Windows Analysis Report
Tender_QUOTATION__LH22000309AA2023.exe

Overview

General Information

Sample Name: Tender_QUOTATION__LH22000309AA2023.exe
Analysis ID: 830459
MD5: e615251b80317473a68488a21a1d0457
SHA1: 56f3a2dcf6d730126426ce2d65ae5819ca4c753e
SHA256: b4a5e199a29723b27c6aced8f28c7b39f29738bfb2ea3ada079e38c4aad366f4
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected unpacking (overwrites its own PE header)
Yara detected AgentTesla
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Contains functionality to read the PEB
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: Tender_QUOTATION__LH22000309AA2023.exe ReversingLabs: Detection: 43%
Source: Tender_QUOTATION__LH22000309AA2023.exe Virustotal: Detection: 46%
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Virustotal: Detection: 37%
Source: Tender_QUOTATION__LH22000309AA2023.exe Joe Sandbox ML: detected
Source: 3.2.rtvzitvzef.exe.400000.1.unpack Avira: Label: TR/Spy.Gen8
Source: 3.2.rtvzitvzef.exe.4950000.5.unpack Avira: Label: TR/Spy.Gen8
Source: 1.2.rtvzitvzef.exe.a23658.2.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "gtasportsltd.com", "Username": "vestorfile@gtasportsltd.com", "Password": "00$rqv^A,;te "}

Compliance

Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Unpacked PE file: 3.2.rtvzitvzef.exe.400000.1.unpack
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Unpacked PE file: 3.2.rtvzitvzef.exe.4950000.5.unpack
Source: Tender_QUOTATION__LH22000309AA2023.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Tender_QUOTATION__LH22000309AA2023.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: rtvzitvzef.exe, 00000001.00000003.250525206.000000001A170000.00000004.00001000.00020000.00000000.sdmp, rtvzitvzef.exe, 00000001.00000003.248575249.0000000019FE0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: rtvzitvzef.exe, 00000001.00000003.250525206.000000001A170000.00000004.00001000.00020000.00000000.sdmp, rtvzitvzef.exe, 00000001.00000003.248575249.0000000019FE0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 1_2_004089F8 FindFirstFileExW, 1_2_004089F8
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 3_2_00406715 FindFirstFileExW, 3_2_00406715
Source: Tender_QUOTATION__LH22000309AA2023.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405809

System Summary

Source: initial sample Static PE information: Filename: Tender_QUOTATION__LH22000309AA2023.exe
Source: Tender_QUOTATION__LH22000309AA2023.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe Code function: 0_2_00406D5F 0_2_00406D5F
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 1_2_00410371 1_2_00410371
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 1_2_009F08B7 1_2_009F08B7
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 1_2_009F0A34 1_2_009F0A34
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 3_2_0040CBD1 3_2_0040CBD1
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 3_2_023C7240 3_2_023C7240
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 3_2_023CC2F0 3_2_023CC2F0
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 3_2_023C7E58 3_2_023C7E58
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 3_2_023C7588 3_2_023C7588
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 3_2_023C4C7B 3_2_023C4C7B
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 3_2_056DCC51 3_2_056DCC51
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 3_2_056DC1BC 3_2_056DC1BC
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: String function: 004019C0 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: String function: 00401EE0 appears 33 times
Source: Tender_QUOTATION__LH22000309AA2023.exe ReversingLabs: Detection: 43%
Source: Tender_QUOTATION__LH22000309AA2023.exe Virustotal: Detection: 46%
Source: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe File read: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe
Source: Tender_QUOTATION__LH22000309AA2023.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe
Source: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe Process created: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe "C:\Users\user~1\AppData\Local\Temp\rtvzitvzef.exe" C:\Users\user~1\AppData\Local\Temp\ggbdhaflcbm.cer
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Process created: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe C:\Users\user~1\AppData\Local\Temp\rtvzitvzef.exe
Source: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe File created: C:\Users\user~1\AppData\Local\Temp\nsmC7A4.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/4@0/0
Source: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404AB5
Source: rtvzitvzef.exe, 00000003.00000002.507831904.000000000265D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5348:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 3_2_0040147B GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess, 3_2_0040147B
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Command line argument: A 1_2_00410940
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Tender_QUOTATION__LH22000309AA2023.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: rtvzitvzef.exe, 00000001.00000003.250525206.000000001A170000.00000004.00001000.00020000.00000000.sdmp, rtvzitvzef.exe, 00000001.00000003.248575249.0000000019FE0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: rtvzitvzef.exe, 00000001.00000003.250525206.000000001A170000.00000004.00001000.00020000.00000000.sdmp, rtvzitvzef.exe, 00000001.00000003.248575249.0000000019FE0000.00000004.00001000.00020000.00000000.sdmp
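Added example, not part of the Joe Sandbox report: the process chain above (an NSIS-built dropper run from the Desktop starts rtvzitvzef.exe in %TEMP% with a .cer file as its only argument, and rtvzitvzef.exe then re-launches its own image, which together with "Creates a process in suspended mode" and the execute/read/write section mapping later in the report is the classic hollowing shape) can be expressed as a process-tree check. The Python below runs two such rules over constructed Sysmon-style process creation records. Only PID 5760 and the image paths and command lines come from the report; the other PIDs, the rule names and the explorer.exe/chrome.exe control events are assumptions made for this example. Note that the command lines carry 8.3 short names (user~1) while the image paths do not, so the self-spawn rule compares image paths rather than command lines.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed records in the shape of Sysmon Event ID 1 (process creation),
# modelled on the chain in the report. Only PID 5760 is taken from the report
# (the Yara hits name it); the other PIDs and the explorer/chrome control
# events are made up for this example.
EVENTS = [
    dict(pid=1000, ppid=400, image=r"C:\Windows\explorer.exe",
         cmdline="explorer.exe"),
    dict(pid=2000, ppid=1000,
         image=r"C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe",
         cmdline=r"C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe"),
    dict(pid=3000, ppid=2000, image=r"C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe",
         cmdline=r'"C:\Users\user~1\AppData\Local\Temp\rtvzitvzef.exe" '
                 r"C:\Users\user~1\AppData\Local\Temp\ggbdhaflcbm.cer"),
    dict(pid=3100, ppid=3000, image=r"C:\Windows\System32\conhost.exe",
         cmdline=r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    dict(pid=5760, ppid=3000, image=r"C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe",
         cmdline=r"C:\Users\user~1\AppData\Local\Temp\rtvzitvzef.exe"),
    # Control: a browser spawning its own renderer from Program Files is normal.
    dict(pid=4000, ppid=1000, image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         cmdline="chrome.exe"),
    dict(pid=4100, ppid=4000, image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         cmdline="chrome.exe --type=renderer"),
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
DESKTOP_RE = re.compile(r"\\Users\\[^\\]+\\Desktop\\", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js")


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def _args_after_image(cmdline: str) -> List[str]:
    """Tokenise a command line (quoted tokens kept whole) and drop the image."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    return [t.strip('"') for t in tokens[1:]]


def analyze(events) -> List[Finding]:
    by_pid: Dict[int, dict] = {e["pid"]: e for e in events}
    findings: List[Finding] = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        # Rule 1: a binary in %TEMP% re-launching its own image. Compare the
        # long image paths, not the command lines, which carry 8.3 short names
        # (user~1) and would defeat a naive string comparison.
        if TEMP_RE.search(e["image"]) and e["image"].lower() == parent["image"].lower():
            findings.append(Finding(e["pid"], "temp_self_spawn",
                                    f"{e['image']} spawned by identical image (pid {parent['pid']})"))
        # Rule 2: something run from the Desktop starts a %TEMP% executable and
        # hands it a file whose extension is not executable (here .cer): the
        # dropper-plus-encrypted-payload pattern.
        if DESKTOP_RE.search(parent["image"]) and TEMP_RE.search(e["image"]):
            payloads = [a for a in _args_after_image(e["cmdline"])
                        if "\\" in a and not a.lower().endswith(EXEC_EXT)]
            if payloads:
                findings.append(Finding(e["pid"], "desktop_to_temp_with_payload",
                                        f"payload argument(s): {payloads}"))
    return findings


def lineage(events, pid: int) -> List[str]:
    """Image names from the root ancestor down to pid, for triage output."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f.rule, f.pid, " -> ".join(lineage(EVENTS, f.pid)), "|", f.detail)
```

Run as-is it reports the Desktop-to-Temp launch of PID 3000 with the .cer payload argument and the self-spawn of PID 5760, and stays silent on the chrome.exe renderer. The 8.3 normalisation point matters in production too: Sysmon's Image field is the long path, but CommandLine is whatever the parent passed, so string-match rules written against CommandLine alone miss this sample.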

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Unpacked PE file: 3.2.rtvzitvzef.exe.400000.1.unpack
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Unpacked PE file: 3.2.rtvzitvzef.exe.400000.1.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Unpacked PE file: 3.2.rtvzitvzef.exe.4950000.5.unpack
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 1_2_00410AA4 push ecx; ret 1_2_00410AB7
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 3_2_0040D2E1 push ecx; ret 3_2_0040D2F4
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 3_2_023CD286 push esi; retf 3_2_023CD287
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 3_2_056D5278 pushfd ; iretd 3_2_056D5279
Source: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe File created: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe
Source: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe Process information set: NOOPENFILEERRORBOX (7 occurrences)
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Process information set: NOOPENFILEERRORBOX (52 occurrences)

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe TID: 2828 Thread sleep count: 495 > 30
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Window / User API: threadDelayed 495
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 1_2_009F07DA GetSystemInfo, 1_2_009F07DA
Source: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D74
Source: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe Code function: 0_2_0040699E FindFirstFileW,FindClose, 0_2_0040699E
Source: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 1_2_004089F8 FindFirstFileExW, 1_2_004089F8
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 3_2_00406715 FindFirstFileExW, 3_2_00406715
Source: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 1_2_0040636B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040636B
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 1_2_0040B0AF GetProcessHeap, 1_2_0040B0AF
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 1_2_009F005F mov eax, dword ptr fs:[00000030h] 1_2_009F005F
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 1_2_009F0109 mov eax, dword ptr fs:[00000030h] 1_2_009F0109
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 1_2_009F013E mov eax, dword ptr fs:[00000030h] 1_2_009F013E
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 1_2_009F017B mov eax, dword ptr fs:[00000030h] 1_2_009F017B
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 1_2_004018F8 SetUnhandledExceptionFilter, 1_2_004018F8
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 1_2_00401BF3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00401BF3
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 1_2_00401796 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00401796
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 3_2_00401E16 SetUnhandledExceptionFilter, 3_2_00401E16
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 3_2_00401C83 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00401C83
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 3_2_004060A4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_004060A4
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 3_2_00401F2A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00401F2A
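Added example, not part of the Joe Sandbox report: the evasion hits above (three VM-fingerprinting WMI classes, IsDebuggerPresent, a 495-iteration sleep loop that trips the report's "> 30" threshold, and an API chain that reads the PEB and can end in ExitProcess) are what an API-trace scorer should key on. The Python below, written for this page, scores constructed traces: one shaped like the rtvzitvzef.exe run, one where the sample decides it is in a sandbox and bails out, and one from a legitimate inventory tool that must not trigger. The API names, the WMI classes and the 30-sleep cut-off come from the report; the sleep durations, the list of "work" APIs, the two-class threshold and the trace ordering are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

Call = Tuple[str, str]  # (API name, argument summary)

# WMI classes whose Manufacturer / Model / Name / MAC fields expose hypervisor
# vendors. The report shows the first three being queried; the rest are
# common companions and are an assumption here.
VM_FINGERPRINT_CLASSES = {
    "Win32_Processor", "Win32_BaseBoard", "Win32_NetworkAdapterConfiguration",
    "Win32_Bios", "Win32_ComputerSystem", "Win32_NetworkAdapter",
    "Win32_DiskDrive", "Win32_VideoController",
}
# APIs that show the sample went on to do real work instead of quitting.
# Assumed list for the example.
WORK_APIS = {"CreateProcessW", "WriteFile", "connect", "WSAConnect",
             "InternetOpenUrlW", "WinHttpConnect", "RegSetValueExW"}
SLEEP_COUNT_THRESHOLD = 30  # the cut-off the report applies ("495 > 30")


@dataclass
class Verdict:
    vm_classes: List[str]
    sleep_calls: int
    sleep_ms_total: int
    debugger_checks: int
    early_exit: bool
    flags: List[str] = field(default_factory=list)


def score_trace(trace: List[Call]) -> Verdict:
    classes: List[str] = []
    sleeps = sleep_ms = dbg = 0
    did_work = early_exit = False
    for api, arg in trace:
        if api == "IWbemServices::CreateInstanceEnum" and arg in VM_FINGERPRINT_CLASSES:
            if arg not in classes:
                classes.append(arg)
        elif api == "Sleep":
            sleeps += 1
            sleep_ms += int(arg)
        elif api in ("IsDebuggerPresent", "CheckRemoteDebuggerPresent") or (
                api == "NtQueryInformationProcess" and arg == "ProcessDebugPort"):
            dbg += 1
        elif api in WORK_APIS:
            did_work = True
        elif api == "ExitProcess":
            # Fingerprinted the host, then quit without doing anything: the
            # "decision node leads to ExitProcess" shape the report describes.
            early_exit = len(classes) >= 2 and not did_work
            break
    v = Verdict(classes, sleeps, sleep_ms, dbg, early_exit)
    if len(classes) >= 2:
        v.flags.append("wmi_vm_fingerprint")
    if sleeps > SLEEP_COUNT_THRESHOLD:
        v.flags.append("sleep_loop")
    if dbg:
        v.flags.append("debugger_check")
    if early_exit:
        v.flags.append("early_exit_after_fingerprint")
    return v


def _wmi(cls: str) -> Call:
    return ("IWbemServices::CreateInstanceEnum", cls)


# Constructed trace shaped like the report's rtvzitvzef.exe run: a debugger
# check, three fingerprint queries, 495 short sleeps, then the suspended child
# process. Sleep length and ordering are assumptions.
SAMPLE_TRACE: List[Call] = (
    [("IsDebuggerPresent", ""), _wmi("Win32_Processor"), _wmi("Win32_BaseBoard"),
     _wmi("Win32_NetworkAdapterConfiguration"), ("GetSystemInfo", "")]
    + [("Sleep", "10")] * 495
    + [("CreateProcessW", "rtvzitvzef.exe CREATE_SUSPENDED"), ("ExitProcess", "0")]
)

# Same prologue, but the sample concludes it is being analysed and exits.
BAILOUT_TRACE: List[Call] = [
    _wmi("Win32_Processor"), _wmi("Win32_BaseBoard"), ("ExitProcess", "0")]

# A legitimate inventory tool: one WMI class, writes its report, exits.
INVENTORY_TRACE: List[Call] = [
    _wmi("Win32_Processor"), ("WriteFile", "inventory.txt"), ("ExitProcess", "0")]

if __name__ == "__main__":
    for name, tr in (("sample", SAMPLE_TRACE), ("bailout", BAILOUT_TRACE),
                     ("inventory", INVENTORY_TRACE)):
        print(name, score_trace(tr).flags)
```

The early-exit rule deliberately requires both several fingerprint classes and no work API before ExitProcess; a single Win32_Processor query followed by a clean exit is what every hardware-inventory script looks like, and flagging it would bury the real hits.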

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Process created: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe C:\Users\user~1\AppData\Local\Temp\rtvzitvzef.exe
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 1_2_00401A05 cpuid 1_2_00401A05
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 1_2_0040167D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_0040167D
Source: C:\Users\user\Desktop\Tender_QUOTATION__LH22000309AA2023.exe Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403640
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Code function: 3_2_023CF438 GetUserNameW, 3_2_023CF438

Stealing of Sensitive Information

Source: Yara match File source: 00000003.00000002.507831904.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rtvzitvzef.exe PID: 5760, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
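Added example, not part of the Joe Sandbox report: the credential-store accesses above (Thunderbird and Firefox profiles.ini, the Outlook profile keys, IncrediMail identities, Chrome's Login Data), taken together with the extracted configuration ("Exfil Mode": "SMTP", host gtasportsltd.com), give a two-stage stealer detection: a process that is not the owning browser or mail client touches several stores, then opens an outbound SMTP connection shortly afterwards. The Python below is written for this page and runs over constructed file, registry and network events. The paths, registry keys, exfil host and PID 5760 are from the report; the event layout, the relative timestamps, the owner image names (incmail.exe in particular), port 587 (the report states only "SMTP") and the five-minute window are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Credential stores the report shows being opened, each mapped to the process
# that legitimately owns it. Owner image names are assumptions for the example.
CREDENTIAL_STORES = [
    ("chrome_logins", re.compile(r"\\Google\\Chrome\\User Data\\.*\\Login Data$", re.I), "chrome.exe"),
    ("firefox_profile", re.compile(r"\\Mozilla\\Firefox\\profiles\.ini$", re.I), "firefox.exe"),
    ("thunderbird_profile", re.compile(r"\\Thunderbird\\profiles\.ini$", re.I), "thunderbird.exe"),
    ("outlook_profile", re.compile(
        r"\\(Windows Messaging Subsystem|Office\\\d+\.\d+\\Outlook)\\Profiles\\", re.I), "outlook.exe"),
    ("incredimail_identities", re.compile(r"\\IncrediMail\\Identities$", re.I), "incmail.exe"),
]
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe", "incmail.exe"}  # may talk SMTP legitimately
SMTP_PORTS = {25, 465, 587}
EXFIL_WINDOW_S = 300  # assumed: SMTP within five minutes of the first store access


@dataclass(frozen=True)
class Event:
    t: int        # seconds since the start of the run (constructed)
    kind: str     # "file", "reg" or "net"
    pid: int
    image: str
    target: str   # file path, registry key, or "host:port"


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def classify_store(target: str) -> Optional[Tuple[str, str]]:
    """Return (store name, owning image) if target is a known credential store."""
    for name, pat, owner in CREDENTIAL_STORES:
        if pat.search(target):
            return name, owner
    return None


def correlate(events: List[Event]) -> List[dict]:
    per_pid: Dict[int, dict] = {}
    for e in sorted(events, key=lambda ev: ev.t):
        st = per_pid.setdefault(e.pid, {"image": _basename(e.image), "stores": {},
                                        "first_t": None, "smtp": []})
        if e.kind in ("file", "reg"):
            hit = classify_store(e.target)
            if hit and hit[1] != st["image"]:  # an owner reading its own store is normal
                st["stores"].setdefault(hit[0], e.t)
                if st["first_t"] is None:
                    st["first_t"] = e.t
        elif e.kind == "net":
            host, _, port = e.target.rpartition(":")
            if int(port) in SMTP_PORTS:
                st["smtp"].append((e.t, host))
    findings = []
    for pid, st in per_pid.items():
        stores = sorted(st["stores"])
        if len(stores) >= 2:
            findings.append({"pid": pid, "rule": "multi_store_credential_access", "stores": stores})
        if stores and st["image"] not in MAIL_CLIENTS:
            for t, host in st["smtp"]:
                if 0 <= t - st["first_t"] <= EXFIL_WINDOW_S:
                    findings.append({"pid": pid, "rule": "credential_access_then_smtp",
                                     "host": host, "delay_s": t - st["first_t"]})
                    break
    return findings


MAL = r"C:\Users\user\AppData\Local\Temp\rtvzitvzef.exe"
# Constructed events mirroring the report's stealer behaviour, plus two controls.
EVENTS = [
    Event(1, "file", 5760, MAL, r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    Event(1, "reg", 5760, MAL, r"HKCU\Software\Microsoft\Windows NT\CurrentVersion"
                               r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    Event(2, "reg", 5760, MAL, r"HKCU\Software\IncrediMail\Identities"),
    Event(2, "file", 5760, MAL, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(3, "file", 5760, MAL, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    Event(9, "net", 5760, MAL, "gtasportsltd.com:587"),  # port assumed; report says only SMTP
    # Controls: Chrome reading its own store, Outlook talking to its own server.
    Event(5, "file", 4000, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event(60, "net", 7000, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
          "smtp.office365.com:587"),
]

if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f)
```

The owner check is what keeps this usable on a real fleet: browsers and mail clients open these files constantly, so the signal is the identity of the reader, not the read itself. The second rule is deliberately conditioned on the first; outbound SMTP from an arbitrary process is noisy on its own, but SMTP from a process that has just enumerated five credential stores is close to a confirmed exfiltration attempt.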

Remote Access Functionality

Source: Yara match File source: 00000003.00000002.507831904.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rtvzitvzef.exe PID: 5760, type: MEMORYSTR

No contacted IP infos