Post on 20-Mar-2023
ID: 256530
Sample Name: Inv.exe
Cookbook: default.jbs
Time: 08:10:12
Date: 04/08/2020
Version: 29.0.0 Ocean Jasper
Table of Contents
Analysis Report Inv.exe
  Overview
    General Information
    Detection
    Signatures
    Classification
  Startup
  Malware Configuration
    Threatname: Agenttesla
  Yara Overview
    Memory Dumps
    Unpacked PEs
  Sigma Overview
    System Summary
  Signature Overview
    AV Detection
    Key, Mouse, Clipboard, Microphone and Screen Capturing
    System Summary
    Boot Survival
    Malware Analysis System Evasion
    HIPS / PFW / Operating System Protection Evasion
    Stealing of Sensitive Information
    Remote Access Functionality
  Mitre Att&ck Matrix
  Behavior Graph
  Screenshots
    Thumbnails
  Antivirus, Machine Learning and Genetic Malware Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
    URLs
  Domains and IPs
    Contacted Domains
    URLs from Memory and Binaries
    Contacted IPs
      Public
  General Information
  Simulations
    Behavior and APIs
  Created / dropped Files
  Static File Info
    General
    File Icon
    Static PE Info
      General
      Entrypoint Preview
      Data Directories
      Sections
      Resources
      Imports
      Version Infos
  Network Behavior
    Network Port Distribution
Copyright null 2020 Page 2 of 27
    TCP Packets
    UDP Packets
    DNS Queries
    DNS Answers
    SMTP Packets
  Code Manipulations
  Statistics
    Behavior
  System Behavior
    Analysis Process: Inv.exe PID: 6820 Parent PID: 5584
      General
      File Activities
        File Created
        File Deleted
        File Written
        File Read
    Analysis Process: schtasks.exe PID: 6976 Parent PID: 6820
      General
      File Activities
        File Read
    Analysis Process: conhost.exe PID: 6984 Parent PID: 6976
      General
    Analysis Process: Inv.exe PID: 7020 Parent PID: 6820
      General
      File Activities
        File Created
        File Read
  Disassembly
    Code Analysis
Analysis Report Inv.exe
Overview
General Information
Sample Name: Inv.exe
Analysis ID: 256530
MD5: dbba4a1cfb0c5e4…
SHA1: 601c3731d847b3…
SHA256: 2349240bbb67cb…
Detection
AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
Injects a PE file into a foreign process
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains capabilities to detect virtua…
Contains functionality to access load…
Contains long sleeps (>= 3 min)
Creates a process in suspended mo…
Creates a window with clipboard cap…
Detected TCP or UDP traffic on non…
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / Us…
Found inlined nop instructions (likely…
May sleep (evasive loops) to hinder…
PE file contains strange resources
Queries sensitive processor informa…
Queries the volume information (nam…
Sample execution stops while proce…
Sample file is different than original…
Uses SMTP (mail sending)
Uses code obfuscation techniques (…
Yara detected Credential Stealer
Classification
(radar chart not reproduced) Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; rings: clean, suspicious, malicious. The report's classification string mal100.troj.spyw.evad.winEXE@6/4@1/1 (see General Information) carries the tags troj, spyw and evad, i.e. the Trojan / Bot, Spyware and Evader axes.
Startup
System is w10x64
Inv.exe (PID: 6820 cmdline: 'C:\Users\user\Desktop\Inv.exe' MD5: DBBA4A1CFB0C5E47B375461AA25F09FC)
    schtasks.exe (PID: 6976 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpBE4B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    Inv.exe (PID: 7020 cmdline: C:\Users\user\Desktop\Inv.exe MD5: DBBA4A1CFB0C5E47B375461AA25F09FC)
cleanup
The first Inv.exe (PID 6820) registers persistence through schtasks.exe (task Updates\&startupname&, definition imported from an XML file in the user's Temp directory) and then launches a second copy of itself (PID 7020). The unpacked PE and the credential-stealer Yara hits listed below come from that second process (dump identifiers beginning 00000003), which fits the "Creates a process in suspended mode" and "Injects a PE file into a foreign process" signatures. The literal string &startupname& in both the task name and the dropped file name reads as a builder placeholder that was never substituted.

Malware Configuration
Threatname: Agenttesla
{
"Username: ": "Q3wkYpYBQ7YH",
"URL: ": "http://2R77GrtX4rGdY1LV.com",
"To: ": "sahareshyrov@gmail.com",
"ByHost: ": "bottleless.com:587",
"Password: ": "TH3SbQazDws",
"From: ": "test@bottleless.com"
}
This is AgentTesla's SMTP exfiltration profile: harvested data is mailed from test@bottleless.com through bottleless.com:587 (authenticating as Q3wkYpYBQ7YH) to sahareshyrov@gmail.com. It matches the only malicious network contact in the report (bottleless.com, 50.116.103.43, port 587) and the "Uses SMTP (mail sending)" signature.

Yara Overview
Memory Dumps
Source | Rule | Description | Author
00000000.00000002.229272296.0000000003AA9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.480748598.0000000002E38000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.480748598.0000000002E38000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.477584981.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.229071925.0000000002B20000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
(5 further entries are collapsed in the light report)
Unpacked PEs
Source | Rule | Description | Author
3.2.Inv.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview
System Summary:
Sigma detected: Scheduled temp file as task from temp location

Signature Overview
• AV Detection
• Software Vulnerabilities
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

AV Detection:
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Key, Mouse, Clipboard, Microphone and Screen Capturing:
Installs a global keyboard hook
System Summary:
Boot Survival:
Uses schtasks.exe or at.exe to add and modify task schedules
Malware Analysis System Evasion:
Yara detected AntiVM_3
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
HIPS / PFW / Operating System Protection Evasion:
Injects a PE file into a foreign process
Stealing of Sensitive Information:
Yara detected AgentTesla
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Remote Access Functionality:
Yara detected AgentTesla
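The Sigma rule "Scheduled temp file as task from temp location" and the "Uses schtasks.exe or at.exe to add and modify task schedules" signature both fire on the schtasks.exe command line in the process tree. The following is an added example, not part of the Joe Sandbox report, of the same detection logic run over Sysmon-style process-creation events: Image must be schtasks.exe, /Create and /XML must both be present, and the /XML argument must point into a temp location; the severity is raised when the parent runs from a user-writable path, as Inv.exe does from the Desktop. The events are constructed; the first reproduces the report's PID 6976 command line (with the double quotes the process actually receives), the others are negative cases. The Users\Public pattern and the severity rule are assumptions of this example, not part of the report's rule.

```python
"""Detection logic for the Sigma pattern in this report: schtasks.exe
importing a task definition (/XML) from a temp directory.

Added example, not part of the Joe Sandbox report. SAMPLE_EVENTS are
constructed Sysmon Event ID 1-style records; the first reproduces the
command line the report shows for PID 6976 (the report prints single
quotes, the process receives double quotes), the rest are negative cases.
"""
import re
import shlex
from dataclasses import dataclass

# Locations a task definition should never be imported from. The Users\Public
# entry is an assumption of this example, not something the report's rule names.
TEMP_PATTERNS = [
    re.compile(r"\\AppData\\Local\\Temp\\", re.I),
    re.compile(r"\\Windows\\Temp\\", re.I),
    re.compile(r"%temp%", re.I),
    re.compile(r"\\Users\\Public\\", re.I),
]
# A parent running from the user profile (here: Desktop) raises the severity.
USER_WRITABLE_PARENT = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.I)


@dataclass
class Match:
    pid: int
    task_name: str
    xml_path: str
    parent_image: str
    severity: str


def split_windows_cmdline(cmdline):
    """Tokenise a Windows command line, keeping quoted paths whole."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # posix=False: backslashes stay literal
    except ValueError:                              # unbalanced quotes: fall back to whitespace
        tokens = cmdline.split()
    return [t.strip('"') for t in tokens]


def arg_after(tokens, flag):
    """Value following a case-insensitive flag such as /TN or /XML, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == flag.lower():
            return tokens[i + 1]
    return None


def detect_schtasks_temp_xml(event):
    """Return a Match if the event is schtasks.exe creating a task from a temp XML."""
    if not event.get("Image", "").lower().endswith("\\schtasks.exe"):
        return None
    tokens = split_windows_cmdline(event.get("CommandLine", ""))
    flags = {t.lower() for t in tokens}
    if "/create" not in flags or "/xml" not in flags:
        return None
    xml_path = arg_after(tokens, "/xml") or ""
    if not any(p.search(xml_path) for p in TEMP_PATTERNS):
        return None
    parent = event.get("ParentImage", "")
    return Match(
        pid=int(event.get("ProcessId", 0)),
        task_name=arg_after(tokens, "/tn") or "",
        xml_path=xml_path,
        parent_image=parent,
        severity="high" if USER_WRITABLE_PARENT.search(parent) else "medium",
    )


def scan(events):
    """Run the detection over a list of events and return the matches."""
    return [m for m in map(detect_schtasks_temp_xml, events) if m is not None]


# Constructed sample events (Sysmon EID 1 fields), not taken from a real log.
SAMPLE_EVENTS = [
    {   # the report's PID 6976, spawned by Inv.exe (PID 6820)
        "ProcessId": 6976,
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "CommandLine": '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\&startupname&" '
                       '/XML "C:\\Users\\user\\AppData\\Local\\Temp\\tmpBE4B.tmp"',
        "ParentImage": "C:\\Users\\user\\Desktop\\Inv.exe",
    },
    {   # installer importing a task from ProgramData: no match
        "ProcessId": 4120,
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "CommandLine": 'schtasks.exe /Create /TN "Vendor\\Updater" /XML "C:\\ProgramData\\Vendor\\updater.xml" /F',
        "ParentImage": "C:\\Program Files\\Vendor\\setup.exe",
    },
    {   # /Create without /XML: outside this rule's scope
        "ProcessId": 4188,
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "CommandLine": 'schtasks /Create /SC ONLOGON /TN Backup /TR "C:\\Tools\\backup.exe"',
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    },
    {   # temp path on the command line of a different image: no match
        "ProcessId": 4200,
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c type C:\\Users\\user\\AppData\\Local\\Temp\\tmpBE4B.tmp",
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
]

if __name__ == "__main__":
    for m in scan(SAMPLE_EVENTS):
        print(f"[{m.severity}] PID {m.pid}: task {m.task_name!r} imported from {m.xml_path} "
              f"(parent {m.parent_image})")
```

Matching on the parsed /XML argument rather than on a substring of the whole command line is what keeps the cmd.exe event out: the temp path appears in its command line, but it is neither schtasks.exe nor a /Create /XML invocation.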
Mitre Att&ck Matrix
(matrix rendered as a list; the numbers in parentheses are the report's signature-count badges for each technique; tactics and cells without a badge had no signature mapped)
Initial Access: none
Execution: Windows Management Instrumentation (2 1 1); Scheduled Task/Job (1)
Persistence: Scheduled Task/Job (1)
Privilege Escalation: Process Injection (1 1 2); Scheduled Task/Job (1)
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (2); Masquerading (1); Virtualization/Sandbox Evasion (1 4); Process Injection (1 1 2)
Credential Access: OS Credential Dumping (2); Input Capture (1 1); Credentials in Registry (1)
Discovery: Account Discovery (1); File and Directory Discovery (1); System Information Discovery (1 1 4); Security Software Discovery (2 2 1); Virtualization/Sandbox Evasion (1 4); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1); Remote System Discovery (1)
Lateral Movement: none
Collection: Archive Collected Data (1 1); Data from Local System (2); Email Collection (1); Input Capture (1 1); Clipboard Data (1)
Exfiltration: none
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1)
Behavior Graph
ID: 256530 | Sample: Inv.exe | Startdate: 04/08/2020 | Architecture: WINDOWS | Score: 100
(graph image not reproduced; its nodes and labels follow)
Signatures shown at the root: Found malware configuration; Sigma detected: Scheduled temp file as task from temp location; Yara detected AgentTesla; 5 other signatures
Process nodes and "started" edges (bracketed numbers are the graph's per-process badges for created files / registry values):
Inv.exe [7]
    started schtasks.exe [1]
        started conhost.exe
    started Inv.exe [2]
Files dropped by the first Inv.exe:
C:\Users\user\AppData\...\&startupname&.exe, PE32
C:\...\&startupname&.exe:Zone.Identifier, ASCII
C:\Users\user\AppData\Local\...\tmpBE4B.tmp, XML
C:\Users\user\AppData\Local\...\Inv.exe.log, ASCII
Signatures attached to the first Inv.exe node: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign process
Network node: bottleless.com, 50.116.103.43, TCP port 587 (local port 49728), UNIFIEDLAYER-AS-1 US, United States
Signatures attached to the second Inv.exe node (PID 7020): Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 2 other signatures
Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet
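The graph shows the three persistence artifacts together: the task definition tmpBE4B.tmp (XML) in Temp, the dropped PE &startupname&.exe in AppData\Roaming, and that file's Zone.Identifier stream. The report does not reproduce the XML itself, so the following added example (not part of the Joe Sandbox report) constructs a minimal Task Scheduler definition of the shape such a task takes and shows how a responder triages exported task XML, the files found under C:\Windows\System32\Tasks: it resolves the Exec command, flags commands under user-writable paths, records logon/boot triggers and hidden tasks, and notes the unsubstituted &startupname& placeholder. The XML bodies, the expansion of %APPDATA% to C:\Users\user\AppData\Roaming and the benign comparison task are assumptions of this example; only the task name and the drop location come from the report.

```python
"""Triage of Task Scheduler XML for the persistence pattern in this report:
a task created from a temp-directory XML whose action runs a binary
dropped under the user profile.

Added example, not part of the Joe Sandbox report. The report does not
reproduce the contents of tmpBE4B.tmp, so TASK_XML is a constructed
minimal definition of the shape such a task takes; only the task name
(Updates\\&startupname&) and the drop location
(C:\\Users\\user\\AppData\\Roaming\\&startupname&.exe) come from the report.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Paths a persistent scheduled task should not normally execute from.
USER_WRITABLE = re.compile(
    r"[a-z]:\\users\\(?!public\\)[^\\]+\\(?:appdata|desktop|downloads|documents)\\"
    r"|[a-z]:\\users\\public\\"
    r"|[a-z]:\\windows\\temp\\"
    r"|%(?:appdata|localappdata|temp|tmp|userprofile|public)%",
    re.I,
)
# Assumption of this example: profile root C:\Users\user, as in the report's sandbox.
ENV = {
    "%APPDATA%": r"C:\Users\user\AppData\Roaming",
    "%LOCALAPPDATA%": r"C:\Users\user\AppData\Local",
    "%TEMP%": r"C:\Users\user\AppData\Local\Temp",
    "%USERPROFILE%": r"C:\Users\user",
}


def expand_env(path):
    """Expand the environment variables task actions commonly use (case-insensitive)."""
    for var, val in ENV.items():
        path = re.sub(re.escape(var), lambda _m, v=val: v, path, flags=re.I)
    return path


def _local(tag):
    """Strip the namespace from an element tag: '{ns}LogonTrigger' -> 'LogonTrigger'."""
    return tag.rsplit("}", 1)[-1]


def triage_task(xml_text, task_name):
    """Parse one task definition and return its actions, triggers and triage findings."""
    root = ET.fromstring(xml_text)
    findings, actions = [], []
    for exec_ in root.findall("t:Actions/t:Exec", NS):
        cmd = exec_.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exec_.findtext("t:Arguments", default="", namespaces=NS)
        resolved = expand_env(cmd)
        actions.append({"command": cmd, "arguments": args, "resolved": resolved})
        if USER_WRITABLE.search(resolved):
            findings.append(f"action runs from user-writable path: {resolved}")
    trig_el = root.find("t:Triggers", NS)
    triggers = [] if trig_el is None else [_local(t.tag) for t in trig_el]
    if {"LogonTrigger", "BootTrigger"} & set(triggers):
        findings.append("survives reboot/logon via " + ", ".join(triggers))
    if root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).lower() == "true":
        findings.append("task is hidden from the Task Scheduler UI")
    # The report shows the literal &startupname& in both the task name and the
    # dropped file: the builder's template variable was never substituted.
    if re.search(r"&[A-Za-z]+&", task_name):
        findings.append("unsubstituted builder placeholder in task name")
    return {
        "task": task_name,
        "actions": actions,
        "triggers": triggers,
        "findings": findings,
        "suspicious": any(f.startswith("action runs from") for f in findings),
    }


# Constructed task definitions (no XML declaration; the real files under
# C:\Windows\System32\Tasks are UTF-16 and can be passed to ET.fromstring as bytes).
TASK_NAME = r"Updates\&startupname&"
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><LogonType>InteractiveToken</LogonType>
    <RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden><ExecutionTimeLimit>PT0S</ExecutionTimeLimit></Settings>
  <Actions Context="Author"><Exec>
    <Command>"%APPDATA%\\&amp;startupname&amp;.exe"</Command>
  </Exec></Actions>
</Task>"""
BENIGN_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\Vendor\\Updater.exe</Command><Arguments>/silent</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in ((TASK_NAME, TASK_XML), (r"Vendor\Updater", BENIGN_XML)):
        result = triage_task(xml_text, name)
        print(f"{name}: suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The verdict hinges on where the action executes from, not on the trigger: a vendor updater with a logon trigger still gets the persistence note but is not marked suspicious, while a command resolving into AppData is, whichever trigger it uses.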
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow. (Images not reproduced.)
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source | Detection | Scanner | Label
Inv.exe | 100% | Joe Sandbox ML |
Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\&startupname&.exe | 100% | Joe Sandbox ML |
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
Source | Detection | Scanner | Label
www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
www.tiro.com | 0% | URL Reputation | safe
www.goodfont.co.kr | 0% | URL Reputation | safe
www.sajatypeworks.com | 0% | URL Reputation | safe
www.typography.netD | 0% | URL Reputation | safe
www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
fontfabrik.com | 0% | URL Reputation | safe
www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
www.sandoll.co.kr | 0% | URL Reputation | safe
www.urwpp.deDPlease | 0% | URL Reputation | safe
www.zhongyicts.com.cn | 0% | URL Reputation | safe
www.sakkal.com | 0% | URL Reputation | safe
www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
www.carterandcone.coml | 0% | URL Reputation | safe
www.founder.com.cn/cn | 0% | URL Reputation | safe
www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
Domains and IPs
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
asf-ris-prod-neurope.northeurope.cloudapp.azure.com | 168.63.67.155 | true | false | | high
bottleless.com | 50.116.103.43 | true | true | | unknown
URLs from Memory and Binaries
Most of these strings are font-foundry URLs (fontbureau, sajatypeworks, tiro, carterandcone, urwpp, sandoll, founder, jiyu-kobo, ...) taken from font metadata in the first process's memory, not addresses the sample contacts; the letsencrypt.org entries are certificate authority-information fields from a TLS certificate in memory. The entries that matter for this sample are bottleless.com (the configured SMTP host, see Malware Configuration) and 2R77GrtX4rGdY1LV.com (the configured URL, flagged malicious), both found in the second Inv.exe (00000003).
Name | Source | Malicious | Antivirus Detection | Reputation
www.fontbureau.com/designersG | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | | high
www.sajatypeworks.com0 | Inv.exe, 00000000.00000003.211334635.0000000005A7B000.00000004.00000001.sdmp | false | | unknown
www.fontbureau.com/designers/? | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | | high
www.founder.com.cn/cn/bThe | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
www.fontbureau.com/designers? | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | | high
www.sajatypeworks.comn-u | Inv.exe, 00000000.00000003.211334635.0000000005A7B000.00000004.00000001.sdmp | false | | unknown
www.jiyu-kobo.co.jp/jp/a= | Inv.exe, 00000000.00000003.214177129.0000000005A64000.00000004.00000001.sdmp | false | | unknown
www.sandoll.co.krndo | Inv.exe, 00000000.00000003.212536162.0000000005A66000.00000004.00000001.sdmp | false | | unknown
www.founder.com.cn/cnA | Inv.exe, 00000000.00000003.213164088.0000000005A64000.00000004.00000001.sdmp | false | | unknown
www.tiro.com | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
www.fontbureau.com/designers | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp; Inv.exe, 00000000.00000003.216337971.0000000005A69000.00000004.00000001.sdmp; Inv.exe, 00000000.00000003.216809722.0000000005A6D000.00000004.00000001.sdmp | false | | high
www.goodfont.co.kr | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
www.jiyu-kobo.co.jp/Verd | Inv.exe, 00000000.00000003.214177129.0000000005A64000.00000004.00000001.sdmp | false | | unknown
www.jiyu-kobo.co.jp/-cz | Inv.exe, 00000000.00000003.214177129.0000000005A64000.00000004.00000001.sdmp | false | | unknown
www.fontbureau.comiona | Inv.exe, 00000000.00000002.231822336.0000000005A60000.00000004.00000001.sdmp | false | | unknown
www.sajatypeworks.com | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
www.typography.netD | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
www.founder.com.cn/cn/cThe | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
www.galapagosdesign.com/staff/dennis.htm | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
fontfabrik.com | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
2R77GrtX4rGdY1LV.com | Inv.exe, 00000003.00000002.480748598.0000000002E38000.00000004.00000001.sdmp | true | | unknown
www.fonts.comic | Inv.exe, 00000000.00000003.211491106.0000000005A7B000.00000004.00000001.sdmp | false | | unknown
cert.int-x3.letsencrypt.org/0 | Inv.exe, 00000003.00000002.481972288.0000000002F62000.00000004.00000001.sdmp | false | | high
www.galapagosdesign.com/DPlease | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
www.jiyu-kobo.co.jp/Y0 | Inv.exe, 00000000.00000003.214177129.0000000005A64000.00000004.00000001.sdmp | false | | unknown
www.fonts.com | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | | high
www.sandoll.co.kr | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
www.urwpp.deDPlease | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
www.zhongyicts.com.cn | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Inv.exe, 00000000.00000002.228988270.0000000002AA1000.00000004.00000001.sdmp | false | | high
www.sakkal.com | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
cps.root-x1.letsencrypt.org0 | Inv.exe, 00000003.00000002.481972288.0000000002F62000.00000004.00000001.sdmp | false | | unknown
www.apache.org/licenses/LICENSE-2.0 | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | | high
www.fontbureau.com | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | | high
www.jiyu-kobo.co.jp/U | Inv.exe, 00000000.00000003.214177129.0000000005A64000.00000004.00000001.sdmp | false | | unknown
www.fonts.comc | Inv.exe, 00000000.00000003.211388065.0000000005A7B000.00000004.00000001.sdmp | false | | unknown
www.fonts.comto | Inv.exe, 00000000.00000003.211431826.0000000005A7B000.00000004.00000001.sdmp | false | | unknown
2R77GrtX4rGdY1LV.com$ | Inv.exe, 00000003.00000002.480748598.0000000002E38000.00000004.00000001.sdmp | false | | low
cps.letsencrypt.org0 | Inv.exe, 00000003.00000002.481972288.0000000002F62000.00000004.00000001.sdmp | false | | unknown
www.sandoll.co.krt | Inv.exe, 00000000.00000003.212536162.0000000005A66000.00000004.00000001.sdmp | false | | unknown
ocsp.int-x3.letsencrypt.org0/ | Inv.exe, 00000003.00000002.481972288.0000000002F62000.00000004.00000001.sdmp | false | | unknown
www.tiro.comn | Inv.exe, 00000000.00000003.211774793.0000000005A7B000.00000004.00000001.sdmp | false | | unknown
www.jiyu-kobo.co.jp/uchef | Inv.exe, 00000000.00000003.214177129.0000000005A64000.00000004.00000001.sdmp | false | | unknown
www.founder.com.cn/cn~ | Inv.exe, 00000000.00000003.213164088.0000000005A64000.00000004.00000001.sdmp | false | | unknown
www.tiro.comlic | Inv.exe, 00000000.00000003.211744394.0000000005A7B000.00000004.00000001.sdmp | false | | unknown
2R77GrtX4rGdY1LV.com1-5-21-3853321935-2125563209-4053062332-1002_Classes | Inv.exe, 00000003.00000003.310050379.0000000000B84000.00000004.00000001.sdmp | false | | low
www.jiyu-kobo.co.jp/jp/ | Inv.exe, 00000000.00000003.214177129.0000000005A64000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
en.w | Inv.exe, 00000000.00000003.210914982.000000000130D000.00000004.00000001.sdmp | false | | unknown
www.fontbureau.comgritop | Inv.exe, 00000000.00000002.231822336.0000000005A60000.00000004.00000001.sdmp | false | | unknown
www.carterandcone.coml | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
bottleless.com | Inv.exe, 00000003.00000002.481913612.0000000002F56000.00000004.00000001.sdmp | false | | unknown
www.founder.com.cn/cn/ | Inv.exe, 00000000.00000003.213164088.0000000005A64000.00000004.00000001.sdmp | false | | unknown
www.fontbureau.com/designers/cabarga.htmlN | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | | high
www.jiyu-kobo.co.jp/z | Inv.exe, 00000000.00000003.214177129.0000000005A64000.00000004.00000001.sdmp | false | | unknown
www.founder.com.cn/cn | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
www.fontbureau.com/designers/frere-user.html | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | | high
www.jiyu-kobo.co.jp/p | Inv.exe, 00000000.00000003.214177129.0000000005A64000.00000004.00000001.sdmp | false | | unknown
www.fontbureau.comm | Inv.exe, 00000000.00000002.231822336.0000000005A60000.00000004.00000001.sdmp | false | | unknown
www.jiyu-kobo.co.jp/ | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
www.founder.com.cn/cn1_ | Inv.exe, 00000000.00000003.212967208.0000000005A9D000.00000004.00000001.sdmp | false | | unknown
www.jiyu-kobo.co.jp/i | Inv.exe, 00000000.00000003.214177129.0000000005A64000.00000004.00000001.sdmp | false | | unknown
www.fontbureau.com/designers8 | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp; Inv.exe, 00000000.00000003.216809722.0000000005A6D000.00000004.00000001.sdmp | false | | high
www.founder.com.cn/cn%_ | Inv.exe, 00000000.00000003.212967208.0000000005A9D000.00000004.00000001.sdmp | false | | unknown
www.fontbureau.com/designers: | Inv.exe, 00000000.00000003.216337971.0000000005A69000.00000004.00000001.sdmp | false | | high
www.founder.com.cn/cnk-s | Inv.exe, 00000000.00000003.212967208.0000000005A9D000.00000004.00000001.sdmp | false | | unknown
Contacted IPs
Public
IP | Country | ASN | ASN Name | Malicious
50.116.103.43 | United States | 46606 | UNIFIEDLAYER-AS-1 US | true
General Information
Joe Sandbox Version: 29.0.0 Ocean Jasper
General Information
Analysis ID: 256530
Start date: 04.08.2020
Start time: 08:10:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 28s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Inv.exe
Cookbook file name: default.jbs
Analysis system description: w10x64 Windows 10 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/4@1/1
EGA Information: Failed
HDC Information: Successful, ratio: 1.4% (good quality ratio 1.1%); Quality average: 58.4%; Quality standard deviation: 37.4%
HCA Information: Successful, ratio: 98%; Number of executed functions: 0; Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 51.132.208.181, 23.10.249.43, 23.10.249.26, 23.54.113.104, 23.0.174.184, 23.0.174.185, 51.104.139.180, 52.155.217.156
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Simulations
Behavior and APIs
Time Type Description
08:11:03 API Interceptor 720x Sleep call for process: Inv.exe modified
Created / dropped Files
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Inv.exe.log
Process: C:\Users\user\Desktop\Inv.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 1314
Entropy (8bit): 5.350128552078965
Encrypted: false
MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious: true
Reputation: low
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
C:\Users\user\AppData\Local\Temp\tmpBE4B.tmp
Process: C:\Users\user\Desktop\Inv.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Size (bytes): 1646
Entropy (8bit): 5.173904955402888
Encrypted: false
MD5: 90D043FA85862B4CDFF66AA784AA584F
SHA1: 245FBD7FE81BBB8C85EB04167C73AB037E151CD7
SHA-256: 7F257D3E237135AF660C7041D66A0785228110559D066B10527ECC71F7AC2F44
SHA-512: 7B78AE82E047C7FD39C27A2C3C592536F7EA6DB391DC7142333E118EDD528DBD76A682904A0299E1AB9940EC6EAD35FE8208E1BC97E296DCE57A7BCB9D4F0022
Malicious: true
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true
C:\Users\user\AppData\Roaming\&startupname&.exe
Process: C:\Users\user\Desktop\Inv.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes): 679424
Entropy (8bit): 7.469364253170773
Encrypted: false
MD5: DBBA4A1CFB0C5E47B375461AA25F09FC
SHA1: 601C3731D847B3B3FDBCF188CCD99AA29E01ABF6
SHA-256: 2349240BBB67CB6B51D03EEE0E68060F8C1BF067C4845CF48E00CD0A9EEADEED
SHA-512: B6315F52662BC6AF31AB9C2F29BF0EE5EC2527C3A88EF093DB2001071D2D79EF570F1A5DB08C54A1D51DF7BCDD80DCFE7A070AB3C9683784FF6139D8B7F2ACBC
Malicious: true
Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
C:\Users\user\AppData\Roaming\&startupname&.exe:Zone.Identifier
Process: C:\Users\user\Desktop\Inv.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: low
Preview: [ZoneTransfer]....ZoneId=0
Static File Info
General
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.469364253170773
TrID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%; Win32 Executable (generic) a (10002005/4) 49.78%; Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%; Generic Win/DOS Executable (2004/3) 0.01%; DOS Executable Generic (2002/1) 0.01%
File name: Inv.exe
File size: 679424
MD5: dbba4a1cfb0c5e47b375461aa25f09fc
SHA1: 601c3731d847b3b3fdbcf188ccd99aa29e01abf6
SHA256: 2349240bbb67cb6b51d03eee0e68060f8c1bf067c4845cf48e00cd0a9eeadeed
SHA512: b6315f52662bc6af31ab9c2f29bf0ee5ec2527c3a88ef093db2001071d2d79ef570f1a5db08c54a1d51df7bcdd80dcfe7a070ab3c9683784ff6139d8b7f2acbc
SSDEEP: 12288:ntNJ8Mrg2iNfbgic+dXHuuin4rmd/EeujQTjGV3/ORXUVh9Ha:ntN3g1Z9c+ZHu14a9EvAq3WRXYX
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....'_.................@..........._... ...`....@.. ....................................@................................
File Icon
Icon Hash: 0060c07479010100
Static PE Info
General
Entrypoint: 0x495f0e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5F27F4A1 [Mon Aug 3 11:27:29 2020 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Entrypoint Preview
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the add instruction, the decoding of two zero bytes, is repeated for every remaining entry of the preview)
Data Directories
Name Virtual Address Virtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT 0x95ec0 0x4b .text
IMAGE_DIRECTORY_ENTRY_RESOURCE 0x96000 0x11804 .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY 0x0 0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC 0xa8000 0xc .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG 0x0 0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0
IMAGE_DIRECTORY_ENTRY_TLS 0x0 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_IAT 0x2000 0x8 .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x2008 0x48 .text
IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0
Sections
Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics
.text 0x2000 0x93f14 0x94000 False 0.829870275549 SysEx File - 7.65466418298 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc 0x96000 0x11804 0x11a00 False 0.373379321809 data 4.88368012601 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc 0xa8000 0xc 0x200 False 0.044921875 data 0.101910425663 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources
Name RVA Size Type Language Country
RT_ICON 0x96370 0x2e8 data
RT_ICON 0x96658 0x128 GLS_BINARY_LSB_FIRST
RT_ICON 0x96780 0xea8 data
RT_ICON 0x97628 0x8a8 data
RT_ICON 0x97ed0 0x568 GLS_BINARY_LSB_FIRST
RT_ICON 0x98438 0x464d PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON 0x9ca88 0x4228 dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
RT_ICON 0xa0cb0 0x25a8 data
RT_ICON 0xa3258 0x1a68 data
RT_ICON 0xa4cc0 0x10a8 data
RT_ICON 0xa5d68 0x988 data
RT_ICON 0xa66f0 0x6b8 data
RT_ICON 0xa6da8 0x468 GLS_BINARY_LSB_FIRST
RT_GROUP_ICON 0xa7210 0xbc data
RT_VERSION 0xa72cc 0x34c data
RT_MANIFEST 0xa7618 0x1ea XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Imports
DLL Import
mscoree.dll _CorExeMain
Version Infos
Description Data
Translation 0x0000 0x04b0
LegalCopyright Copyright Custume Me 2019
Assembly Version 1.0.0.0
InternalName yhAFvNveTd.exe
FileVersion 1.0.0.0
CompanyName Custume Me
LegalTrademarks
Comments
ProductName Parampaa
ProductVersion 1.0.0.0
FileDescription Parampaa
OriginalFilename yhAFvNveTd.exe
Network Behavior
Network Port Distribution
Total Packets: 35
• 53 (DNS)
• 587 undefined
TCP Packets
Timestamp Source Port Dest Port Source IP Dest IP
Aug 4, 2020 08:11:48.526885986 CEST 49728 587 192.168.2.4 50.116.103.43
Aug 4, 2020 08:11:48.661958933 CEST 587 49728 50.116.103.43 192.168.2.4
Aug 4, 2020 08:11:48.662116051 CEST 49728 587 192.168.2.4 50.116.103.43
Aug 4, 2020 08:11:52.775135040 CEST 587 49728 50.116.103.43 192.168.2.4
Aug 4, 2020 08:11:52.778963089 CEST 49728 587 192.168.2.4 50.116.103.43
Aug 4, 2020 08:11:52.915221930 CEST 587 49728 50.116.103.43 192.168.2.4
Aug 4, 2020 08:11:52.915546894 CEST 49728 587 192.168.2.4 50.116.103.43
Aug 4, 2020 08:11:53.057800055 CEST 587 49728 50.116.103.43 192.168.2.4
Aug 4, 2020 08:11:53.110872030 CEST 49728 587 192.168.2.4 50.116.103.43
Aug 4, 2020 08:11:53.234931946 CEST 49728 587 192.168.2.4 50.116.103.43
Aug 4, 2020 08:11:53.386358023 CEST 587 49728 50.116.103.43 192.168.2.4
Aug 4, 2020 08:11:53.386450052 CEST 587 49728 50.116.103.43 192.168.2.4
Aug 4, 2020 08:11:53.386532068 CEST 49728 587 192.168.2.4 50.116.103.43
Aug 4, 2020 08:11:53.386558056 CEST 587 49728 50.116.103.43 192.168.2.4
Aug 4, 2020 08:11:53.390436888 CEST 49728 587 192.168.2.4 50.116.103.43
Aug 4, 2020 08:11:53.526855946 CEST 587 49728 50.116.103.43 192.168.2.4
Aug 4, 2020 08:11:53.579674959 CEST 49728 587 192.168.2.4 50.116.103.43
Aug 4, 2020 08:11:53.851332903 CEST 49728 587 192.168.2.4 50.116.103.43
Aug 4, 2020 08:11:53.986567974 CEST 587 49728 50.116.103.43 192.168.2.4
Aug 4, 2020 08:11:53.988300085 CEST 49728 587 192.168.2.4 50.116.103.43
Aug 4, 2020 08:11:54.124540091 CEST 587 49728 50.116.103.43 192.168.2.4
Aug 4, 2020 08:11:54.125386000 CEST 49728 587 192.168.2.4 50.116.103.43
Aug 4, 2020 08:11:54.300699949 CEST 587 49728 50.116.103.43 192.168.2.4
Aug 4, 2020 08:11:54.308904886 CEST 587 49728 50.116.103.43 192.168.2.4
Aug 4, 2020 08:11:54.310067892 CEST 49728 587 192.168.2.4 50.116.103.43
Aug 4, 2020 08:11:54.445458889 CEST 587 49728 50.116.103.43 192.168.2.4
Aug 4, 2020 08:11:54.445997000 CEST 49728 587 192.168.2.4 50.116.103.43
Aug 4, 2020 08:11:54.621643066 CEST 587 49728 50.116.103.43 192.168.2.4
Aug 4, 2020 08:11:54.776187897 CEST 587 49728 50.116.103.43 192.168.2.4
Aug 4, 2020 08:11:54.776814938 CEST 49728 587 192.168.2.4 50.116.103.43
Aug 4, 2020 08:11:54.912034988 CEST 587 49728 50.116.103.43 192.168.2.4
Aug 4, 2020 08:11:54.914423943 CEST 49728 587 192.168.2.4 50.116.103.43
Aug 4, 2020 08:11:54.914606094 CEST 49728 587 192.168.2.4 50.116.103.43
Aug 4, 2020 08:11:54.915432930 CEST 49728 587 192.168.2.4 50.116.103.43
Aug 4, 2020 08:11:54.915515900 CEST 49728 587 192.168.2.4 50.116.103.43
Aug 4, 2020 08:11:55.049621105 CEST 587 49728 50.116.103.43 192.168.2.4
Aug 4, 2020 08:11:55.049674988 CEST 587 49728 50.116.103.43 192.168.2.4
Aug 4, 2020 08:11:55.050230980 CEST 587 49728 50.116.103.43 192.168.2.4
Aug 4, 2020 08:11:55.050262928 CEST 587 49728 50.116.103.43 192.168.2.4
Aug 4, 2020 08:11:55.068192959 CEST 587 49728 50.116.103.43 192.168.2.4
Aug 4, 2020 08:11:55.126701117 CEST 49728 587 192.168.2.4 50.116.103.43
UDP Packets
Timestamp Source Port Dest Port Source IP Dest IP
Aug 4, 2020 08:11:16.343913078 CEST 60674 53 192.168.2.4 8.8.8.8
Aug 4, 2020 08:11:16.357618093 CEST 53 60674 8.8.8.8 192.168.2.4
Aug 4, 2020 08:11:21.879592896 CEST 54414 53 192.168.2.4 8.8.8.8
Aug 4, 2020 08:11:21.911478996 CEST 53 54414 8.8.8.8 192.168.2.4
Aug 4, 2020 08:11:24.160145044 CEST 62217 53 192.168.2.4 8.8.8.8
Aug 4, 2020 08:11:24.191515923 CEST 53 62217 8.8.8.8 192.168.2.4
Aug 4, 2020 08:11:42.118902922 CEST 62645 53 192.168.2.4 8.8.8.8
Aug 4, 2020 08:11:42.150262117 CEST 53 62645 8.8.8.8 192.168.2.4
Aug 4, 2020 08:11:43.195971966 CEST 61821 53 192.168.2.4 8.8.8.8
Aug 4, 2020 08:11:43.209985971 CEST 53 61821 8.8.8.8 192.168.2.4
Aug 4, 2020 08:11:48.223282099 CEST 58618 53 192.168.2.4 8.8.8.8
Aug 4, 2020 08:11:48.429869890 CEST 53 58618 8.8.8.8 192.168.2.4
Aug 4, 2020 08:11:53.100792885 CEST 60967 53 192.168.2.4 8.8.8.8
Aug 4, 2020 08:11:53.114653111 CEST 53 60967 8.8.8.8 192.168.2.4
Aug 4, 2020 08:12:13.084856033 CEST 50987 53 192.168.2.4 8.8.8.8
Aug 4, 2020 08:12:13.101197958 CEST 53 50987 8.8.8.8 192.168.2.4
Aug 4, 2020 08:12:13.498830080 CEST 52517 53 192.168.2.4 8.8.8.8
Aug 4, 2020 08:12:13.513168097 CEST 53 52517 8.8.8.8 192.168.2.4
Aug 4, 2020 08:12:13.941891909 CEST 54004 53 192.168.2.4 8.8.8.8
Aug 4, 2020 08:12:13.956748009 CEST 53 54004 8.8.8.8 192.168.2.4
Aug 4, 2020 08:12:14.328084946 CEST 53431 53 192.168.2.4 8.8.8.8
Aug 4, 2020 08:12:14.342156887 CEST 53 53431 8.8.8.8 192.168.2.4
Aug 4, 2020 08:12:14.386648893 CEST 59215 53 192.168.2.4 8.8.8.8
Aug 4, 2020 08:12:14.415805101 CEST 53 59215 8.8.8.8 192.168.2.4
Aug 4, 2020 08:12:14.920761108 CEST 58452 53 192.168.2.4 8.8.8.8
Aug 4, 2020 08:12:14.934847116 CEST 53 58452 8.8.8.8 192.168.2.4
Aug 4, 2020 08:12:15.332097054 CEST 55996 53 192.168.2.4 8.8.8.8
Aug 4, 2020 08:12:15.345973015 CEST 53 55996 8.8.8.8 192.168.2.4
Aug 4, 2020 08:12:27.420011044 CEST 50544 53 192.168.2.4 8.8.8.8
Aug 4, 2020 08:12:27.434170008 CEST 53 50544 8.8.8.8 192.168.2.4
DNS Queries
Timestamp Source IP Dest IP Trans ID OP Code Name Type Class
Aug 4, 2020 08:11:48.223282099 CEST 192.168.2.4 8.8.8.8 0x1a85 Standard query (0) bottleless.com A (IP address) IN (0x0001)
DNS Answers
Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class
Aug 4, 2020 08:11:48.429869890 CEST 8.8.8.8 192.168.2.4 0x1a85 No error (0) bottleless.com 50.116.103.43 A (IP address) IN (0x0001)
Aug 4, 2020 08:12:14.415805101 CEST 8.8.8.8 192.168.2.4 0x11fa No error (0) asf-ris-prod-neurope.northeurope.cloudapp.azure.com 168.63.67.155 A (IP address) IN (0x0001)
Aug 4, 2020 08:12:27.434170008 CEST 8.8.8.8 192.168.2.4 0x44a No error (0) asf-ris-prod-neurope.northeurope.cloudapp.azure.com 168.63.67.155 A (IP address) IN (0x0001)
SMTP Packets
Timestamp Source Port Dest Port Source IP Dest IP Commands
Aug 4, 2020 08:11:52.775135040 CEST 587 49728 50.116.103.43 192.168.2.4 220-server.allxo.com ESMTP Exim 4.93 #2 Tue, 04 Aug 2020 00:11:51 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Aug 4, 2020 08:11:52.778963089 CEST 49728 587 192.168.2.4 50.116.103.43 EHLO 980108
Aug 4, 2020 08:11:52.915221930 CEST 587 49728 50.116.103.43 192.168.2.4 250-server.allxo.com Hello 980108 [91.132.136.174] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Aug 4, 2020 08:11:52.915546894 CEST 49728 587 192.168.2.4 50.116.103.43 STARTTLS
Aug 4, 2020 08:11:53.057800055 CEST 587 49728 50.116.103.43 192.168.2.4 220 TLS go ahead
Code Manipulations
Statistics
Behavior
• Inv.exe
• schtasks.exe
• conhost.exe
• Inv.exe
System Behavior
Analysis Process: Inv.exe PID: 6820 Parent PID: 5584
General
Start time: 08:10:57
Start date: 04/08/2020
Path: C:\Users\user\Desktop\Inv.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Inv.exe'
Imagebase: 0x670000
File size: 679424 bytes
MD5 hash: DBBA4A1CFB0C5E47B375461AA25F09FC
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.229272296.0000000003AA9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.229071925.0000000002B20000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.228988270.0000000002AA1000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low
File Activities
File Created
File Path Access Attributes Options Completion Count Source Address Symbol
C:\Users\user read data or list directory | synchronize device directory file | synchronous io non alert | open for backup ident | open reparse point object name collision 1 6D62CF06 unknown
C:\Users\user\AppData\Roaming read data or list directory | synchronize device directory file | synchronous io non alert | open for backup ident | open reparse point object name collision 1 6D62CF06 unknown
C:\Users\user\AppData\Roaming\&startupname&.exe read data or list directory | read attributes | delete | write dac | synchronize | generic read | generic write device sequential only | non directory file success or wait 1 6C47DD66 CopyFileW
C:\Users\user\AppData\Roaming\&startupname&.exe\:Zone.Identifier:$DATA read data or list directory | synchronize | generic write device sequential only | synchronous io non alert success or wait 1 6C47DD66 CopyFileW
C:\Users\user\AppData\Local\Temp\tmpBE4B.tmp read attributes | synchronize | generic read device synchronous io non alert | non directory file success or wait 1 6C477038 GetTempFileNameW
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Inv.exe.log read attributes | synchronize | generic write device synchronous io non alert | non directory file success or wait 1 6D93C78D CreateFileW
File Deleted
File Path Completion Count Source Address Symbol
C:\Users\user\AppData\Local\Temp\tmpBE4B.tmp success or wait 1 6C476A95 DeleteFileW
File Written
File Path Offset Length Ascii Completion Count Source Address Symbol
C:\Users\user\AppData\Roaming\&startupname&.exe 0 262144 MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....'_.................@..........._... ...`....@.. ....................................@................................ success or wait 3 6C47DD66 CopyFileW
C:\Users\user\AppData\Roaming\&startupname&.exe:Zone.Identifier 0 26 [ZoneTransfer]....ZoneId=0 success or wait 1 6C47DD66 CopyFileW
C:\Users\user\AppData\Local\Temp\tmpBE4B.tmp unknown 1646 <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationIn success or wait 1 6C471B4F WriteFile
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Inv.exe.log unknown 1314 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4. success or wait 1 6D93C907 WriteFile
File Read
File Path Offset Length Completion Count Source Address Symbol
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4097 success or wait 1 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4098 success or wait 1 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 7976 success or wait 1 6D605705 unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux unknown 176 success or wait 1 6D5603DE ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D60CA54 ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 6D60CA54 ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4097 success or wait 1 6D60CA54 ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4098 success or wait 1 6D60CA54 ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 7976 success or wait 1 6D60CA54 ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux unknown 620 success or wait 1 6D5603DE ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux unknown 864 success or wait 1 6D5603DE ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux unknown 900 success or wait 1 6D5603DE ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll.aux unknown 748 success or wait 1 6D5603DE ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4097 success or wait 1 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4098 success or wait 2 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 7976 success or wait 1 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4121 success or wait 1 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4253 success or wait 1 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 8171 end of file 1 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C471B4F ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C471B4F ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 2 6C471B4F ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C471B4F ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C471B4F ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C471B4F ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 2 6C471B4F ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 end of file 1 6C471B4F ReadFile
File ActivitiesFile Activities
Start time: 08:11:05
Start date: 04/08/2020
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpBE4B.tmp'
Imagebase: 0x3b0000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low
File Path Access Attributes Options Completion CountSourceAddress Symbol
File Path Offset Length Completion CountSourceAddress Symbol
C:\Users\user\AppData\Local\Temp\tmpBE4B.tmp unknown 2 success or wait 1 3BAB22 ReadFile
C:\Users\user\AppData\Local\Temp\tmpBE4B.tmp unknown 1647 success or wait 1 3BABD9 ReadFile
Analysis Process: conhost.exe PID: 6984 Parent PID: 6976

General
Start time: 08:11:05
Start date: 04/08/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff73df90000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: low

Analysis Process: Inv.exe PID: 7020 Parent PID: 6820

General
Start time: 08:11:06
Start date: 04/08/2020
Path: C:\Users\user\Desktop\Inv.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\Inv.exe
Imagebase: 0x9d0000
File size: 679424 bytes
MD5 hash: DBBA4A1CFB0C5E47B375461AA25F09FC
Has administrator privileges: false
Programmed in: .Net C# or VB.NET
Yara matches:
  Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.480748598.0000000002E38000.00000004.00000001.sdmp, Author: Joe Security
  Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.480748598.0000000002E38000.00000004.00000001.sdmp, Author: Joe Security
  Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.477584981.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
Reputation: low
File Activities

File Created
C:\Users\user
  Access: read data or list directory | synchronize
  Attributes: device
  Options: directory file | synchronous io non alert | open for backup ident | open reparse point
  Completion: object name collision  Count: 1  Source Address: 6D62CF06  Symbol: unknown
C:\Users\user\AppData\Roaming
  Access: read data or list directory | synchronize
  Attributes: device
  Options: directory file | synchronous io non alert | open for backup ident | open reparse point
  Completion: object name collision  Count: 1  Source Address: 6D62CF06  Symbol: unknown

File Read
File Path  Offset  Length  Completion  Count  Source Address  Symbol
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4097 success or wait 1 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4098 success or wait 1 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 7976 success or wait 1 6D605705 unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux unknown 176 success or wait 1 6D5603DE ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D60CA54 ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 6D60CA54 ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4097 success or wait 1 6D60CA54 ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4098 success or wait 1 6D60CA54 ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 7976 success or wait 1 6D60CA54 ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux unknown 620 success or wait 1 6D5603DE ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4097 success or wait 1 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4098 success or wait 2 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 7976 success or wait 1 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4121 success or wait 1 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4253 success or wait 1 6D605705 unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 8171 end of file 1 6D605705 unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux unknown 900 success or wait 1 6D5603DE ReadFile
C:\Program Files (x86)\jDownloader\config\database.script unknown 4096 success or wait 1 6C471B4F ReadFile
C:\Program Files (x86)\jDownloader\config\database.script unknown 4096 end of file 1 6C471B4F ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll.aux unknown 748 success or wait 1 6D5603DE ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux unknown 864 success or wait 1 6D5603DE ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C471B4F ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C471B4F ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 2 6C471B4F ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C471B4F ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C471B4F ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C471B4F ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 2 6C471B4F ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 end of file 1 6C471B4F ReadFile

Disassembly

Code Analysis