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low
http://www.goodfont.co.kr	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://mail.rwan.asia	offer_doc.exe, 00000003.00000002.678536332.00000000030EA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://dzByIm.com	offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.como	offer_doc.exe, 00000000.00000002.434864485.0000000001097000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	offer_doc.exe, 00000000.00000002.450816491.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org%	offer_doc.exe, 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	low
https://hI6edvnAmdv.org	offer_doc.exe, 00000003.00000002.678536332.00000000030EA000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
119.59.104.27	mail.rwan.asia	Thailand		56067	METRABYTE-TH453LadplacoutJorakhaebuaTH	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	680343
Start date and time: 08/08/202212:35:50	2022-08-08 12:35:50 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 25s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	offer_doc.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 98% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, licensing.mp.microsoft.com, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, storeedgefd.dsx.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:37:00	API Interceptor	759x Sleep call for process: offer_doc.exe modified

Process:	C:\Users\user\Desktop\offer_doc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1308
Entropy (8bit):	5.345811588615766
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84FsXE8:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzu
MD5:	2E016B886BDB8389D2DD0867BE55F87B
SHA1:	25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B
SHA-256:	1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427
SHA-512:	C100729153954328AA2A77EECB2A3CBD03CB7E8E23D736000F890B17AAA50BA87745E30FB9E2B0D61E16DCA45694C79B4CE09B9F4475220BEB38CAEA546CFC2A
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.782708595845613
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	offer_doc.exe
File size:	833536
MD5:	915026107719604ff39f95cd37c6da08
SHA1:	7708c1a71b95b019ff7d02e295938b342f2bdfb7
SHA256:	f6d4110e70ad9d1525395ad0f693bb5132d7684c989bc2e6ab2e4b12a22223f0
SHA512:	96a6c907bf2de1eb5e72c702a91a541b1d34f2ea176fc669f103ad7c80ea1d3e534632a5262215251d077c111f50dcd3d1828c58973ce598c6d22628d9d167f3
SSDEEP:	24576:NBZFxgV10k+YG7Cbgu8KPVeCwZOe9IbUDHDl:1gVWCFzDPVeCwc7U
TLSH:	2E05BF1BBF147308C5A76AB5EE0BBD6267F61C5D3135E0783A647C4A4AFF301E52242A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b..............0.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x4cceaa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x62F0B69A [Mon Aug 8 07:09:14 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcce58	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xce000	0x390	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xcaeb0	0xcb000	False	0.8195620381773399	PGP symmetric key encrypted data - Plaintext or unencrypted data	7.788970576048009	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xce000	0x390	0x400	False	0.3740234375	data	2.8957942416950724	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd0000	0xc	0x200	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xce058	0x334	data

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.5119.59.104.27497195872030171 08/08/22-12:37:22.771751	TCP	2030171	ET TROJAN AgentTesla Exfil Via SMTP	49719	587	192.168.2.5	119.59.104.27
192.168.2.5119.59.104.27497195872840032 08/08/22-12:37:22.771866	TCP	2840032	ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2	49719	587	192.168.2.5	119.59.104.27
192.168.2.5119.59.104.27497195872851779 08/08/22-12:37:22.771866	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49719	587	192.168.2.5	119.59.104.27

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2022 12:37:20.559009075 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:20.761368036 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:20.761497974 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:21.500310898 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:21.510185957 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:21.747618914 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:21.749319077 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:21.951539040 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:21.952100992 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:22.158607006 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:22.164627075 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:22.366159916 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:22.366766930 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:22.569576025 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:22.570023060 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:22.770673990 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:22.770766020 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:22.771750927 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:22.771866083 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:22.772742987 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:22.772816896 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:37:22.973253965 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:22.973604918 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:23.125147104 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:37:23.167823076 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:39:00.131582975 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:39:00.333028078 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:39:00.333506107 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:39:00.334780931 CEST	49719	587	192.168.2.5	119.59.104.27
Aug 8, 2022 12:39:00.535305977 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:39:00.536053896 CEST	587	49719	119.59.104.27	192.168.2.5
Aug 8, 2022 12:39:00.536117077 CEST	49719	587	192.168.2.5	119.59.104.27

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2022 12:37:20.161004066 CEST	51769	53	192.168.2.5	8.8.8.8
Aug 8, 2022 12:37:20.532987118 CEST	53	51769	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 8, 2022 12:37:20.161004066 CEST	192.168.2.5	8.8.8.8	0x3028	Standard query (0)	mail.rwan.asia	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 8, 2022 12:37:20.532987118 CEST	8.8.8.8	192.168.2.5	0x3028	No error (0)	mail.rwan.asia		119.59.104.27	A (IP address)	IN (0x0001)

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Aug 8, 2022 12:37:21.500310898 CEST	587	49719	119.59.104.27	192.168.2.5	220 ns61.hostinglotus.net ESMTP Exim 4.94.2 Mon, 08 Aug 2022 17:30:23 +0700
Aug 8, 2022 12:37:21.510185957 CEST	49719	587	192.168.2.5	119.59.104.27	EHLO 724536
Aug 8, 2022 12:37:21.747618914 CEST	587	49719	119.59.104.27	192.168.2.5	250-ns61.hostinglotus.net Hello 724536 [102.129.143.3] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Aug 8, 2022 12:37:21.749319077 CEST	49719	587	192.168.2.5	119.59.104.27	AUTH login aW5mb0Byd2FuLmFzaWE=
Aug 8, 2022 12:37:21.951539040 CEST	587	49719	119.59.104.27	192.168.2.5	334 UGFzc3dvcmQ6
Aug 8, 2022 12:37:22.158607006 CEST	587	49719	119.59.104.27	192.168.2.5	235 Authentication succeeded
Aug 8, 2022 12:37:22.164627075 CEST	49719	587	192.168.2.5	119.59.104.27	MAIL FROM:<info@rwan.asia>
Aug 8, 2022 12:37:22.366159916 CEST	587	49719	119.59.104.27	192.168.2.5	250 OK
Aug 8, 2022 12:37:22.366766930 CEST	49719	587	192.168.2.5	119.59.104.27	RCPT TO:<africawire2018@gmail.com>
Aug 8, 2022 12:37:22.569576025 CEST	587	49719	119.59.104.27	192.168.2.5	250 Accepted
Aug 8, 2022 12:37:22.570023060 CEST	49719	587	192.168.2.5	119.59.104.27	DATA
Aug 8, 2022 12:37:22.770766020 CEST	587	49719	119.59.104.27	192.168.2.5	354 Enter message, ending with "." on a line by itself
Aug 8, 2022 12:37:22.772816896 CEST	49719	587	192.168.2.5	119.59.104.27	.
Aug 8, 2022 12:37:23.125147104 CEST	587	49719	119.59.104.27	192.168.2.5	250 OK id=1oL01g-00Ephe-V7
Aug 8, 2022 12:39:00.131582975 CEST	49719	587	192.168.2.5	119.59.104.27	QUIT
Aug 8, 2022 12:39:00.333028078 CEST	587	49719	119.59.104.27	192.168.2.5	221 ns61.hostinglotus.net closing connection

Target ID:	0
Start time:	12:36:51
Start date:	08/08/2022
Path:	C:\Users\user\Desktop\offer_doc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\offer_doc.exe"
Imagebase:	0x520000
File size:	833536 bytes
MD5 hash:	915026107719604FF39F95CD37C6DA08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.446200384.0000000002CEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.435893996.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_AgentTesla_e577e17e, Description: unknown, Source: 00000000.00000002.447303398.0000000003B68000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Analysis Process: offer_doc.exePID: 4516, Parent PID: 5428

General

Target ID:	3
Start time:	12:37:02
Start date:	08/08/2022
Path:	C:\Users\user\Desktop\offer_doc.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\offer_doc.exe
Imagebase:	0x980000
File size:	833536 bytes
MD5 hash:	915026107719604FF39F95CD37C6DA08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_AgentTesla_e577e17e, Description: unknown, Source: 00000003.00000000.431207200.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.676265825.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report offer_doc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\offer_doc.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Windows Analysis Report
offer_doc.exe