Windows Analysis Report
shipmentReceipt(22kb).pdf__customInvoice12074408.exe

Overview

General Information

Sample Name: shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Analysis ID: 876162
MD5: 278d48d9ea2fe8350796279e5d08a72a
SHA1: 30a693e39b775de6afbd146722d07bba0e4f16bf
SHA256: 53823b0378b9a17181fef455b3625e7909e703d600b480ffccc9a1c6d4232c4a
Tags: exe

Detection

AgentTesla, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected zgRAT
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

  • System is w10x64
  • kmk.exe (PID: 2400 cmdline: "C:\Users\user\AppData\Roaming\kmk\kmk.exe" MD5: 278D48D9EA2FE8350796279E5D08A72A)
    • kmk.exe (PID: 4588 cmdline: C:\Users\user\AppData\Roaming\kmk\kmk.exe MD5: 278D48D9EA2FE8350796279E5D08A72A)
  • kmk.exe (PID: 3276 cmdline: "C:\Users\user\AppData\Roaming\kmk\kmk.exe" MD5: 278D48D9EA2FE8350796279E5D08A72A)
  • cleanup

{"C2 url": "https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendDocumentsendMessage?chat_id=document"}

Source | Rule | Description | Author | Strings
00000005.00000002.799586620.0000000000430000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x1696:$a11: get_securityProfile
  • 0x1537:$a12: get_useSeparateFolderTree
  • 0x1946:$a14: get_archivingScope
  • 0x176e:$a15: get_providerName
  • 0x12fd:$a20: get_LastAccessed
  • 0x19e0:$a21: get_avatarType
  • 0x17eb:$a26: set_accountName
  • 0xc94:$a28: set_bindingConfigurationUID
  • 0x1846:$a31: set_username
  • 0x13e8:$a33: get_Clipboard
  • 0x13f6:$a34: get_Keyboard
  • 0x1403:$a37: get_Password
00000005.00000002.804401224.0000000003012000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.804401224.0000000003012000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author | Strings
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen
  • 0x2e600:$s1: get_kbok
  • 0x2ef34:$s2: get_CHoo
  • 0x2fb8f:$s3: set_passwordIsSet
  • 0x2e404:$s4: get_enableLog
  • 0x32b27:$s8: torbrowser
  • 0x3150a:$s10: logins
  • 0x30dd8:$s11: credential
  • 0x2d7e8:$g1: get_Clipboard
  • 0x2d7f6:$g2: get_Keyboard
  • 0x2d803:$g3: get_Password
  • 0x2ede2:$g4: get_CtrlKeyDown
  • 0x2edf2:$g5: get_ShiftKeyDown
  • 0x2ee03:$g6: get_AltKeyDown
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack | Windows_Trojan_AgentTesla_d3ac2b2f | unknown | unknown
  • 0x2eb45:$a3: MailAccountConfiguration
  • 0x2eb5e:$a5: SmtpAccountConfiguration
  • 0x2eb25:$a8: set_BindingAccountConfiguration
  • 0x2da96:$a11: get_securityProfile
  • 0x2d937:$a12: get_useSeparateFolderTree
  • 0x2f288:$a13: get_DnsResolver
  • 0x2dd46:$a14: get_archivingScope
  • 0x2db6e:$a15: get_providerName
  • 0x30273:$a17: get_priority
  • 0x2f847:$a18: get_advancedParameters
  • 0x2ec5f:$a19: get_disabledByRestriction
  • 0x2d6fd:$a20: get_LastAccessed
  • 0x2dde0:$a21: get_avatarType
  • 0x2f95e:$a22: get_signaturePresets
  • 0x2e404:$a23: get_enableLog
  • 0x2dbeb:$a26: set_accountName
  • 0x2fda9:$a27: set_InternalServerPort
  • 0x2d094:$a28: set_bindingConfigurationUID
  • 0x2f924:$a29: set_IdnAddress
  • 0x30127:$a30: set_GuidMasterKey
  • 0x2dc46:$a31: set_username
0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendDocumentsendMessage?chat_id=document"}
Source: kmk.exe.4588.7.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendMessage"}
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe | ReversingLabs: Detection: 16%
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe | Virustotal: Detection: 27%
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe | Avira: detection malicious, Label: HEUR/AGEN.1309734
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe | ReversingLabs: Detection: 16%
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe | Joe Sandbox ML: detected
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mOdw.pdb source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, kmk.exe.5.dr
Source: Binary string: mOdw.pdbSHA256 source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, kmk.exe.5.dr
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe | Code function: 4x nop then jmp 07FD925Bh

Networking

Source: Yara match | File source: 6.2.kmk.exe.3cbb920.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.kmk.exe.3c86100.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.kmk.exe.3c4c6e0.5.raw.unpack, type: UNPACKEDPE
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: kmk.exe, 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: kmk.exe, 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://UZQtUP.com
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.799586439.0000000000434000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot1360033246:AAF6H8m6YrL09doyxtsvJzZ_cIl__BCF4aU/sendDocumentdocument-----
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp, shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.799586439.0000000000436000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, kmk.exe, 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe
Source: shipmentReceipt(22kb).pdf__customInvoice12074408.exe, 00000000.00000002.565506875.00000000015DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\shipmentReceipt(22kb).pdf__customInvoice12074408.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\kmk\kmk.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.2.kmk.exe.3cbb920.7.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.kmk.exe.3cbb920.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 7.2.kmk.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.2.kmk.exe.3cbb920.7.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.kmk.exe.3cbb920.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.2.kmk.exe.3c86100.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.kmk.exe.3c86100.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.4462548.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.2.kmk.exe.3c86100.6.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.kmk.exe.3c86100.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.449bf68.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.shipmentReceipt(22kb).pdf__customInvoice12074408.exe.44d1788.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 6.2.kmk.exe.3c4c6e0.5.raw.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 6.2.kmk.exe.3c4c6e0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000005.00000002.799586620.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.573264210.0000000004D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000006.00000002.658231003.0000000003C4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000007.00000002.799586439.0000000000432000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000000.00000002.573264210.0000000004462000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000005.00000002.804401224.0000000002F51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000007.00000002.803741749.0000000002D11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: shipmentReceipt(22kb).pdf__customInvoice12074408.exe PID: 6492, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTe