Automated Malware Analysis Report for Inv.exe - Joe Sandbox

ID: 256530 Sample Name: Inv.exe Cookbook: default.jbs Time: 08:10:12 Date: 04/08/2020 Version: 29.0.0 Ocean Jasper



Table of Contents

Analysis Report Inv.exe
  Overview
    General Information
    Detection
    Signatures
    Classification
  Startup
  Malware Configuration
    Threatname: Agenttesla
  Yara Overview
    Memory Dumps
    Unpacked PEs
  Sigma Overview
    System Summary
  Signature Overview
    AV Detection
    Key, Mouse, Clipboard, Microphone and Screen Capturing
    System Summary
    Boot Survival
    Malware Analysis System Evasion
    HIPS / PFW / Operating System Protection Evasion
    Stealing of Sensitive Information
    Remote Access Functionality
  Mitre Att&ck Matrix
  Behavior Graph
  Screenshots
    Thumbnails
  Antivirus, Machine Learning and Genetic Malware Detection
    Initial Sample
    Dropped Files
    Unpacked PE Files
    Domains
    URLs
  Domains and IPs
    Contacted Domains
    URLs from Memory and Binaries
    Contacted IPs
      Public
  General Information
  Simulations
    Behavior and APIs
  Created / dropped Files
  Static File Info
    General
    File Icon
    Static PE Info
      General
      Entrypoint Preview
      Data Directories
      Sections
      Resources
      Imports
      Version Infos
  Network Behavior
    Network Port Distribution

Copyright null 2020 Page 2 of 27

    TCP Packets
    UDP Packets
    DNS Queries
    DNS Answers
    SMTP Packets
  Code Manipulations
  Statistics
    Behavior
  System Behavior
    Analysis Process: Inv.exe PID: 6820 Parent PID: 5584
      General
      File Activities
        File Created
        File Deleted
        File Written
        File Read
    Analysis Process: schtasks.exe PID: 6976 Parent PID: 6820
      General
      File Activities
        File Read
    Analysis Process: conhost.exe PID: 6984 Parent PID: 6976
      General
    Analysis Process: Inv.exe PID: 7020 Parent PID: 6820
      General
      File Activities
        File Created
        File Read
  Disassembly
    Code Analysis


Analysis Report Inv.exe

Overview

General Information

Sample Name: Inv.exe
Analysis ID: 256530
MD5: dbba4a1cfb0c5e4… (truncated in the overview; the full value DBBA4A1CFB0C5E47B375461AA25F09FC appears in the Startup process list)
SHA1: 601c3731d847b3…
SHA256: 2349240bbb67cb…

Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains capabilities to detect virtua…
Contains functionality to access load…
Contains long sleeps (>= 3 min)
Creates a process in suspended mo…
Creates a window with clipboard cap…
Detected TCP or UDP traffic on non…
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / Us…
Found inlined nop instructions (likely…
May sleep (evasive loops) to hinder…
PE file contains strange resources
Queries sensitive processor informa…
Queries the volume information (nam…
Sample execution stops while proce…
Sample file is different than original…
Uses SMTP (mail sending)
Uses code obfuscation techniques (…
Yara detected Credential Stealer

Classification

(Radar chart in the original, not reproduced. Axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner, each scaled clean / suspicious / malicious. The textual classification string given under General Information is mal100.troj.spyw.evad.winEXE@6/4@1/1, i.e. trojan, spyware and evader at score 100.)

Startup

System is w10x64
Inv.exe (PID: 6820 cmdline: 'C:\Users\user\Desktop\Inv.exe' MD5: DBBA4A1CFB0C5E47B375461AA25F09FC)
  schtasks.exe (PID: 6976 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpBE4B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
    conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  Inv.exe (PID: 7020 cmdline: C:\Users\user\Desktop\Inv.exe MD5: DBBA4A1CFB0C5E47B375461AA25F09FC)
cleanup

Two details of this tree are worth noting. The task name 'Updates\&startupname&' and the dropped copy &startupname&.exe carry the builder's template variable unsubstituted, so the literal string &startupname& is a cheap indicator for this build. The second Inv.exe (PID 7020) is the sample re-launching its own image: the memory dumps prefixed 00000003 below (the AgentTesla and Credential Stealer Yara hits and the unpacked PE 3.2.Inv.exe.400000.0.unpack) belong to that child, while the 00000000 dumps carrying the AntiVM_3 hit belong to the parent, which matches the "Creates a process in suspended mode" and "Injects a PE file into a foreign processes" signatures.

Malware Configuration

Threatname: AgentTesla

{
  "Username: ": "Q3wkYpYBQ7YH",
  "URL: ": "http://2R77GrtX4rGdY1LV.com",
  "To: ": "[email protected]",
  "ByHost: ": "bottleless.com:587",
  "Password: ": "TH3SbQazDws",
  "From: ": "[email protected]"
}

The "To" and "From" addresses appear as [email protected] in this copy of the report. The configuration is the SMTP exfiltration profile: stolen data is mailed through bottleless.com on port 587 with the credentials above, which is what the "Uses SMTP (mail sending)" signature and the port-587 connection in the behavior graph reflect.

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.229272296.0000000003AA9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.480748598.0000000002E38000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.480748598.0000000002E38000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000002.477584981.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.229071925.0000000002B20000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
(5 further entries are collapsed in the original report.)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.Inv.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Signature Overview

• AV Detection
• Software Vulnerabilities
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

AV Detection:

Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

System Summary:

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Malware Analysis System Evasion:

Yara detected AntiVM_3
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Stealing of Sensitive Information:

Yara detected AgentTesla
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)

Remote Access Functionality:

Yara detected AgentTesla
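The three WMI classes named in the evasion signatures above (Win32_Bios, Win32_BaseBoard, Win32_NetworkAdapter) are read because, on an unmodified guest, their string values name the hypervisor outright. The following is an added example, not part of the Joe Sandbox report and not the sample's own code: it evaluates two constructed WMI snapshots, a stock VirtualBox guest and a guest whose DMI strings and MAC OUI have been rewritten, against the vendor substrings and MAC OUIs such checks typically key on. The marker list, the OUI table and both snapshots (vendor names and serial numbers included) are assumptions for illustration.

```python
"""
Why the Win32_BIOS / Win32_BaseBoard / Win32_NetworkAdapter queries flagged
above work against an unmodified guest: the vendor strings and MAC OUI a
hypervisor hands out. Added example with constructed WMI snapshots; the
marker list and OUI table are illustrative assumptions, not the sample's own.
"""

# Substrings hypervisors leave in SMBIOS/DMI and adapter strings (assumption).
VM_MARKERS = ("vmware", "virtualbox", "vbox", "innotek", "qemu", "kvm",
              "bochs", "xen", "hyper-v", "parallels", "virtual")

# IEEE OUIs registered to hypervisor vendors (assumption: illustrative subset).
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware",
    "00:50:56": "VMware", "08:00:27": "VirtualBox", "52:54:00": "QEMU/KVM",
    "00:16:3E": "Xen", "00:15:5D": "Hyper-V",
}


def _first_marker(value):
    """Return the first VM marker contained in value (case-insensitive), else None."""
    low = str(value).lower()
    return next((m for m in VM_MARKERS if m in low), None)


def vm_artefacts(wmi):
    """Scan a WMI snapshot for values that give a virtual machine away.

    wmi: {"Win32_BIOS": {prop: value}, "Win32_BaseBoard": {prop: value},
          "Win32_NetworkAdapter": [{prop: value}, ...]}
    Returns a list of (class, property, value, reason) tuples, one per hit.
    """
    hits = []
    for cls in ("Win32_BIOS", "Win32_BaseBoard"):
        for prop, val in wmi.get(cls, {}).items():
            marker = _first_marker(val)
            if marker:
                hits.append((cls, prop, val, f"contains '{marker}'"))
    for nic in wmi.get("Win32_NetworkAdapter", []):
        mac = (nic.get("MACAddress") or "").upper()
        vendor = VM_MAC_OUIS.get(mac[:8])
        if vendor:
            hits.append(("Win32_NetworkAdapter", "MACAddress", mac,
                         f"OUI registered to {vendor}"))
        marker = _first_marker(nic.get("Name", ""))
        if marker:
            hits.append(("Win32_NetworkAdapter", "Name", nic["Name"],
                         f"contains '{marker}'"))
    return hits


def looks_like_vm(wmi):
    """The decision an AntiVM check takes: any artefact at all means 'sandbox'."""
    return bool(vm_artefacts(wmi))


# Constructed snapshot of a stock VirtualBox guest (typical default values).
STOCK_VBOX = {
    "Win32_BIOS": {"Manufacturer": "innotek GmbH",
                   "SMBIOSBIOSVersion": "VirtualBox", "SerialNumber": "0"},
    "Win32_BaseBoard": {"Manufacturer": "Oracle Corporation",
                        "Product": "VirtualBox", "SerialNumber": "0"},
    "Win32_NetworkAdapter": [{"Name": "Intel(R) PRO/1000 MT Desktop Adapter",
                              "MACAddress": "08:00:27:4E:66:A1"}],
}

# Same guest with DMI strings and MAC OUI rewritten to mimic commodity hardware
# (constructed; vendor names and serials are made up for the example).
HARDENED_GUEST = {
    "Win32_BIOS": {"Manufacturer": "Dell Inc.",
                   "SMBIOSBIOSVersion": "1.14.0", "SerialNumber": "7XK2P93"},
    "Win32_BaseBoard": {"Manufacturer": "Dell Inc.",
                        "Product": "0KWVT8", "SerialNumber": ".7XK2P93.CN1296"},
    "Win32_NetworkAdapter": [{"Name": "Intel(R) PRO/1000 MT Desktop Adapter",
                              "MACAddress": "F8:BC:12:3A:90:11"}],
}

if __name__ == "__main__":
    for name, snap in (("stock VirtualBox", STOCK_VBOX),
                       ("hardened guest", HARDENED_GUEST)):
        print(f"{name}: looks_like_vm={looks_like_vm(snap)}")
        for hit in vm_artefacts(snap):
            print("   ", hit)
```

The stock guest trips on four values (BIOS manufacturer and version, baseboard product, NIC OUI); the rewritten one trips on none. Because WMI only reflects what the firmware and virtual NIC report, the fix belongs at the hypervisor configuration (DMI/SMBIOS strings, MAC assignment), not in a WMI hook, and the same signature family also looks at Win32_Processor, process names and loaded modules, so these three classes are necessary but not sufficient to cover.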

Mitre Att&ck Matrix

The original is the full ATT&CK matrix with hit counts on the techniques the signatures mapped to; the remaining cells are unhit placeholders. Only the techniques that carry a count are listed here, grouped by tactic, with the counts as printed.

Initial Access: (no technique flagged)
Execution: Windows Management Instrumentation (2 1 1); Scheduled Task/Job (1)
Persistence: Scheduled Task/Job (1)
Privilege Escalation: Scheduled Task/Job (1); Process Injection (1 1 2)
Defense Evasion: Process Injection (1 1 2); Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (2); Masquerading (1); Virtualization/Sandbox Evasion (1 4)
Credential Access: OS Credential Dumping (2); Input Capture (1 1); Credentials in Registry (1)
Discovery: Account Discovery (1); File and Directory Discovery (1); System Information Discovery (1 1 4); Security Software Discovery (2 2 1); Virtualization/Sandbox Evasion (1 4); Process Discovery (2); Application Window Discovery (1); System Owner/User Discovery (1); Remote System Discovery (1)
Lateral Movement: (no technique flagged)
Collection: Archive Collected Data (1 1); Data from Local System (2); Email Collection (1); Input Capture (1 1); Clipboard Data (1)
Exfiltration: (no technique flagged)
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1)


Behavior Graph

ID: 256530  Sample: Inv.exe  Startdate: 04/08/2020  Architecture: WINDOWS  Score: 100
Signatures on the root node: Found malware configuration; Sigma detected: Scheduled temp file as task from temp location; Yara detected AgentTesla; 5 other signatures

Inv.exe [7] (started)
  dropped: C:\Users\user\AppData\...\&startupname&.exe, PE32
  dropped: C:\...\&startupname&.exe:Zone.Identifier, ASCII
  dropped: C:\Users\user\AppData\Local\...\tmpBE4B.tmp, XML
  dropped: C:\Users\user\AppData\Local\...\Inv.exe.log, ASCII
  signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign processes
  started: Inv.exe [2]
    DNS/IP: bottleless.com, 50.116.103.43, local port 49728 to remote port 587, UNIFIEDLAYER-AS-1US, United States
    signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 2 other signatures
  started: schtasks.exe [1]
    started: conhost.exe

Legend (from the original graph, not reproduced): node shapes distinguish process, signature, created file and DNS/IP info; flags mark "is dropped", "is Windows process", "is malicious" and "Internet"; the bracketed number on a process node is its count of created files / registry values; colour marks the implementation language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other).

Screenshots

Thumbnails: (screenshots not reproduced in this copy of the report)
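The process tree and the connection record above give three events worth a detection: schtasks importing a task definition from a temp directory (the Sigma hit), the sample re-launching its own image from C:\Users (the suspended-create and PE-injection signatures), and an SMTP submission on 587 from a process that is not a mail client. The following is an added example, not the Joe Sandbox Sigma rule and not anything from the report: plain Python over constructed Sysmon-style event dicts built from the report's process list and connection record, plus benign controls. The mail-client allowlist, the benign events and the Outlook destination 203.0.113.25 are assumptions.

```python
"""
Three detections the process tree and connection record in this report would
trigger, written as plain Python over Sysmon-style event dicts. Added example:
the events are constructed from the report's process list and connection
data plus benign controls; nothing here is the Joe Sandbox Sigma rule itself.
"""
import re

# Task definitions should not be imported from user or system temp directories.
TEMP_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\|%temp%", re.I)
# schtasks /XML argument in the three quoting styles seen on command lines.
XML_RE = re.compile(r"""/XML\s+(?:"([^"]+)"|'([^']+)'|(\S+))""", re.I)
USER_DIR_RE = re.compile(r"^[a-z]:\\users\\", re.I)
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumption: site allowlist
SMTP_PORTS = {25, 465, 587}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def scheduled_task_from_temp(ev):
    """Sysmon EID 1: schtasks /Create whose /XML definition lives in a temp dir."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) != "schtasks.exe":
        return None
    cmd = ev.get("CommandLine", "")
    m = XML_RE.search(cmd)
    if "/create" not in cmd.lower() or not m:
        return None
    xml_path = next(g for g in m.groups() if g)
    if not TEMP_RE.search(xml_path):
        return None
    return {"rule": "scheduled_task_from_temp", "pid": ev["ProcessId"],
            "xml": xml_path, "parent": ev.get("ParentImage")}


def self_respawn_from_user_dir(ev):
    """Sysmon EID 1: a binary under C:\\Users launching a second copy of its
    own image, the shape of the suspended-create / PE-injection pair above."""
    if ev.get("EventID") != 1:
        return None
    image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
    if image.lower() != parent.lower() or not USER_DIR_RE.match(image):
        return None
    return {"rule": "self_respawn_from_user_dir", "pid": ev["ProcessId"],
            "ppid": ev["ParentProcessId"], "image": image}


def smtp_from_non_mail_client(ev):
    """Sysmon EID 3: SMTP submission from a process that is not a mail client."""
    if ev.get("EventID") != 3 or int(ev.get("DestinationPort", 0)) not in SMTP_PORTS:
        return None
    if basename(ev.get("Image", "")) in MAIL_CLIENTS:
        return None
    return {"rule": "smtp_from_non_mail_client", "pid": ev["ProcessId"],
            "image": ev["Image"],
            "dst": f"{ev['DestinationIp']}:{ev['DestinationPort']}"}


RULES = (scheduled_task_from_temp, self_respawn_from_user_dir,
         smtp_from_non_mail_client)


def run(events):
    """Apply every rule to every event; alerts come back in event order."""
    return [alert for ev in events for rule in RULES if (alert := rule(ev))]


# Constructed events: the first three mirror the report, the rest are benign.
EVENTS = [
    {"EventID": 1, "ProcessId": 6976, "ParentProcessId": 6820,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\Inv.exe",
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN "
                    r"'Updates\&startupname&' /XML "
                    r"'C:\Users\user\AppData\Local\Temp\tmpBE4B.tmp'"},
    {"EventID": 1, "ProcessId": 7020, "ParentProcessId": 6820,
     "Image": r"C:\Users\user\Desktop\Inv.exe",
     "ParentImage": r"C:\Users\user\Desktop\Inv.exe",
     "CommandLine": r"C:\Users\user\Desktop\Inv.exe"},
    {"EventID": 3, "ProcessId": 7020, "Image": r"C:\Users\user\Desktop\Inv.exe",
     "SourcePort": 49728, "DestinationIp": "50.116.103.43", "DestinationPort": 587},
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'schtasks.exe /Create /TN "Vendor\Update" '
                    r'/XML "C:\ProgramData\Vendor\update.xml" /F'},
    {"EventID": 1, "ProcessId": 5200, "ParentProcessId": 5100,
     "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe --type=renderer"},
    {"EventID": 3, "ProcessId": 3300,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "SourcePort": 50100, "DestinationIp": "203.0.113.25", "DestinationPort": 587},
]

if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
```

Run against the constructed events it raises exactly three alerts, one per rule, and stays quiet on the installer's schtasks call (XML under ProgramData), the browser's self-spawned renderer (not under C:\Users) and the mail client's own submission. The weak points in production are the two allowlists: per-user installs of browsers and updaters also relaunch their own image from AppData, and any legitimate mailer not in MAIL_CLIENTS will fire the SMTP rule, so both lists need tuning against the estate before the rules are promoted.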


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
Inv.exe | 100% | Joe Sandbox ML | |

Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\&startupname&.exe | 100% | Joe Sandbox ML | |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
www.tiro.com | 0% | URL Reputation | safe |
www.goodfont.co.kr | 0% | URL Reputation | safe |
www.sajatypeworks.com | 0% | URL Reputation | safe |
www.typography.netD | 0% | URL Reputation | safe |
www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
fontfabrik.com | 0% | URL Reputation | safe |
www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
www.sandoll.co.kr | 0% | URL Reputation | safe |
www.urwpp.deDPlease | 0% | URL Reputation | safe |
www.zhongyicts.com.cn | 0% | URL Reputation | safe |
www.sakkal.com | 0% | URL Reputation | safe |
www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe |
www.carterandcone.coml | 0% | URL Reputation | safe |
www.founder.com.cn/cn | 0% | URL Reputation | safe |
www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
asf-ris-prod-neurope.northeurope.cloudapp.azure.com | 168.63.67.155 | true | false | | high
bottleless.com | 50.116.103.43 | true | true | | unknown

URLs from Memory and Binaries

Most entries in this table are type-foundry URLs (fontbureau, tiro, sajatypeworks, jiyu-kobo, founder and the like) of the kind carried in font licence metadata, often with trailing garbage where the string extractor overran; they are not contacted and carry no C2 meaning. The entries that matter for this sample are 2R77GrtX4rGdY1LV.com (the "URL" field of the configuration), bottleless.com (the SMTP host) and the Let's Encrypt CPS/OCSP strings in the 00000003 dumps, which are consistent with a certificate chain received on the port-587 session.

Name | Source | Malicious | Antivirus Detection | Reputation
www.fontbureau.com/designersG | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | | high
www.sajatypeworks.com0 | Inv.exe, 00000000.00000003.211334635.0000000005A7B000.00000004.00000001.sdmp | false | | unknown
www.fontbureau.com/designers/? | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | | high
www.founder.com.cn/cn/bThe | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
www.fontbureau.com/designers? | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | | high
www.sajatypeworks.comn-u | Inv.exe, 00000000.00000003.211334635.0000000005A7B000.00000004.00000001.sdmp | false | | unknown
www.jiyu-kobo.co.jp/jp/a= | Inv.exe, 00000000.00000003.214177129.0000000005A64000.00000004.00000001.sdmp | false | | unknown

www.sandoll.co.krndo | Inv.exe, 00000000.00000003.212536162.0000000005A66000.00000004.00000001.sdmp | false | | unknown
www.founder.com.cn/cnA | Inv.exe, 00000000.00000003.213164088.0000000005A64000.00000004.00000001.sdmp | false | | unknown
www.tiro.com | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
www.fontbureau.com/designers | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp, Inv.exe, 00000000.00000003.216337971.0000000005A69000.00000004.00000001.sdmp, Inv.exe, 00000000.00000003.216809722.0000000005A6D000.00000004.00000001.sdmp | false | | high
www.goodfont.co.kr | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
www.jiyu-kobo.co.jp/Verd | Inv.exe, 00000000.00000003.214177129.0000000005A64000.00000004.00000001.sdmp | false | | unknown
www.jiyu-kobo.co.jp/-cz | Inv.exe, 00000000.00000003.214177129.0000000005A64000.00000004.00000001.sdmp | false | | unknown
www.fontbureau.comiona | Inv.exe, 00000000.00000002.231822336.0000000005A60000.00000004.00000001.sdmp | false | | unknown
www.sajatypeworks.com | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
www.typography.netD | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
www.founder.com.cn/cn/cThe | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
www.galapagosdesign.com/staff/dennis.htm | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
fontfabrik.com | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
2R77GrtX4rGdY1LV.com | Inv.exe, 00000003.00000002.480748598.0000000002E38000.00000004.00000001.sdmp | true | | unknown
www.fonts.comic | Inv.exe, 00000000.00000003.211491106.0000000005A7B000.00000004.00000001.sdmp | false | | unknown
cert.int-x3.letsencrypt.org/0 | Inv.exe, 00000003.00000002.481972288.0000000002F62000.00000004.00000001.sdmp | false | | high
www.galapagosdesign.com/DPlease | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
www.jiyu-kobo.co.jp/Y0 | Inv.exe, 00000000.00000003.214177129.0000000005A64000.00000004.00000001.sdmp | false | | unknown
www.fonts.com | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | | high
www.sandoll.co.kr | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
www.urwpp.deDPlease | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
www.zhongyicts.com.cn | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Inv.exe, 00000000.00000002.228988270.0000000002AA1000.00000004.00000001.sdmp | false | | high
www.sakkal.com | Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

cps.root-x1.letsencrypt.org0 Inv.exe, 00000003.00000002.481972288.0000000002F62000.00000004.00000001.sdmp

false unknown

www.apache.org/licenses/LICENSE-2.0 Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp

false high

www.fontbureau.com Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp

false high

www.jiyu-kobo.co.jp/U Inv.exe, 00000000.00000003.214177129.0000000005A64000.00000004.00000001.sdmp

false unknown

www.fonts.comc Inv.exe, 00000000.00000003.211388065.0000000005A7B000.00000004.00000001.sdmp

false unknown

www.fonts.comto Inv.exe, 00000000.00000003.211431826.0000000005A7B000.00000004.00000001.sdmp

false unknown

2R77GrtX4rGdY1LV.com$ Inv.exe, 00000003.00000002.480748598.0000000002E38000.00000004.00000001.sdmp

false low

cps.letsencrypt.org0 Inv.exe, 00000003.00000002.481972288.0000000002F62000.00000004.00000001.sdmp

false unknown

www.sandoll.co.krt Inv.exe, 00000000.00000003.212536162.0000000005A66000.00000004.00000001.sdmp

false unknown

ocsp.int-x3.letsencrypt.org0/ Inv.exe, 00000003.00000002.481972288.0000000002F62000.00000004.00000001.sdmp

false unknown

www.tiro.comn Inv.exe, 00000000.00000003.211774793.0000000005A7B000.00000004.00000001.sdmp

false unknown

www.jiyu-kobo.co.jp/uchef Inv.exe, 00000000.00000003.214177129.0000000005A64000.00000004.00000001.sdmp

false unknown

www.founder.com.cn/cn~ Inv.exe, 00000000.00000003.213164088.0000000005A64000.00000004.00000001.sdmp

false unknown

www.tiro.comlic Inv.exe, 00000000.00000003.211744394.0000000005A7B000.00000004.00000001.sdmp

false unknown

2R77GrtX4rGdY1LV.com1-5-21-3853321935-2125563209-4053062332-1002_Classes

Inv.exe, 00000003.00000003.310050379.0000000000B84000.00000004.00000001.sdmp

false low

www.jiyu-kobo.co.jp/jp/ Inv.exe, 00000000.00000003.214177129.0000000005A64000.00000004.00000001.sdmp

false URL Reputation: safeURL Reputation: safe

unknown

en.w Inv.exe, 00000000.00000003.210914982.000000000130D000.00000004.00000001.sdmp

false unknown

www.fontbureau.comgritop Inv.exe, 00000000.00000002.231822336.0000000005A60000.00000004.00000001.sdmp

false unknown

www.carterandcone.coml Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp

false URL Reputation: safeURL Reputation: safe

unknown

bottleless.com Inv.exe, 00000003.00000002.481913612.0000000002F56000.00000004.00000001.sdmp

false unknown

www.founder.com.cn/cn/ Inv.exe, 00000000.00000003.213164088.0000000005A64000.00000004.00000001.sdmp

false unknown

www.fontbureau.com/designers/cabarga.htmlN Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp

false high

www.jiyu-kobo.co.jp/z Inv.exe, 00000000.00000003.214177129.0000000005A64000.00000004.00000001.sdmp

false unknown

www.founder.com.cn/cn Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp

false URL Reputation: safeURL Reputation: safe

unknown

www.fontbureau.com/designers/frere-user.html Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp

false high

www.jiyu-kobo.co.jp/p Inv.exe, 00000000.00000003.214177129.0000000005A64000.00000004.00000001.sdmp

false unknown

Name Source Malicious Antivirus Detection Reputation

Copyright null 2020 Page 11 of 27

General Information

Joe Sandbox Version: 29.0.0 Ocean Jasper

www.fontbureau.comm Inv.exe, 00000000.00000002.231822336.0000000005A60000.00000004.00000001.sdmp

false unknown

www.jiyu-kobo.co.jp/ Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp

false URL Reputation: safeURL Reputation: safe

unknown

www.founder.com.cn/cn1_ Inv.exe, 00000000.00000003.212967208.0000000005A9D000.00000004.00000001.sdmp

false unknown

www.jiyu-kobo.co.jp/i Inv.exe, 00000000.00000003.214177129.0000000005A64000.00000004.00000001.sdmp

false unknown

www.fontbureau.com/designers8 Inv.exe, 00000000.00000002.231878509.0000000005B50000.00000002.00000001.sdmp, Inv.exe, 00000000.00000003.216809722.0000000005A6D000.00000004.00000001.sdmp

false high

www.founder.com.cn/cn%_ Inv.exe, 00000000.00000003.212967208.0000000005A9D000.00000004.00000001.sdmp

false unknown

www.fontbureau.com/designers: Inv.exe, 00000000.00000003.216337971.0000000005A69000.00000004.00000001.sdmp

false high

www.founder.com.cn/cnk-s Inv.exe, 00000000.00000003.212967208.0000000005A9D000.00000004.00000001.sdmp

false unknown

Name Source Malicious Antivirus Detection Reputation

No. of IPs < 25%

25% < No. of IPs < 50%

50% < No. of IPs < 75%

75% < No. of IPs

IP Country Flag ASN ASN Name Malicious

50.116.103.43 United States 46606 UNIFIEDLAYER-AS-1US true

Contacted IPs

Public

Copyright null 2020 Page 12 of 27

Analysis ID: 256530

Start date: 04.08.2020

Start time: 08:10:12

Joe Sandbox Product: CloudBasic

Overall analysis duration: 0h 8m 28s

Hypervisor based Inspection enabled: false

Report type: light

Sample file name: Inv.exe

Cookbook file name: default.jbs

Analysis system description: w10x64 Windows 10 64 bit v1803 with Office Professional Plus 2016, IE 11, Adobe Reader DC 19, Java 8 Update 211

Number of new started processes analysed: 23

Number of new started drivers analysed: 0

Number of existing processes analysed: 0

Number of existing drivers analysed: 0

Number of injected processes analysed: 0

Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled

Analysis Mode: default

Analysis stop reason: Timeout

Detection: MAL

Classification: mal100.troj.spyw.evad.winEXE@6/4@1/1

EGA Information: Failed

HDC Information: Successful, ratio: 1.4% (good quality ratio 1.1%); Quality average: 58.4%; Quality standard deviation: 37.4%

HCA Information: Successful, ratio: 98%; Number of executed functions: 0; Number of non-executed functions: 0

Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe

Warnings:

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe

Excluded IPs from analysis (whitelisted): 51.132.208.181, 23.10.249.43, 23.10.249.26, 23.54.113.104, 23.0.174.184, 23.0.174.185, 51.104.139.180, 52.155.217.156

Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net

Report size getting too big, too many NtAllocateVirtualMemory calls found.

Report size getting too big, too many NtOpenKeyEx calls found.

Report size getting too big, too many NtProtectVirtualMemory calls found.

Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Time Type Description

08:11:03 API Interceptor 720x Sleep call for process: Inv.exe modified

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Inv.exe.log

Process: C:\Users\user\Desktop\Inv.exe

File Type: ASCII text, with CRLF line terminators

Size (bytes): 1314

Entropy (8bit): 5.350128552078965

Encrypted: false

MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B

SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9

SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF

SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7

Malicious: true

Reputation: low

Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmpBE4B.tmp

Process: C:\Users\user\Desktop\Inv.exe

File Type: XML 1.0 document, ASCII text, with CRLF line terminators

Size (bytes): 1646

Entropy (8bit): 5.173904955402888

Encrypted: false

MD5: 90D043FA85862B4CDFF66AA784AA584F

SHA1: 245FBD7FE81BBB8C85EB04167C73AB037E151CD7

SHA-256: 7F257D3E237135AF660C7041D66A0785228110559D066B10527ECC71F7AC2F44

SHA-512: 7B78AE82E047C7FD39C27A2C3C592536F7EA6DB391DC7142333E118EDD528DBD76A682904A0299E1AB9940EC6EAD35FE8208E1BC97E296DCE57A7BCB9D4F0022

Malicious: true

Reputation: low

Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\&startupname&.exe

Process: C:\Users\user\Desktop\Inv.exe

File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Size (bytes): 679424

Entropy (8bit): 7.469364253170773

Encrypted: false

MD5: DBBA4A1CFB0C5E47B375461AA25F09FC

SHA1: 601C3731D847B3B3FDBCF188CCD99AA29E01ABF6

SHA-256: 2349240BBB67CB6B51D03EEE0E68060F8C1BF067C4845CF48E00CD0A9EEADEED

SHA-512: B6315F52662BC6AF31AB9C2F29BF0EE5EC2527C3A88EF093DB2001071D2D79EF570F1A5DB08C54A1D51DF7BCDD80DCFE7A070AB3C9683784FF6139D8B7F2ACBC

Malicious: true

Antivirus: Joe Sandbox ML, Detection: 100%

Reputation: low

Behavior and APIs

Created / dropped Files

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

Entropy (8bit): 7.469364253170773

TrID:

Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Win32 Executable (generic) a (10002005/4) 49.78%

Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%

Generic Win/DOS Executable (2004/3) 0.01%

DOS Executable Generic (2002/1) 0.01%

File name: Inv.exe

File size: 679424

MD5: dbba4a1cfb0c5e47b375461aa25f09fc

SHA1: 601c3731d847b3b3fdbcf188ccd99aa29e01abf6

SHA256: 2349240bbb67cb6b51d03eee0e68060f8c1bf067c4845cf48e00cd0a9eeadeed

SHA512: b6315f52662bc6af31ab9c2f29bf0ee5ec2527c3a88ef093db2001071d2d79ef570f1a5db08c54a1d51df7bcdd80dcfe7a070ab3c9683784ff6139d8b7f2acbc

SSDEEP: 12288:ntNJ8Mrg2iNfbgic+dXHuuin4rmd/EeujQTjGV3/ORXUVh9Ha:ntN3g1Z9c+ZHu14a9EvAq3WRXYX

File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....'_.................@..........._... ...`....@.. ....................................@................................

File Icon

Icon Hash: 0060c07479010100

Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....'_.................@..........._... ...`....@.. ....................................@..................................^..K....`............................................................................... ............... ..H............text....?... ...@.................. ..`.rsrc........`.......B..............@[email protected]...............\[email protected].................^......H.......l....+..........H...t~...........................................0..&.......+.&...(....(.............(.....o.....*...................0..........+.&.+.&. ....8,......(.... ....8.......(....8<... ............E........"[email protected]... ....8.......(....8....& ....8.......(.....(....9....& ....8.......(.... ....8.....*.^+.&...(....(....(.....*.+.&..*..+.&..*.J+.&.........(....*.J+.&.........(....*.J+.&.........(....*.J+.&.........(....*.J+.&.........(....*..+.&

C:\Users\user\AppData\Roaming\&startupname&.exe

C:\Users\user\AppData\Roaming\&startupname&.exe:Zone.Identifier

Process: C:\Users\user\Desktop\Inv.exe

File Type: ASCII text, with CRLF line terminators

Size (bytes): 26

Entropy (8bit): 3.95006375643621

Encrypted: false

MD5: 187F488E27DB4AF347237FE461A079AD

SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64

SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E

Malicious: true

Reputation: low

Preview:[ZoneTransfer]....ZoneId=0

General

Entrypoint: 0x495f0e

Entrypoint Section: .text

Digitally signed: false

Imagebase: 0x400000

Subsystem: windows gui

Static PE Info

Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Time Stamp: 0x5F27F4A1 [Mon Aug 3 11:27:29 2020 UTC]

TLS Callbacks:

CLR (.Net) Version: v4.0.30319

OS Version Major: 4

OS Version Minor: 0

File Version Major: 4

File Version Minor: 0

Subsystem Version Major: 4

Subsystem Version Minor: 0

Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

General

Instruction

jmp dword ptr [00402000h]

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

Entrypoint Preview

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

add byte ptr [eax], al

Instruction

Name Virtual Address Virtual Size Is in Section

IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_IMPORT 0x95ec0 0x4b .text

IMAGE_DIRECTORY_ENTRY_RESOURCE 0x96000 0x11804 .rsrc

IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0

IMAGE_DIRECTORY_ENTRY_SECURITY 0x0 0x0

IMAGE_DIRECTORY_ENTRY_BASERELOC 0xa8000 0xc .reloc

IMAGE_DIRECTORY_ENTRY_DEBUG 0x0 0x0

IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0

IMAGE_DIRECTORY_ENTRY_TLS 0x0 0x0

Data Directories

IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0

IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_IAT 0x2000 0x8 .text

IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x2008 0x48 .text

IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0

Name Virtual Address Virtual Size Is in Section

Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics

.text 0x2000 0x93f14 0x94000 False 0.829870275549 SysEx File - 7.65466418298 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

.rsrc 0x96000 0x11804 0x11a00 False 0.373379321809 data 4.88368012601 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

.reloc 0xa8000 0xc 0x200 False 0.044921875 data 0.101910425663 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name RVA Size Type Language Country

RT_ICON 0x96370 0x2e8 data

RT_ICON 0x96658 0x128 GLS_BINARY_LSB_FIRST

RT_ICON 0x96780 0xea8 data

RT_ICON 0x97628 0x8a8 data

RT_ICON 0x97ed0 0x568 GLS_BINARY_LSB_FIRST

RT_ICON 0x98438 0x464d PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced

RT_ICON 0x9ca88 0x4228 dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295

RT_ICON 0xa0cb0 0x25a8 data

RT_ICON 0xa3258 0x1a68 data

RT_ICON 0xa4cc0 0x10a8 data

RT_ICON 0xa5d68 0x988 data

RT_ICON 0xa66f0 0x6b8 data

RT_ICON 0xa6da8 0x468 GLS_BINARY_LSB_FIRST

RT_GROUP_ICON 0xa7210 0xbc data

RT_VERSION 0xa72cc 0x34c data

RT_MANIFEST 0xa7618 0x1ea XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

DLL Import

mscoree.dll _CorExeMain

Description Data

Translation 0x0000 0x04b0

LegalCopyright Copyright Custume Me 2019

Assembly Version 1.0.0.0

InternalName yhAFvNveTd.exe

FileVersion 1.0.0.0

CompanyName Custume Me

LegalTrademarks

Comments

ProductName Parampaa

ProductVersion 1.0.0.0

FileDescription Parampaa

OriginalFilename yhAFvNveTd.exe

Network Behavior

Sections

Resources

Imports

Version Infos

Network Port Distribution

Total Packets: 35

• 53 (DNS)

• 587 undefined

Timestamp Source Port Dest Port Source IP Dest IP

Aug 4, 2020 08:11:48.526885986 CEST 49728 587 192.168.2.4 50.116.103.43

Aug 4, 2020 08:11:48.661958933 CEST 587 49728 50.116.103.43 192.168.2.4

Aug 4, 2020 08:11:48.662116051 CEST 49728 587 192.168.2.4 50.116.103.43

Aug 4, 2020 08:11:52.775135040 CEST 587 49728 50.116.103.43 192.168.2.4

Aug 4, 2020 08:11:52.778963089 CEST 49728 587 192.168.2.4 50.116.103.43

Aug 4, 2020 08:11:52.915221930 CEST 587 49728 50.116.103.43 192.168.2.4

Aug 4, 2020 08:11:52.915546894 CEST 49728 587 192.168.2.4 50.116.103.43

Aug 4, 2020 08:11:53.057800055 CEST 587 49728 50.116.103.43 192.168.2.4

Aug 4, 2020 08:11:53.110872030 CEST 49728 587 192.168.2.4 50.116.103.43

Aug 4, 2020 08:11:53.234931946 CEST 49728 587 192.168.2.4 50.116.103.43

Aug 4, 2020 08:11:53.386358023 CEST 587 49728 50.116.103.43 192.168.2.4

Aug 4, 2020 08:11:53.386450052 CEST 587 49728 50.116.103.43 192.168.2.4

Aug 4, 2020 08:11:53.386532068 CEST 49728 587 192.168.2.4 50.116.103.43

Aug 4, 2020 08:11:53.386558056 CEST 587 49728 50.116.103.43 192.168.2.4

Aug 4, 2020 08:11:53.390436888 CEST 49728 587 192.168.2.4 50.116.103.43

Aug 4, 2020 08:11:53.526855946 CEST 587 49728 50.116.103.43 192.168.2.4

Aug 4, 2020 08:11:53.579674959 CEST 49728 587 192.168.2.4 50.116.103.43

Aug 4, 2020 08:11:53.851332903 CEST 49728 587 192.168.2.4 50.116.103.43

Aug 4, 2020 08:11:53.986567974 CEST 587 49728 50.116.103.43 192.168.2.4

Aug 4, 2020 08:11:53.988300085 CEST 49728 587 192.168.2.4 50.116.103.43

Aug 4, 2020 08:11:54.124540091 CEST 587 49728 50.116.103.43 192.168.2.4

Aug 4, 2020 08:11:54.125386000 CEST 49728 587 192.168.2.4 50.116.103.43

Aug 4, 2020 08:11:54.300699949 CEST 587 49728 50.116.103.43 192.168.2.4

Aug 4, 2020 08:11:54.308904886 CEST 587 49728 50.116.103.43 192.168.2.4

Aug 4, 2020 08:11:54.310067892 CEST 49728 587 192.168.2.4 50.116.103.43

Aug 4, 2020 08:11:54.445458889 CEST 587 49728 50.116.103.43 192.168.2.4

Aug 4, 2020 08:11:54.445997000 CEST 49728 587 192.168.2.4 50.116.103.43

Aug 4, 2020 08:11:54.621643066 CEST 587 49728 50.116.103.43 192.168.2.4

Aug 4, 2020 08:11:54.776187897 CEST 587 49728 50.116.103.43 192.168.2.4

Aug 4, 2020 08:11:54.776814938 CEST 49728 587 192.168.2.4 50.116.103.43

Aug 4, 2020 08:11:54.912034988 CEST 587 49728 50.116.103.43 192.168.2.4

Aug 4, 2020 08:11:54.914423943 CEST 49728 587 192.168.2.4 50.116.103.43

Aug 4, 2020 08:11:54.914606094 CEST 49728 587 192.168.2.4 50.116.103.43

Aug 4, 2020 08:11:54.915432930 CEST 49728 587 192.168.2.4 50.116.103.43

Aug 4, 2020 08:11:54.915515900 CEST 49728 587 192.168.2.4 50.116.103.43

Aug 4, 2020 08:11:55.049621105 CEST 587 49728 50.116.103.43 192.168.2.4

Aug 4, 2020 08:11:55.049674988 CEST 587 49728 50.116.103.43 192.168.2.4

Aug 4, 2020 08:11:55.050230980 CEST 587 49728 50.116.103.43 192.168.2.4

Aug 4, 2020 08:11:55.050262928 CEST 587 49728 50.116.103.43 192.168.2.4

Aug 4, 2020 08:11:55.068192959 CEST 587 49728 50.116.103.43 192.168.2.4

Aug 4, 2020 08:11:55.126701117 CEST 49728 587 192.168.2.4 50.116.103.43

TCP Packets

Timestamp Source Port Dest Port Source IP Dest IP

Aug 4, 2020 08:11:16.343913078 CEST 60674 53 192.168.2.4 8.8.8.8

Aug 4, 2020 08:11:16.357618093 CEST 53 60674 8.8.8.8 192.168.2.4

Aug 4, 2020 08:11:21.879592896 CEST 54414 53 192.168.2.4 8.8.8.8

Aug 4, 2020 08:11:21.911478996 CEST 53 54414 8.8.8.8 192.168.2.4

Aug 4, 2020 08:11:24.160145044 CEST 62217 53 192.168.2.4 8.8.8.8

Aug 4, 2020 08:11:24.191515923 CEST 53 62217 8.8.8.8 192.168.2.4

Aug 4, 2020 08:11:42.118902922 CEST 62645 53 192.168.2.4 8.8.8.8

Aug 4, 2020 08:11:42.150262117 CEST 53 62645 8.8.8.8 192.168.2.4

Aug 4, 2020 08:11:43.195971966 CEST 61821 53 192.168.2.4 8.8.8.8

Aug 4, 2020 08:11:43.209985971 CEST 53 61821 8.8.8.8 192.168.2.4

Aug 4, 2020 08:11:48.223282099 CEST 58618 53 192.168.2.4 8.8.8.8

Aug 4, 2020 08:11:48.429869890 CEST 53 58618 8.8.8.8 192.168.2.4

Aug 4, 2020 08:11:53.100792885 CEST 60967 53 192.168.2.4 8.8.8.8

Aug 4, 2020 08:11:53.114653111 CEST 53 60967 8.8.8.8 192.168.2.4

Aug 4, 2020 08:12:13.084856033 CEST 50987 53 192.168.2.4 8.8.8.8

Aug 4, 2020 08:12:13.101197958 CEST 53 50987 8.8.8.8 192.168.2.4

Aug 4, 2020 08:12:13.498830080 CEST 52517 53 192.168.2.4 8.8.8.8

Aug 4, 2020 08:12:13.513168097 CEST 53 52517 8.8.8.8 192.168.2.4

Aug 4, 2020 08:12:13.941891909 CEST 54004 53 192.168.2.4 8.8.8.8

Aug 4, 2020 08:12:13.956748009 CEST 53 54004 8.8.8.8 192.168.2.4

Aug 4, 2020 08:12:14.328084946 CEST 53431 53 192.168.2.4 8.8.8.8

Aug 4, 2020 08:12:14.342156887 CEST 53 53431 8.8.8.8 192.168.2.4

Aug 4, 2020 08:12:14.386648893 CEST 59215 53 192.168.2.4 8.8.8.8

Aug 4, 2020 08:12:14.415805101 CEST 53 59215 8.8.8.8 192.168.2.4

Aug 4, 2020 08:12:14.920761108 CEST 58452 53 192.168.2.4 8.8.8.8

Aug 4, 2020 08:12:14.934847116 CEST 53 58452 8.8.8.8 192.168.2.4

Aug 4, 2020 08:12:15.332097054 CEST 55996 53 192.168.2.4 8.8.8.8

Aug 4, 2020 08:12:15.345973015 CEST 53 55996 8.8.8.8 192.168.2.4

Aug 4, 2020 08:12:27.420011044 CEST 50544 53 192.168.2.4 8.8.8.8

Aug 4, 2020 08:12:27.434170008 CEST 53 50544 8.8.8.8 192.168.2.4

Timestamp Source IP Dest IP Trans ID OP Code Name Type Class

Aug 4, 2020 08:11:48.223282099 CEST 192.168.2.4 8.8.8.8 0x1a85 Standard query (0)

bottleless.com A (IP address) IN (0x0001)

Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class

Aug 4, 2020 08:11:48.429869890 CEST

8.8.8.8 192.168.2.4 0x1a85 No error (0) bottleless.com 50.116.103.43 A (IP address) IN (0x0001)

Aug 4, 2020 08:12:14.415805101 CEST

8.8.8.8 192.168.2.4 0x11fa No error (0) asf-ris-prod-neurope.northeurope.cloudapp.azure.com

168.63.67.155 A (IP address) IN (0x0001)

Aug 4, 2020 08:12:27.434170008 CEST

8.8.8.8 192.168.2.4 0x44a No error (0) asf-ris-prod-neurope.northeurope.cloudapp.azure.com

168.63.67.155 A (IP address) IN (0x0001)

Timestamp Source Port Dest Port Source IP Dest IP Commands

Aug 4, 2020 08:11:52.775135040 CEST 587 49728 50.116.103.43 192.168.2.4 220-server.allxo.com ESMTP Exim 4.93 #2 Tue, 04 Aug 2020 00:11:51 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.

Aug 4, 2020 08:11:52.778963089 CEST 49728 587 192.168.2.4 50.116.103.43 EHLO 980108

UDP Packets

DNS Queries

DNS Answers

SMTP Packets

Code Manipulations

Statistics

Behavior

• Inv.exe

• schtasks.exe

• conhost.exe

• Inv.exe

System Behavior

Aug 4, 2020 08:11:52.915221930 CEST 587 49728 50.116.103.43 192.168.2.4 250-server.allxo.com Hello 980108 [91.132.136.174] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP

Aug 4, 2020 08:11:52.915546894 CEST 49728 587 192.168.2.4 50.116.103.43 STARTTLS

Aug 4, 2020 08:11:53.057800055 CEST 587 49728 50.116.103.43 192.168.2.4 220 TLS go ahead

Timestamp Source Port Dest Port Source IP Dest IP Commands

Start time: 08:10:57

Start date: 04/08/2020

Path: C:\Users\user\Desktop\Inv.exe

Wow64 process (32bit): true

Commandline: 'C:\Users\user\Desktop\Inv.exe'

Imagebase: 0x670000

File size: 679424 bytes

MD5 hash: DBBA4A1CFB0C5E47B375461AA25F09FC

Has administrator privileges: false

Programmed in: .Net C# or VB.NET

Analysis Process: Inv.exe PID: 6820 Parent PID: 5584

General

File Activities

Yara matches:

Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.229272296.0000000003AA9000.00000004.00000001.sdmp, Author: Joe Security

Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.229071925.0000000002B20000.00000004.00000001.sdmp, Author: Joe Security

Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.228988270.0000000002AA1000.00000004.00000001.sdmp, Author: Joe Security

Reputation: low

File Path Access Attributes Options Completion Count Source Address Symbol

C:\Users\user read data or list directory | synchronize

device directory file | synchronous io non alert | open for backup ident | open reparse point

object name collision 1 6D62CF06 unknown

C:\Users\user\AppData\Roaming read data or list directory | synchronize

device directory file | synchronous io non alert | open for backup ident | open reparse point

object name collision 1 6D62CF06 unknown

C:\Users\user\AppData\Roaming\&startupname&.exe read data or list directory | read attributes | delete | write dac | synchronize | generic read | generic write

device sequential only | non directory file

success or wait 1 6C47DD66 CopyFileW

C:\Users\user\AppData\Roaming\&startupname&.exe\:Zone.Identifier:$DATA

read data or list directory | synchronize | generic write

device sequential only | synchronous io non alert

success or wait 1 6C47DD66 CopyFileW

C:\Users\user\AppData\Local\Temp\tmpBE4B.tmp read attributes | synchronize | generic read

device synchronous io non alert | non directory file

success or wait 1 6C477038 GetTempFileNameW

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Inv.exe.log

read attributes | synchronize | generic write

device synchronous io non alert | non directory file

success or wait 1 6D93C78D CreateFileW

File Path Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Temp\tmpBE4B.tmp success or wait 1 6C476A95 DeleteFileW

File Path Offset Length Value Ascii Completion Count Source Address Symbol

File Created

File Deleted

File Written

C:\Users\user\AppData\Roaming\&startupname&.exe 0 262144 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 a1 f4 27 5f 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 40 09 00 00 1c 01 00 00 00 00 00 0e 5f 09 00 00 20 00 00 00 60 09 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....'_.................@..........._... ...`....@.. ....................................@................................

success or wait 3 6C47DD66 CopyFileW

C:\Users\user\AppData\Roaming\&startupname&.exe:Zone.Identifier

0 26 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30

[ZoneTransfer]....ZoneId=0 success or wait 1 6C47DD66 CopyFileW

C:\Users\user\AppData\Local\Temp\tmpBE4B.tmp unknown 1646 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 31 36 22 3f 3e 0d 0a 3c 54 61 73 6b 20 76 65 72 73 69 6f 6e 3d 22 31 2e 32 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 77 69 6e 64 6f 77 73 2f 32 30 30 34 2f 30 32 2f 6d 69 74 2f 74 61 73 6b 22 3e 0d 0a 20 20 3c 52 65 67 69 73 74 72 61 74 69 6f 6e 49 6e 66 6f 3e 0d 0a 20 20 20 20 3c 44 61 74 65 3e 32 30 31 34 2d 31 30 2d 32 35 54 31 34 3a 32 37 3a 34 34 2e 38 39 32 39 30 32 37 3c 2f 44 61 74 65 3e 0d 0a 20 20 20 20 3c 41 75 74 68 6f 72 3e 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 5c 6a 6f 6e 65 73 3c 2f 41 75 74 68 6f 72 3e 0d 0a 20 20 3c 2f 52 65 67 69 73 74 72 61 74 69 6f 6e 49 6e

<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationIn

success or wait 1 6C471B4F WriteFile

File Path Offset Length Value Ascii Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Inv.exe.log

unknown 1314 31 2c 22 66 75 73 69 6f 6e 22 2c 22 47 41 43 22 2c 30 0d 0a 31 2c 22 57 69 6e 52 54 22 2c 22 4e 6f 74 41 70 70 22 2c 31 0d 0a 32 2c 22 4d 69 63 72 6f 73 6f 66 74 2e 56 69 73 75 61 6c 42 61 73 69 63 2c 20 56 65 72 73 69 6f 6e 3d 31 30 2e 30 2e 30 2e 30 2c 20 43 75 6c 74 75 72 65 3d 6e 65 75 74 72 61 6c 2c 20 50 75 62 6c 69 63 4b 65 79 54 6f 6b 65 6e 3d 62 30 33 66 35 66 37 66 31 31 64 35 30 61 33 61 22 2c 30 0d 0a 32 2c 22 53 79 73 74 65 6d 2e 57 69 6e 64 6f 77 73 2e 46 6f 72 6d 73 2c 20 56 65 72 73 69 6f 6e 3d 34 2e 30 2e 30 2e 30 2c 20 43 75 6c 74 75 72 65 3d 6e 65 75 74 72 61 6c 2c 20 50 75 62 6c 69 63 4b 65 79 54 6f 6b 65 6e 3d 62 37 37 61 35 63 35 36 31 39 33 34 65 30 38 39 22 2c 30 0d 0a 33 2c 22 53 79 73 74 65 6d 2c 20 56 65 72 73 69 6f 6e 3d 34 2e

1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.

success or wait 1 6D93C907 WriteFile

File Path Offset Length Value Ascii Completion Count Source Address Symbol

File Path Offset Length Completion Count Source Address Symbol

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4097 success or wait 1 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4098 success or wait 1 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 7976 success or wait 1 6D605705 unknown

C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux

unknown 176 success or wait 1 6D5603DE ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D60CA54 ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 6D60CA54 ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4097 success or wait 1 6D60CA54 ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4098 success or wait 1 6D60CA54 ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 7976 success or wait 1 6D60CA54 ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux

unknown 620 success or wait 1 6D5603DE ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux

unknown 864 success or wait 1 6D5603DE ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux

unknown 900 success or wait 1 6D5603DE ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll.aux

unknown 748 success or wait 1 6D5603DE ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4097 success or wait 1 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4098 success or wait 2 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 7976 success or wait 1 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4121 success or wait 1 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4253 success or wait 1 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 8171 end of file 1 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C471B4F ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C471B4F ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 2 6C471B4F ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C471B4F ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C471B4F ReadFile

File Read

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C471B4F ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 2 6C471B4F ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 end of file 1 6C471B4F ReadFile

File Path Offset Length Completion Count Source Address Symbol

File Activities

Start time: 08:11:05

Start date: 04/08/2020

Path: C:\Windows\SysWOW64\schtasks.exe

Wow64 process (32bit): true

Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\&startupname&' /XML 'C:\Users\user\AppData\Local\Temp\tmpBE4B.tmp'

Imagebase: 0x3b0000

File size: 185856 bytes

MD5 hash: 15FF7D8324231381BAD48A052F85DF04

Has administrator privileges: false

Programmed in: C, C++ or other language

Reputation: low

File Path Access Attributes Options Completion Count Source Address Symbol

File Path Offset Length Completion Count Source Address Symbol

C:\Users\user\AppData\Local\Temp\tmpBE4B.tmp unknown 2 success or wait 1 3BAB22 ReadFile

C:\Users\user\AppData\Local\Temp\tmpBE4B.tmp unknown 1647 success or wait 1 3BABD9 ReadFile

Start time: 08:11:05

Start date: 04/08/2020

Path: C:\Windows\System32\conhost.exe

Wow64 process (32bit): false

Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Imagebase: 0x7ff73df90000

File size: 625664 bytes

MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496

Has administrator privileges: false

Programmed in: C, C++ or other language

Reputation: low

Start time: 08:11:06

Start date: 04/08/2020

Path: C:\Users\user\Desktop\Inv.exe

Wow64 process (32bit): true

Analysis Process: schtasks.exe PID: 6976 Parent PID: 6820

General

File Read

Analysis Process: conhost.exe PID: 6984 Parent PID: 6976

General

Analysis Process: Inv.exe PID: 7020 Parent PID: 6820

General

File Activities

Commandline: C:\Users\user\Desktop\Inv.exe

Imagebase: 0x9d0000

File size: 679424 bytes

MD5 hash: DBBA4A1CFB0C5E47B375461AA25F09FC

Has administrator privileges: false

Programmed in: .Net C# or VB.NET

Yara matches:

Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.480748598.0000000002E38000.00000004.00000001.sdmp, Author: Joe Security

Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.480748598.0000000002E38000.00000004.00000001.sdmp, Author: Joe Security

Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.477584981.0000000000402000.00000040.00000001.sdmp, Author: Joe Security

Reputation: low

File Path Access Attributes Options Completion Count Source Address Symbol

C:\Users\user read data or list directory | synchronize

device directory file | synchronous io non alert | open for backup ident | open reparse point

object name collision 1 6D62CF06 unknown

C:\Users\user\AppData\Roaming read data or list directory | synchronize

device directory file | synchronous io non alert | open for backup ident | open reparse point

object name collision 1 6D62CF06 unknown

File Path Offset Length Completion Count Source Address Symbol

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4097 success or wait 1 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4098 success or wait 1 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 7976 success or wait 1 6D605705 unknown

C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux unknown 176 success or wait 1 6D5603DE ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D60CA54 ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 6D60CA54 ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4097 success or wait 1 6D60CA54 ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4098 success or wait 1 6D60CA54 ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 7976 success or wait 1 6D60CA54 ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux unknown 620 success or wait 1 6D5603DE ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4095 success or wait 1 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 6135 success or wait 1 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4097 success or wait 1 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4098 success or wait 2 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 7976 success or wait 1 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4121 success or wait 1 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4253 success or wait 1 6D605705 unknown

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 8171 end of file 1 6D605705 unknown

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux unknown 900 success or wait 1 6D5603DE ReadFile

C:\Program Files (x86)\jDownloader\config\database.script unknown 4096 success or wait 1 6C471B4F ReadFile

C:\Program Files (x86)\jDownloader\config\database.script unknown 4096 end of file 1 6C471B4F ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll.aux unknown 748 success or wait 1 6D5603DE ReadFile

C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux unknown 864 success or wait 1 6D5603DE ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C471B4F ReadFile

File Created

File Read

Disassembly

Code Analysis

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C471B4F ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 2 6C471B4F ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C471B4F ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C471B4F ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 1 6C471B4F ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 success or wait 2 6C471B4F ReadFile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config unknown 4096 end of file 1 6C471B4F ReadFile

File Path Offset Length Completion Count Source Address Symbol
