ID: 386799
Sample Name: ORDER 5211009876.exe
Cookbook: default.jbs
Time: 20:09:05
Date: 14/04/2021
Version: 31.0.0 Emerald

Table of Contents

Table of Contents ........ 2
Analysis Report ORDER 5211009876.exe ........ 4
  Overview ........ 4
    General Information ........ 4
    Detection ........ 4
    Signatures ........ 4
    Classification ........ 4
  Startup ........ 4
  Malware Configuration ........ 4
    Threatname: Agenttesla ........ 4
  Yara Overview ........ 4
    Memory Dumps ........ 4
    Unpacked PEs ........ 5
  Sigma Overview ........ 5
    System Summary ........ 5
  Signature Overview ........ 5
    AV Detection ........ 5
    System Summary ........ 5
    Boot Survival ........ 5
    Malware Analysis System Evasion ........ 6
    HIPS / PFW / Operating System Protection Evasion ........ 6
    Stealing of Sensitive Information ........ 6
    Remote Access Functionality ........ 6
  Mitre Att&ck Matrix ........ 6
  Behavior Graph ........ 7
  Screenshots ........ 7
    Thumbnails ........ 7
  Antivirus, Machine Learning and Genetic Malware Detection ........ 8
    Initial Sample ........ 8
    Dropped Files ........ 8
    Unpacked PE Files ........ 8
    Domains ........ 8
    URLs ........ 9
  Domains and IPs ........ 10
    Contacted Domains ........ 10
    URLs from Memory and Binaries ........ 10
    Contacted IPs ........ 13
      Public ........ 14
  General Information ........ 14
  Simulations ........ 15
    Behavior and APIs ........ 15
  Joe Sandbox View / Context ........ 15
    IPs ........ 15
    Domains ........ 16
    ASN ........ 16
    JA3 Fingerprints ........ 16
    Dropped Files ........ 17
  Created / dropped Files ........ 17
  Static File Info ........ 18
    General ........ 18
    File Icon ........ 18
    Static PE Info ........ 18
      General ........ 19
      Entrypoint Preview ........ 19
      Data Directories ........ 20
      Sections ........ 21
      Resources ........ 21
      Imports ........ 21
      Version Infos ........ 21
  Network Behavior ........ 21
    Network Port Distribution ........ 22
    TCP Packets ........ 22
    UDP Packets ........ 23
    DNS Queries ........ 23
    DNS Answers ........ 23
    SMTP Packets ........ 23
  Code Manipulations ........ 24
  Statistics ........ 24
    Behavior ........ 24
  System Behavior ........ 24
    Analysis Process: ORDER 5211009876.exe PID: 3396 Parent PID: 5636 ........ 24
      General ........ 24
      File Activities ........ 25
        File Created ........ 25
        File Deleted ........ 25
        File Written ........ 25
        File Read ........ 27
    Analysis Process: schtasks.exe PID: 6488 Parent PID: 3396 ........ 27
      General ........ 27
      File Activities ........ 28
        File Read ........ 28
    Analysis Process: conhost.exe PID: 6504 Parent PID: 6488 ........ 28
      General ........ 28
    Analysis Process: ORDER 5211009876.exe PID: 6540 Parent PID: 3396 ........ 28
      General ........ 28
    Analysis Process: ORDER 5211009876.exe PID: 6588 Parent PID: 3396 ........ 28
      General ........ 28
      File Activities ........ 29
        File Created ........ 29
        File Read ........ 29
  Disassembly ........ 29
    Code Analysis ........ 29

Copyright Joe Security LLC 2021

Analysis Report ORDER 5211009876.exe

Overview

General Information

Sample Name: ORDER 5211009876.exe
Analysis ID: 386799
MD5: f59b0f9d9b8a789…
SHA1: e4835a1a2ec55c…
SHA256: 0a873d72d161d2…
Tags: AgentTesla
Infos: (icon panel)
Most interesting Screenshot: (image)

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detec…
Contains capabilities to detect virtua…
Contains functionality to access loa…
Contains functionality to call native f…
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often fo…
Creates a process in suspended mo…
Detected TCP or UDP traffic on non-…
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / Us…
Found inlined nop instructions (likely…
IP address seen in connection with o…
May sleep (evasive loops) to hinder d…
Monitors certain registry keys / valu…
PE file contains strange resources
Queries sensitive processor informa…
Queries the volume information (nam…
Sample execution stops while proce…
Sample file is different than original …
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (…

Classification

(radar chart; categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale: clean, suspicious, malicious)

Startup

System is w10x64
ORDER 5211009876.exe (PID: 3396 cmdline: 'C:\Users\user\Desktop\ORDER 5211009876.exe' MD5: F59B0F9D9B8A789B7E3D4AB8E0CCF737)
  schtasks.exe (PID: 6488 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\uxWltWT' /XML 'C:\Users\user\AppData\Local\Temp\tmp1DBD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
    conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  ORDER 5211009876.exe (PID: 6540 cmdline: C:\Users\user\Desktop\ORDER 5211009876.exe MD5: F59B0F9D9B8A789B7E3D4AB8E0CCF737)
  ORDER 5211009876.exe (PID: 6588 cmdline: C:\Users\user\Desktop\ORDER 5211009876.exe MD5: F59B0F9D9B8A789B7E3D4AB8E0CCF737)
cleanup

Malware Configuration

Threatname: Agenttesla

{
  "Exfil Mode": "SMTP",
  "SMTP Info": "[email protected]##smtp.vivaldi.net"
}

Yara Overview

Memory Dumps

Source: 00000008.00000002.486705475.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.258890858.00000000028E1000.00000004.00000001.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source: 00000008.00000002.493258053.0000000003251000.00000004.00000001.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000000.00000002.260489955.00000000038E9000.00000004.00000001.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: Process Memory Space: ORDER 5211009876.exe PID: 6588 | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

Unpacked PEs

Source: 0.2.ORDER 5211009876.exe.39f7c28.2.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.2.ORDER 5211009876.exe.39f7c28.2.raw.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.2.ORDER 5211009876.exe.290e030.1.raw.unpack | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source: 8.2.ORDER 5211009876.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location

Signature Overview

• AV Detection
• Compliance
• Software Vulnerabilities
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

AV Detection:

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Machine Learning detection for dropped file

Machine Learning detection for sample

System Summary:

.NET source code contains very large array initializations

Initial sample is a PE file and has a suspicious name

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Malware Analysis System Evasion:

Yara detected AntiVM3

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Stealing of Sensitive Information:

Yara detected AgentTesla

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Remote Access Functionality:

Yara detected AgentTesla

Mitre Att&ck Matrix

The matrix has eleven tactic columns; each column's entries are listed top to bottom. The numbers after a technique are the signature counts shown in that matrix cell.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation 2 1 1; Scheduled Task/Job 1; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Scheduled Task/Job 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection 1 1 2; Scheduled Task/Job 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools 1; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 3; Software Packing 3; Masquerading 1; Virtualization/Sandbox Evasion 1 4 1; Process Injection 1 1 2; Indicator Removal from Tools
Credential Access: OS Credential Dumping 2; Input Capture 1; Credentials in Registry 1; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: File and Directory Discovery 1; System Information Discovery 1 1 4; Query Registry 1; Security Software Discovery 3 2 1; Process Discovery 2; Virtualization/Sandbox Evasion 1 4 1; Application Window Discovery 1; Remote System Discovery 1
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Archive Collected Data 1 1; Data from Local System 2; Email Collection 1; Input Capture 1; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel 1; Non-Standard Port 1; Non-Application Layer Protocol 1; Application Layer Protocol 1 1; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol

Behavior Graph

(process graph figure; the node labels and edge annotations recovered from it are listed below)

Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious

ID: 386799
Sample: ORDER 5211009876.exe
Startdate: 14/04/2021
Architecture: WINDOWS
Score: 100

ORDER 5211009876.exe (root process)
  signatures: Sigma detected: Scheduled temp file as task from temp location; Multi AV Scanner detection for dropped file; Found malware configuration; 11 other signatures
  dropped: C:\Users\user\AppData\Roaming\uxWltWT.exe, PE32
  dropped: C:\Users\user\...\uxWltWT.exe:Zone.Identifier, ASCII
  dropped: C:\Users\user\AppData\Local\...\tmp1DBD.tmp, XML
  dropped: C:\Users\user\...\ORDER 5211009876.exe.log, ASCII
  signature: Injects a PE file into a foreign processes
  started: ORDER 5211009876.exe
  started: schtasks.exe
    started: conhost.exe
  started: ORDER 5211009876.exe
    DNS/IP: smtp.vivaldi.net, 31.209.137.12, 49727, 587, HRINGDU-ASIS Iceland
    signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to harvest and steal browser information (history, passwords, etc); Tries to harvest and steal ftp login credentials; Tries to steal Mail credentials (via file access)

Screenshots

Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: ORDER 5211009876.exe | Detection: 44% | Scanner: Virustotal
Source: ORDER 5211009876.exe | Detection: 40% | Scanner: ReversingLabs | Label: ByteCode-MSIL.Trojan.AgentTesla
Source: ORDER 5211009876.exe | Detection: 100% | Scanner: Joe Sandbox ML

Dropped Files

Source: C:\Users\user\AppData\Roaming\uxWltWT.exe | Detection: 100% | Scanner: Joe Sandbox ML
Source: C:\Users\user\AppData\Roaming\uxWltWT.exe | Detection: 40% | Scanner: ReversingLabs | Label: ByteCode-MSIL.Trojan.AgentTesla

Unpacked PE Files

Source: 8.2.ORDER 5211009876.exe.400000.0.unpack | Detection: 100% | Scanner: Avira | Label: TR/Spy.Gen8

Domains

No Antivirus matches

URLs


Domains and IPs

Contacted Domains

Name: smtp.vivaldi.net | IP: 31.209.137.12 | Active: true | Malicious: false | Antivirus Detection: (none) | Reputation: high

URLs from Memory and Binaries


Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
31.209.137.12 | smtp.vivaldi.net | Iceland | 51896 | HRINGDU-ASIS | false

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 386799
Start date: 14.04.2021
Start time: 20:09:05
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 27s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ORDER 5211009876.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@8/4@1/1
EGA Information: Failed
HDC Information: Successful, ratio: 1.7% (good quality ratio 1%); Quality average: 40.1%; Quality standard deviation: 39.1%
HCA Information: Successful, ratio: 99%; Number of executed functions: 0; Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe

Warnings:
Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.82.209.183, 13.88.21.125, 92.122.145.220, 23.57.80.111, 168.61.161.212, 52.147.198.201, 104.42.151.234, 23.32.238.234, 23.32.238.177, 20.54.26.129
Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
20:09:58 | API Interceptor | 709x Sleep call for process: ORDER 5211009876.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
31.209.137.12 | 235080 MID-ATLANTIC SALT.exe | malicious |
31.209.137.12 | Consignment Document.pdf.exe | malicious |
31.209.137.12 | Due Invoices APR 2021.exe | malicious |
31.209.137.12 | Purchase Order 01001O02.exe | malicious |
31.209.137.12 | Payment advice.pdf.exe | malicious |
31.209.137.12 | invoice2.exe | malicious |
31.209.137.12 | Contact form.pdf.exe | malicious |
31.209.137.12 | SOA 4-12-2021.exe | malicious |
31.209.137.12 | MAR 2021.exe | malicious |
31.209.137.12 | Files & Specification.pdf.exe | malicious |
31.209.137.12 | Scan354673.PDF.exe | malicious |
31.209.137.12 | CI-OMG2006023.exe | malicious |
31.209.137.12 | MU3666.exe | malicious |
31.209.137.12 | cts new.pdf.exe | malicious |
31.209.137.12 | Document.pdf.exe | malicious |
31.209.137.12 | E-Remittance Copy.pdf.exe | malicious |
31.209.137.12 | MU3666.exe | malicious |
31.209.137.12 | SOA.exe | malicious |
31.209.137.12 | NO-HL2020926.exe | malicious |
31.209.137.12 | AgentTesla.exe | malicious |

Domains

Match | Associated Sample Name / URL | Detection | Context
smtp.vivaldi.net | 235080 MID-ATLANTIC SALT.exe | malicious | 31.209.137.12
smtp.vivaldi.net | Consignment Document.pdf.exe | malicious | 31.209.137.12
smtp.vivaldi.net | Due Invoices APR 2021.exe | malicious | 31.209.137.12
smtp.vivaldi.net | Purchase Order 01001O02.exe | malicious | 31.209.137.12
smtp.vivaldi.net | Payment advice.pdf.exe | malicious | 31.209.137.12
smtp.vivaldi.net | invoice2.exe | malicious | 31.209.137.12
smtp.vivaldi.net | Contact form.pdf.exe | malicious | 31.209.137.12
smtp.vivaldi.net | SOA 4-12-2021.exe | malicious | 31.209.137.12
smtp.vivaldi.net | MAR 2021.exe | malicious | 31.209.137.12
smtp.vivaldi.net | Files & Specification.pdf.exe | malicious | 31.209.137.12
smtp.vivaldi.net | Scan354673.PDF.exe | malicious | 31.209.137.12
smtp.vivaldi.net | CI-OMG2006023.exe | malicious | 31.209.137.12
smtp.vivaldi.net | MU3666.exe | malicious | 31.209.137.12
smtp.vivaldi.net | cts new.pdf.exe | malicious | 31.209.137.12
smtp.vivaldi.net | Document.pdf.exe | malicious | 31.209.137.12
smtp.vivaldi.net | E-Remittance Copy.pdf.exe | malicious | 31.209.137.12
smtp.vivaldi.net | MU3666.exe | malicious | 31.209.137.12
smtp.vivaldi.net | SOA.exe | malicious | 31.209.137.12
smtp.vivaldi.net | NO-HL2020926.exe | malicious | 31.209.137.12
smtp.vivaldi.net | AgentTesla.exe | malicious | 31.209.137.12

ASN

Match | Associated Sample Name / URL | Detection | Context
HRINGDU-ASIS | 235080 MID-ATLANTIC SALT.exe | malicious | 31.209.137.12
HRINGDU-ASIS | Consignment Document.pdf.exe | malicious | 31.209.137.12
HRINGDU-ASIS | Due Invoices APR 2021.exe | malicious | 31.209.137.12
HRINGDU-ASIS | Purchase Order 01001O02.exe | malicious | 31.209.137.12
HRINGDU-ASIS | Payment advice.pdf.exe | malicious | 31.209.137.12
HRINGDU-ASIS | invoice2.exe | malicious | 31.209.137.12
HRINGDU-ASIS | Contact form.pdf.exe | malicious | 31.209.137.12
HRINGDU-ASIS | SOA 4-12-2021.exe | malicious | 31.209.137.12
HRINGDU-ASIS | MAR 2021.exe | malicious | 31.209.137.12
HRINGDU-ASIS | Files & Specification.pdf.exe | malicious | 31.209.137.12
HRINGDU-ASIS | Scan354673.PDF.exe | malicious | 31.209.137.12
HRINGDU-ASIS | CI-OMG2006023.exe | malicious | 31.209.137.12
HRINGDU-ASIS | MU3666.exe | malicious | 31.209.137.12
HRINGDU-ASIS | cts new.pdf.exe | malicious | 31.209.137.12
HRINGDU-ASIS | Document.pdf.exe | malicious | 31.209.137.12
HRINGDU-ASIS | E-Remittance Copy.pdf.exe | malicious | 31.209.137.12
HRINGDU-ASIS | MU3666.exe | malicious | 31.209.137.12
HRINGDU-ASIS | SOA.exe | malicious | 31.209.137.12
HRINGDU-ASIS | NO-HL2020926.exe | malicious | 31.209.137.12
HRINGDU-ASIS | AgentTesla.exe | malicious | 31.209.137.12

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER 5211009876.exe.log

Process: C:\Users\user\Desktop\ORDER 5211009876.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
MD5: 69206D3AF7D6EFD08F4B4726998856D3
SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
SHA-256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
SHA-512: CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp1DBD.tmp

Process: C:\Users\user\Desktop\ORDER 5211009876.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1644
Entropy (8bit): 5.164601212358285
Encrypted: false
SSDEEP: 24:2dH4+SEqC/a7hTlNMFpH/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBgoaBtn:cbhC7ZlNQF/rydbz9I3YODOLNdq3G
MD5: 6C201CEA923F72BC732EAB46FF04F73D
SHA1: D730C85813D7D7C89EBE6E09D98B01B4F11522EC
SHA-256: 0CF52ECB4DFCD134C4CD702D588C1F4B2F608D599FDF4AF3FA67E67B8E6F4764
SHA-512: F884475FC376EE4F9ADCB2C04B616CBDC461C8DEF8ED9E8AA13C04775F460DE08E9781A6E7F5AC35B15031389F84DA8A88A786C744C9BB2CBDB095891B6B3950
Malicious: true
Reputation: low
Preview: .... .. 2014-10-25T14:27:44.8929027.. computer\user.. .. .. .. true.. computer\user.. .. .. false.. .. .. .. .. computer\user.. InteractiveToken.. LeastPrivilege.. .. .. .. StopExisting.. false.. true.. false.. t

C:\Users\user\AppData\Roaming\uxWltWT.exe

Process: C:\Users\user\Desktop\ORDER 5211009876.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 1036288
Entropy (8bit): 7.129645450240472
Encrypted: false
SSDEEP: 12288:fx50rNmwOKgwCviDn+j/M2hXtbvAb7Ux5V+vO8ZSBRkFsmFrTNnMKOfmsM7:+Nb6dLjZ5tbv44B7RazPnzF1
MD5: F59B0F9D9B8A789B7E3D4AB8E0CCF737
SHA1: E4835A1A2EC55CBB7E7665CE6EDC0FDBBFB90F5F
SHA-256: 0A873D72D161D2ED545A8CA6534443ED9D15F377A135B1E8D8EED14A0D2FF68B
SHA-512: 57D65817D12974C4F0041A12F9248F334B84513C5215721D0ADFE4506A1BEC91B22B07EDE70AEB567180D66B42CC9851379E3B786EB5DABE6EB1C789D055D41F
Malicious: true
Antivirus: Joe Sandbox ML, Detection: 100%
Antivirus: ReversingLabs, Detection: 40%
Reputation: low
Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... PE..L...v3v`...... (...... G...... @...... @...... @...... G..O....`...... H...... text....'...... (...... `.rsrc...... `...... *...... @[email protected]...... @..B...... G...... H...... X...4...... @...... 0...... +.&.*....0...... +.&..(....*..0...... +.&...(.....*....0...... +.&.s...... S+. ."P. a%..^E....M...... 4...+Ks...... !Z ..gMa+.s...... O8VQZ ....a+.s...... TZ x.p.a+.s...... *...0..V...... +.&.. .'qu .w. a%..^E...... +...... +)~....o...... aK.Z @..ea+.. .O.!Z .H..a+..*...0..V...... +.&.. .Ums ...,a%..^E...... +...... +)~....o...... Z ....a+

C:\Users\user\AppData\Roaming\uxWltWT.exe:Zone.Identifier

Process: C:\Users\user\Desktop\ORDER 5211009876.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.129645450240472
TrID:
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Win32 Executable (generic) a (10002005/4) 49.78%
Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
Generic Win/DOS Executable (2004/3) 0.01%
DOS Executable Generic (2002/1) 0.01%
File name: ORDER 5211009876.exe
File size: 1036288
MD5: f59b0f9d9b8a789b7e3d4ab8e0ccf737
SHA1: e4835a1a2ec55cbb7e7665ce6edc0fdbbfb90f5f
SHA256: 0a873d72d161d2ed545a8ca6534443ed9d15f377a135b1e8d8eed14a0d2ff68b
SHA512: 57d65817d12974c4f0041a12f9248f334b84513c5215721d0adfe4506a1bec91b22b07ede70aeb567180d66b42cc9851379e3b786eb5dabe6eb1c789d055d41f
SSDEEP: 12288:fx50rNmwOKgwCviDn+j/M2hXtbvAb7Ux5V+vO8ZSBRkFsmFrTNnMKOfmsM7:+Nb6dLjZ5tbv44B7RazPnzF1
File Content Preview: MZ...... @...... !..L.!This program cannot be run in DOS mode....$...... PE..L...v3v`...... (...... G...... @...... @...... @......

File Icon

Icon Hash: cc92316d713396e8

Static PE Info

General

Entrypoint: 0x4e47de
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x60763376 [Wed Apr 14 00:12:38 2021 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(add byte ptr [eax], al repeats for the rest of the preview: the bytes after the CLR entry stub are zero-filled, and 00 00 disassembles to this instruction)

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xe478c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe6000 | 0x1a400 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x102000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xe27e4 | 0xe2800 | False | 0.749142004691 | data | 7.39073399949 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xe6000 | 0x1a400 | 0x1a400 | False | 0.140969122024 | data | 2.99724826344 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x102000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0xe6220 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0xe6688 | 0x162a | PNG image data, 256 x 256, 8-bit colormap, non-interlaced | |
RT_ICON | 0xe7cb4 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0xea25c | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0xeb304 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
RT_ICON | 0xfbb2c | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
RT_GROUP_ICON | 0xffd54 | 0x5a | data | |
RT_VERSION | 0xffdb0 | 0x334 | data | |
RT_MANIFEST | 0x1000e4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright 2020
Assembly Version | 1.0.0.0
InternalName | ICustomProperty.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName | GameMaker
ProductVersion | 1.0.0.0
FileDescription | GameMaker
OriginalFilename | ICustomProperty.exe

Network Behavior

Network Port Distribution

Total Packets: 43
• 53 (DNS)
• 587 undefined

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 14, 2021 20:11:51.185751915 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12
Apr 14, 2021 20:11:51.274503946 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5
Apr 14, 2021 20:11:51.274656057 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12
Apr 14, 2021 20:11:52.513645887 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5
Apr 14, 2021 20:11:52.514533043 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12
Apr 14, 2021 20:11:52.602003098 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5
Apr 14, 2021 20:11:52.602061987 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5
Apr 14, 2021 20:11:52.602688074 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12
Apr 14, 2021 20:11:52.689891100 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5
Apr 14, 2021 20:11:52.739300966 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12
Apr 14, 2021 20:11:52.776143074 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12
Apr 14, 2021 20:11:52.869012117 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5
Apr 14, 2021 20:11:52.869057894 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5
Apr 14, 2021 20:11:52.869087934 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5
Apr 14, 2021 20:11:52.869282007 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12
Apr 14, 2021 20:11:52.876156092 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12
Apr 14, 2021 20:11:52.965557098 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5
Apr 14, 2021 20:11:53.020777941 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12
Apr 14, 2021 20:11:53.276148081 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12
Apr 14, 2021 20:11:53.365221977 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5
Apr 14, 2021 20:11:53.368182898 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12
Apr 14, 2021 20:11:53.455846071 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5
Apr 14, 2021 20:11:53.457087994 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12
Apr 14, 2021 20:11:53.587883949 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5
Apr 14, 2021 20:11:53.624505043 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5
Apr 14, 2021 20:11:53.632402897 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12
Apr 14, 2021 20:11:53.720947027 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5
Apr 14, 2021 20:11:53.723088026 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5
Apr 14, 2021 20:11:53.724627018 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12
Apr 14, 2021 20:11:53.841561079 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5
Apr 14, 2021 20:11:53.842820883 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12
Apr 14, 2021 20:11:53.931691885 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5
Apr 14, 2021 20:11:53.935290098 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12
Apr 14, 2021 20:11:53.935512066 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12
Apr 14, 2021 20:11:53.935616970 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12
Apr 14, 2021 20:11:53.935691118 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12
Apr 14, 2021 20:11:54.022834063 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5
Apr 14, 2021 20:11:54.022866011 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5
Apr 14, 2021 20:11:54.022881985 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5
Apr 14, 2021 20:11:54.043373108 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5
Apr 14, 2021 20:11:54.086035967 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 14, 2021 20:09:44.107270002 CEST | 65307 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:09:44.142467022 CEST | 64344 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:09:44.156084061 CEST | 53 | 65307 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:09:44.191464901 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:09:44.368768930 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:09:44.417740107 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:09:45.446734905 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:09:45.500399113 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:09:46.748461962 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:09:46.807594061 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:10:12.894309044 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:10:12.956736088 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:10:19.199362040 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:10:19.250833035 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:10:20.272073030 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:10:20.324250937 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:10:21.748418093 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:10:21.801151991 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:10:22.559482098 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:10:22.612438917 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:10:22.785927057 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:10:22.834750891 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:10:23.763811111 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:10:23.815448046 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:10:25.245830059 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:10:25.295304060 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:10:27.148330927 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:10:27.198061943 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:10:28.647408009 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:10:28.707874060 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:10:29.779011011 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:10:29.828102112 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:10:38.489861012 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:10:38.549587965 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:10:48.027400017 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:10:48.096970081 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:11:03.041523933 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:11:03.094902992 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:11:06.292263985 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:11:06.349168062 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:11:38.703578949 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:11:38.752289057 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:11:40.732465029 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:11:40.792046070 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Apr 14, 2021 20:11:50.966463089 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Apr 14, 2021 20:11:51.028044939 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Apr 14, 2021 20:11:50.966463089 CEST | 192.168.2.5 | 8.8.8.8 | 0x3008 | Standard query (0) | smtp.vivaldi.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Apr 14, 2021 20:11:51.028044939 CEST | 8.8.8.8 | 192.168.2.5 | 0x3008 | No error (0) | smtp.vivaldi.net | | 31.209.137.12 | A (IP address) | IN (0x0001)

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 14, 2021 20:11:52.513645887 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5 | 220 smtp.vivaldi.net ESMTP Postfix (Ubuntu)
Apr 14, 2021 20:11:52.514533043 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12 | EHLO 813848
Apr 14, 2021 20:11:52.602061987 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5 | 250-smtp.vivaldi.net 250-PIPELINING 250-SIZE 36700160 250-ETRN 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 SMTPUTF8
Apr 14, 2021 20:11:52.602688074 CEST | 49727 | 587 | 192.168.2.5 | 31.209.137.12 | STARTTLS
Apr 14, 2021 20:11:52.689891100 CEST | 587 | 49727 | 31.209.137.12 | 192.168.2.5 | 220 2.0.0 Ready to start TLS

Code Manipulations

Statistics

Behavior

• ORDER 5211009876.exe
• schtasks.exe
• conhost.exe
• ORDER 5211009876.exe
• ORDER 5211009876.exe


System Behavior

Analysis Process: ORDER 5211009876.exe PID: 3396 Parent PID: 5636

General

Start time: 20:09:51
Start date: 14/04/2021
Path: C:\Users\user\Desktop\ORDER 5211009876.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\ORDER 5211009876.exe'
Imagebase: 0x440000
File size: 1036288 bytes
MD5 hash: F59B0F9D9B8A789B7E3D4AB8E0CCF737
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.258890858.00000000028E1000.00000004.00000001.sdmp, Author: Joe Security
Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.260489955.00000000038E9000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

File Activities

File Created

Source File Path: C:\Users\user
Access: read data or list directory | synchronize
Attributes: device
Options: directory file | synchronous io non alert | open for backup ident | open reparse point
Completion: object name collision
Count: 1
Address: 6DC4CF06
Symbol: unknown

Source File Path: C:\Users\user\AppData\Roaming
Access: read data or list directory | synchronize
Attributes: device
Options: directory file | synchronous io non alert | open for backup ident | open reparse point
Completion: object name collision
Count: 1
Address: 6DC4CF06
Symbol: unknown

Source File Path: C:\Users\user\AppData\Roaming\uxWltWT.exe
Access: read data or list directory | read attributes | delete | write dac | synchronize | generic read | generic write
Attributes: device
Options: sequential only | non directory file
Completion: success or wait
Count: 1
Address: 6C9BDD66
Symbol: CopyFileW

Source File Path: C:\Users\user\AppData\Roaming\uxWltWT.exe\:Zone.Identifier:$DATA
Access: read data or list directory | synchronize | generic write
Attributes: device
Options: sequential only | synchronous io non alert
Completion: success or wait
Count: 1
Address: 6C9BDD66
Symbol: CopyFileW

Source File Path: C:\Users\user\AppData\Local\Temp\tmp1DBD.tmp
Access: read attributes | synchronize | generic read
Attributes: device
Options: synchronous io non alert | non directory file
Completion: success or wait
Count: 1
Address: 6C9B7038
Symbol: GetTempFileNameW

Source File Path: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER 5211009876.exe.log
Access: read attributes | synchronize | generic write
Attributes: device
Options: synchronous io non alert | non directory file
Completion: success or wait
Count: 1
Address: 6DF5C78D
Symbol: CreateFileW

File Deleted

Source File Path | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\tmp1DBD.tmp | success or wait | 1 | 6C9B6A95 | DeleteFileW

File Written

Source File Path: C:\Users\user\AppData\Roaming\uxWltWT.exe
Offset: 0
Length: 262144
Value: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 76 33 76 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 28 0e 00 00 a6 01 00 00 00 00 00 de 47 0e 00 00 20 00 00 00 00 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 10 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
Ascii: MZ...... @..... ...... ...... !..L.!This program cannot be run in DOS mode.... $...... PE..L...v3v`...... ...... (...... G...... @.. ...... @ ...... @...... ......
Completion: success or wait
Count: 4
Address: 6C9BDD66
Symbol: CopyFileW

Source File Path: C:\Users\user\AppData\Roaming\uxWltWT.exe:Zone.Identifier
Offset: 0
Length: 26
Value: 5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 0d 0a 5a 6f 6e 65 49 64 3d 30
Ascii: [ZoneTransfer]....ZoneId=0
Completion: success or wait
Count: 1
Address: 6C9BDD66
Symbol: CopyFileW

Source File Path: C:\Users\user\AppData\Local\Temp\tmp1DBD.tmp
Offset: unknown
Length: 1644
Value: 3c 3f 78 6d 6c 20 76 22 31 2e 30 22 20 65 72 73 69 6f 6e 3d 22 31 2e 32 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 77
Ascii: .. .. .. 2014-10-25T14:27:44.8929027.. computer\user..

Source File Path: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER 5211009876.exe.log
Offset: unknown
Length: 1216
Value: 31 2c 22 66 75 73 69 6f 6e 22 2c 22 47 41 43 22 2c 30 0d 0a 31 2c 22 57 69 6e 52 54 22 2c 22 4e 6f 74 41 70 70 22 2c 31 0d 0a 32 2c 22 53 79 73 74 65 6d 2e 57 69 6e 64 6f 77 73 2e 46 6f 72 6d 73 2c 20 56 65 72 73 69 6f 6e 3d 34 2e 30 2e 30 2e 30 2c 20 43 75 6c 74 75 72 65 3d 6e 65 75 74 72 61 6c 2c 20 50 75 62 6c 69 63 4b 65 79 54 6f 6b 65 6e 3d 62 37 37 61 35 63 35 36 31 39 33 34 65 30 38 39 22 2c 30 0d 0a 33 2c 22 53 79 73 74 65 6d 2c 20 56 65 72 73 69 6f 6e 3d 34 2e 30 2e 30 2e 30 2c 20 43 75 6c 74 75 72 65 3d 6e 65 75 74 72 61 6c 2c 20 50 75 62 6c 69 63 4b 65 79 54 6f 6b 65 6e 3d 62 37 37 61 35 63 35 36 31 39 33 34 65 30 38 39 22 2c 22 43 3a 5c 57 69 6e 64 6f 77 73 5c 61 73 73 65 6d 62 6c 79 5c 4e 61 74 69 76 65 49 6d 61 67 65 73 5f 76 34 2e 30 2e 33
Ascii: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.3
Completion: success or wait
Count: 1
Address: 6DF5C907
Symbol: WriteFile

File Read

Source File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6DC25705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6DC25705 | unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux | unknown | 176 | success or wait | 1 | 6DB803DE | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6DC2CA54 | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux | unknown | 620 | success or wait | 1 | 6DB803DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux | unknown | 864 | success or wait | 1 | 6DB803DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux | unknown | 900 | success or wait | 1 | 6DB803DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll.aux | unknown | 748 | success or wait | 1 | 6DB803DE | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6DC25705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 8171 | end of file | 1 | 6DC25705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | success or wait | 1 | 6C9B1B4F | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | end of file | 1 | 6C9B1B4F | ReadFile

Analysis Process: schtasks.exe PID: 6488 Parent PID: 3396

General

Start time: 20:10:05
Start date: 14/04/2021
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\uxWltWT' /XML 'C:\Users\user\AppData\Local\Temp\tmp1DBD.tmp'
Imagebase: 0x1100000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities


File Read

Source File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Temp\tmp1DBD.tmp | unknown | 2 | success or wait | 1 | 110AB22 | ReadFile
C:\Users\user\AppData\Local\Temp\tmp1DBD.tmp | unknown | 1645 | success or wait | 1 | 110ABD9 | ReadFile
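Added example, not part of the Joe Sandbox report: the schtasks.exe entry above is the sample's persistence step. The command line names System32\schtasks.exe but the process path is SysWOW64\schtasks.exe, which is WOW64 file-system redirection for the 32-bit parent, not tampering. The report does not include the contents of tmp1DBD.tmp, so the action the task runs cannot be read from this page; on a host, the registered definition can be collected from %SystemRoot%\System32\Tasks\Updates\uxWltWT. The Python below tokenises a schtasks command line as a sandbox or EDR logs it, extracts the options, and flags the pattern seen here: a task registered from an XML file in the user's Temp directory by a binary running from a user-writable path. The first event is taken from the report; the second, benign event and the thresholds are my own.

```python
# Added example (not part of the Joe Sandbox report): tokenise a schtasks.exe
# command line, pull out its options, and flag persistence registered from a
# temp XML by a user-writable parent. The benign baseline event is constructed.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

EVENTS = [
    {   # taken from the schtasks.exe process entry above (PID 6488, parent PID 3396)
        "pid": 6488, "parent_pid": 3396,
        "image": r"C:\Windows\SysWOW64\schtasks.exe",
        "parent_image": r"C:\Users\user\Desktop\ORDER 5211009876.exe",
        "command_line": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\uxWltWT' /XML 'C:\Users\user\AppData\Local\Temp\tmp1DBD.tmp'",
    },
    {   # constructed benign baseline: an operator listing a task from a console
        "pid": 7000, "parent_pid": 7001,
        "image": r"C:\Windows\System32\schtasks.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": r'schtasks.exe /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"',
    },
]


def tokenize(cmdline: str):
    """Split a command line into arguments. Single or double quotes group
    whitespace (Joe Sandbox renders quotes as single quotes); backslashes are
    literal, unlike shlex in POSIX mode, so Windows paths survive intact."""
    tokens, cur, quote = [], [], None
    for ch in cmdline:
        if quote:
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in ("'", '"'):
            quote = ch
        elif ch.isspace():
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_schtasks(tokens):
    """Map /Option -> value, or True for a bare switch; keys are lower-cased."""
    opts, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def assess(event) -> list:
    """Return the findings for one process-creation event (empty if benign)."""
    tokens = tokenize(event["command_line"])
    if not tokens or not tokens[0].lower().endswith("schtasks.exe"):
        return []
    opts = parse_schtasks(tokens)
    if "create" not in opts:          # only task registration is of interest here
        return []
    findings = []
    xml = opts.get("xml")
    if isinstance(xml, str) and any(d in xml.lower() for d in TEMP_DIRS):
        findings.append(f"task definition read from a temp file: {xml}")
    parent = event.get("parent_image", "").lower()
    if any(d in parent for d in USER_WRITABLE):
        findings.append(f"schtasks launched by a binary in a user-writable path: {event['parent_image']}")
    if findings and isinstance(opts.get("tn"), str):
        # where the registered definition lives once schtasks has consumed the XML
        findings.append(f"collect the task file from %SystemRoot%\\System32\\Tasks\\{opts['tn']}")
    return findings


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["pid"], assess(ev) or "no findings")
```

The parent-path test is what separates this from legitimate installers: those also call schtasks with /XML, but from Program Files or a packaged installer, not from a user's Desktop.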

Analysis Process: conhost.exe PID: 6504 Parent PID: 6488

General

Start time: 20:10:05
Start date: 14/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Analysis Process: ORDER 5211009876.exe PID: 6540 Parent PID: 3396

General

Start time: 20:10:06
Start date: 14/04/2021
Path: C:\Users\user\Desktop\ORDER 5211009876.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\ORDER 5211009876.exe
Imagebase: 0x390000
File size: 1036288 bytes
MD5 hash: F59B0F9D9B8A789B7E3D4AB8E0CCF737
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

Analysis Process: ORDER 5211009876.exe PID: 6588 Parent PID: 3396

General

Start time: 20:10:08
Start date: 14/04/2021
Path: C:\Users\user\Desktop\ORDER 5211009876.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\ORDER 5211009876.exe
Imagebase: 0x7ff797770000
File size: 1036288 bytes
MD5 hash: F59B0F9D9B8A789B7E3D4AB8E0CCF737
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
  Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Source: 00000008.00000002.486705475.0000000000402000.00000040.00000001.sdmp | Author: Joe Security
  Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Source: 00000008.00000002.493258053.0000000003251000.00000004.00000001.sdmp | Author: Joe Security
Reputation: low

File Activities

File Created

Source File Path: C:\Users\user
Access: read data or list directory | synchronize
Attributes: device
Options: directory file | synchronous io non alert | open for backup ident | open reparse point
Completion: object name collision
Count: 1
Address: 6DC4CF06
Symbol: unknown

Source File Path: C:\Users\user\AppData\Roaming
Access: read data or list directory | synchronize
Attributes: device
Options: directory file | synchronous io non alert | open for backup ident | open reparse point
Completion: object name collision
Count: 1
Address: 6DC4CF06
Symbol: unknown

File Read

Source File Path | Offset | Length | Completion | Count | Address | Symbol
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6DC25705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 6135 | success or wait | 1 | 6DC25705 | unknown
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux | unknown | 176 | success or wait | 1 | 6DB803DE | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6DC2CA54 | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll.aux | unknown | 620 | success or wait | 1 | 6DB803DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll.aux | unknown | 864 | success or wait | 1 | 6DB803DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll.aux | unknown | 900 | success or wait | 1 | 6DB803DE | ReadFile
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll.aux | unknown | 748 | success or wait | 1 | 6DB803DE | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4095 | success or wait | 1 | 6DC25705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 8171 | end of file | 1 | 6DC25705 | unknown
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | success or wait | 1 | 6C9B1B4F | ReadFile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config | unknown | 4096 | end of file | 1 | 6C9B1B4F | ReadFile
C:\Program Files (x86)\jDownloader\config\database.script | unknown | 4096 | success or wait | 1 | 6C9B1B4F | ReadFile
C:\Program Files (x86)\jDownloader\config\database.script | unknown | 4096 | end of file | 1 | 6C9B1B4F | ReadFile
C:\Users\user\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D | unknown | 11168 | success or wait | 1 | 6C9B1B4F | ReadFile
C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-3853321935-2125563209-4053062332-1002\6b18839a-f7cc-414e-ba5d-3b3fbb5de4cf | unknown | 4096 | success or wait | 1 | 6C9B1B4F | ReadFile
C:\Users\user\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D | unknown | 11168 | success or wait | 1 | 6C9B1B4F | ReadFile
C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data | unknown | 40960 | success or wait | 1 | 6C9B1B4F | ReadFile
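Added example, not part of the Joe Sandbox report: the File Read table for this PID mixes .NET runtime start-up noise (machine.config, the .ni.dll.aux native-image side files, which also appear unchanged under PID 3396) with the reads that justify the CredentialStealer Yara hit: a DPAPI credential blob under Microsoft\Credentials, a DPAPI master key under Microsoft\Protect\<SID>, Chrome's Login Data database, and jDownloader's configuration. The process runs as the logged-on user, so DPAPI-protected stores are decryptable in its context; the file reads are the observable. The Python below reproduces that triage over rows constructed from the table, separating the credential-store categories from runtime noise. The categories, patterns and the confidence rule are my own.

```python
# Added example (not from the Joe Sandbox report): classify a process's file
# reads into credential-store categories and drop .NET runtime noise.
# READS is constructed from the File Read table for PID 6588 above.
import re
from collections import defaultdict

READS = [   # (path, bytes requested), constructed from the table above
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config", 4095),
    (r"C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll.aux", 176),
    (r"C:\Program Files (x86)\jDownloader\config\database.script", 4096),
    (r"C:\Users\user\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D", 11168),
    (r"C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-3853321935-2125563209-4053062332-1002\6b18839a-f7cc-414e-ba5d-3b3fbb5de4cf", 4096),
    (r"C:\Users\user\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D", 11168),
    (r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data", 40960),
]

# Category -> pattern over the full path. Credential blobs are 32 hex chars,
# master keys are a GUID under the user's SID folder.
RULES = [
    ("dpapi_credential_blob", re.compile(r"\\Microsoft\\Credentials\\[0-9A-F]{32}$", re.I)),
    ("dpapi_master_key", re.compile(r"\\Microsoft\\Protect\\S-1-5-21-[\d-]+\\[0-9a-f-]{36}$", re.I)),
    ("chrome_login_data", re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I)),
    ("jdownloader_config", re.compile(r"\\jDownloader\\config\\", re.I)),
]
# CLR start-up reads that every .NET 4.x process produces.
RUNTIME_NOISE = re.compile(r"(\\machine\.config|\.ni\.dll\.aux)$", re.I)


def classify(path: str) -> str:
    for name, pattern in RULES:
        if pattern.search(path):
            return name
    if RUNTIME_NOISE.search(path):
        return "runtime"
    return "other"


def triage(reads):
    """Group reads by category, skipping runtime noise.
    Returns {category: {"paths": [unique paths], "bytes": total requested}}."""
    summary = defaultdict(lambda: {"paths": [], "bytes": 0})
    for path, length in reads:
        cat = classify(path)
        if cat == "runtime":
            continue
        entry = summary[cat]
        if path not in entry["paths"]:
            entry["paths"].append(path)
        entry["bytes"] += length
    return dict(summary)


def looks_like_credential_theft(summary) -> bool:
    """High confidence when a DPAPI master key is read alongside at least one
    DPAPI-protected store (credential blob or browser login database)."""
    stores = {"dpapi_credential_blob", "chrome_login_data"}
    return "dpapi_master_key" in summary and bool(stores & summary.keys())


if __name__ == "__main__":
    result = triage(READS)
    for cat, entry in result.items():
        print(cat, entry["bytes"], entry["paths"])
    print("credential theft:", looks_like_credential_theft(result))
```

The same rules applied to PID 3396's table above yield nothing but runtime noise, which is the point: the unpacked payload in the second child copy of the binary is the one doing the stealing, and that is the process whose file reads are worth alerting on.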

Disassembly

Code Analysis
