Windows Analysis Report
charesworh.exe

Overview

General Information

Sample name: charesworh.exe
Analysis ID: 1428836
MD5: 590b450f25fafb87d58090f15d279e17
SHA1: 3f73fb4c40e67fe01b71bc1cb99dc4fb1a5b54b4
SHA256: 2dd7ca872acd828eeab12c42fb0a2fb96084876164525845d396ae489932aa7a
Tags: agentteslaexeFormbook
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Binary is likely a compiled AutoIt script file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 2.2.RegSvcs.exe.710000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.cash4cars.nz", "Username": "logs@cash4cars.nz", "Password": "logs2024!"}
Multi AV Scanner detection for submitted file
Source: charesworh.exe ReversingLabs: Detection: 50%
Machine Learning detection for sample
Source: charesworh.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: charesworh.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: RegSvcs.pdb, source: newfile.exe, 00000003.00000000.1516766156.0000000000E72000.00000002.00000001.01000000.00000006.sdmp, newfile.exe.2.dr
Source: Binary string: wntdll.pdbUGP source: charesworh.exe, 00000000.00000003.1396161490.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, charesworh.exe, 00000000.00000003.1397980135.0000000003C80000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: charesworh.exe, 00000000.00000003.1396161490.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, charesworh.exe, 00000000.00000003.1397980135.0000000003C80000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: newfile.exe, 00000003.00000000.1516766156.0000000000E72000.00000002.00000001.01000000.00000006.sdmp, newfile.exe.2.dr
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C84696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00C84696
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C8C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00C8C9C7
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C8C93C FindFirstFileW,FindClose, 0_2_00C8C93C
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C8F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C8F200
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C8F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C8F35D
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C8F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00C8F65E
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C83A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C83A2B
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C83D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C83D4E
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C8BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00C8BF27

Networking
barindex
Yara detected Generic Downloader
Source: Yara match File source: 2.2.RegSvcs.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.charesworh.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.8:49706 -> 114.142.162.17:26
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View IP Address: 114.142.162.17 114.142.162.17
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SERVERMULE-AS-APNimbus2PtyLtdAU SERVERMULE-AS-APNimbus2PtyLtdAU
May check the online IP address of the machine
Source: unknown DNS query: name: ip-api.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C925E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_00C925E2
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: ip-api.com
Source: RegSvcs.exe, 00000002.00000002.2635779693.0000000002831000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: charesworh.exe, 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2634689317.0000000000712000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2635779693.0000000002831000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2634989652.0000000000995000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.2635779693.0000000002894000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.cash4cars.nz
Source: RegSvcs.exe, 00000002.00000002.2635779693.0000000002831000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: charesworh.exe, 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2634689317.0000000000712000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 0.2.charesworh.exe.1390000.1.raw.unpack, cPKWk.cs .Net Code: hZd2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C9425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00C9425A
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C94458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00C94458
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C9425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00C9425A
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C80219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_00C80219
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00CACDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00CACDAC

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 2.2.RegSvcs.exe.710000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.charesworh.exe.1390000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.charesworh.exe.1390000.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\charesworh.exe Code function: This is a third-party compiled AutoIt script. 0_2_00C23B4C
Source: charesworh.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: charesworh.exe, 00000000.00000000.1384002707.0000000000CD5000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_3731d04b-4
Source: charesworh.exe, 00000000.00000000.1384002707.0000000000CD5000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_e75241d9-7
Source: charesworh.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_47b33e29-9
Source: charesworh.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_97ceaffa-c
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C840B1: CreateFileW,_memset,DeviceIoControl,CloseHandle, 0_2_00C840B1
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C78858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00C78858
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C8545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_00C8545F
Detected potential crypto function
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C2E800 0_2_00C2E800
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C4DBB5 0_2_00C4DBB5
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00CA804A 0_2_00CA804A
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C2E060 0_2_00C2E060
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C34140 0_2_00C34140
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C42405 0_2_00C42405
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C56522 0_2_00C56522
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00CA0665 0_2_00CA0665
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C5267E 0_2_00C5267E
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C36843 0_2_00C36843
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C4283A 0_2_00C4283A
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C589DF 0_2_00C589DF
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00CA0AE2 0_2_00CA0AE2
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C56A94 0_2_00C56A94
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C38A0E 0_2_00C38A0E
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C7EB07 0_2_00C7EB07
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C88B13 0_2_00C88B13
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C4CD61 0_2_00C4CD61
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C57006 0_2_00C57006
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C33190 0_2_00C33190
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C3710E 0_2_00C3710E
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C21287 0_2_00C21287
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C433C7 0_2_00C433C7
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C4F419 0_2_00C4F419
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C416C4 0_2_00C416C4
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C35680 0_2_00C35680
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C358C0 0_2_00C358C0
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C478D3 0_2_00C478D3
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C41BB8 0_2_00C41BB8
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C59D05 0_2_00C59D05
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C2FE40 0_2_00C2FE40
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C41FD0 0_2_00C41FD0
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C4BFE6 0_2_00C4BFE6
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_01383650 0_2_01383650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00C64AD0 2_2_00C64AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00C6D230 2_2_00C6D230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00C63EB8 2_2_00C63EB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00C64200 2_2_00C64200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05F68788 2_2_05F68788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05F60040 2_2_05F60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05F6B380 2_2_05F6B380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05F632D0 2_2_05F632D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05F65910 2_2_05F65910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05F6E830 2_2_05F6E830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05F69BF0 2_2_05F69BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05F60007 2_2_05F60007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05F6ACA0 2_2_05F6ACA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05F68EF0 2_2_05F68EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_05F6E81F 2_2_05F6E81F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_064E3500 2_2_064E3500
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\charesworh.exe Code function: String function: 00C48B40 appears 42 times
Source: C:\Users\user\Desktop\charesworh.exe Code function: String function: 00C40D27 appears 70 times
Source: C:\Users\user\Desktop\charesworh.exe Code function: String function: 00C27F41 appears 35 times
Sample file is different than original file name gathered from version info
Source: charesworh.exe, 00000000.00000003.1398561609.0000000003F4D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs charesworh.exe
Source: charesworh.exe, 00000000.00000003.1396530391.0000000003DA3000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs charesworh.exe
Source: charesworh.exe, 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename5c6f5efb-7c76-4283-af3e-eb17be5e53b7.exe4 vs charesworh.exe
Uses 32bit PE files
Source: charesworh.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 2.2.RegSvcs.exe.710000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.charesworh.exe.1390000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.charesworh.exe.1390000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.charesworh.exe.1390000.1.raw.unpack, cPs8D.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.charesworh.exe.1390000.1.raw.unpack, 72CF8egH.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.charesworh.exe.1390000.1.raw.unpack, G5CXsdn.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.charesworh.exe.1390000.1.raw.unpack, 3uPsILA6U.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.charesworh.exe.1390000.1.raw.unpack, 6oQOw74dfIt.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.charesworh.exe.1390000.1.raw.unpack, aMIWm.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.charesworh.exe.1390000.1.raw.unpack, 3QjbQ514BDx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.charesworh.exe.1390000.1.raw.unpack, 3QjbQ514BDx.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/8@2/2
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C8A2D5 GetLastError,FormatMessageW, 0_2_00C8A2D5
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C78713 AdjustTokenPrivileges,CloseHandle, 0_2_00C78713
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C78CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_00C78CC3
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C8B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_00C8B59E
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C9F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00C9F121
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C986D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear, 0_2_00C986D0
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C24FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00C24FE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\newfile Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1280:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_03
Source: C:\Users\user\Desktop\charesworh.exe File created: C:\Users\user\AppData\Local\Temp\aut92D3.tmp Jump to behavior
Source: charesworh.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: charesworh.exe ReversingLabs: Detection: 50%
Source: unknown Process created: C:\Users\user\Desktop\charesworh.exe "C:\Users\user\Desktop\charesworh.exe"
Source: C:\Users\user\Desktop\charesworh.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\charesworh.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\newfile\newfile.exe "C:\Users\user\AppData\Roaming\newfile\newfile.exe"
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\charesworh.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\charesworh.exe" Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: charesworh.exe Static file information: File size 1067008 > 1048576
Source: charesworh.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: charesworh.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: charesworh.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: charesworh.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: charesworh.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: charesworh.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: charesworh.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: RegSvcs.pdb, source: newfile.exe, 00000003.00000000.1516766156.0000000000E72000.00000002.00000001.01000000.00000006.sdmp, newfile.exe.2.dr
Source: Binary string: wntdll.pdbUGP source: charesworh.exe, 00000000.00000003.1396161490.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, charesworh.exe, 00000000.00000003.1397980135.0000000003C80000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: charesworh.exe, 00000000.00000003.1396161490.0000000003E20000.00000004.00001000.00020000.00000000.sdmp, charesworh.exe, 00000000.00000003.1397980135.0000000003C80000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: newfile.exe, 00000003.00000000.1516766156.0000000000E72000.00000002.00000001.01000000.00000006.sdmp, newfile.exe.2.dr
Source: charesworh.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: charesworh.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: charesworh.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: charesworh.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: charesworh.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C9C304 LoadLibraryA,GetProcAddress, 0_2_00C9C304
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C7031B push ecx; ret 0_2_00C70451
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C70457 push ecx; ret 0_2_00C70459
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C70453 push ecx; ret 0_2_00C70455
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C36701 push ecx; ret 0_2_00C36737
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C48B85 push ecx; ret 0_2_00C48B98
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C311AD push cs; ret 0_2_00C311AE
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C311B1 push cs; ret 0_2_00C311B6
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C31118 push cs; ret 0_2_00C3111E
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C31120 push cs; ret 0_2_00C311AA
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C35488 push eax; ret 0_2_00C354B2
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C354B4 push edx; ret 0_2_00C354E6
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C35470 push ebx; ret 0_2_00C35486
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C35400 push ebx; ret 0_2_00C35406
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C35408 push ebx; ret 0_2_00C35432
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C35507 push edx; ret 0_2_00C35512
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C3553F push ebx; ret 0_2_00C3554A
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C317E3 push ss; ret 0_2_00C317EC
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C317ED push ss; ret 0_2_00C317F0
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C317FD push ss; ret 0_2_00C31800
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\newfile\newfile.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run newfile Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\newfile\newfile.exe:Zone.Identifier read attributes | delete Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C24A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00C24A35
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00CA55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00CA55FD
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C433C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00C433C7
Source: C:\Users\user\Desktop\charesworh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: charesworh.exe PID: 6080, type: MEMORYSTR
Check if machine is in data center or colocation facility
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: charesworh.exe, 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.2634689317.0000000000712000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Memory allocated: 2FB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Memory allocated: 3150000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Memory allocated: 5150000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Memory allocated: 22E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Memory allocated: 2590000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Memory allocated: 22E0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2276 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 7582 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\charesworh.exe API coverage: 4.6 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe TID: 3340 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe TID: 3404 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C84696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00C84696
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C8C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00C8C9C7
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C8C93C FindFirstFileW,FindClose, 0_2_00C8C93C
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C8F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C8F200
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C8F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00C8F35D
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C8F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00C8F65E
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C83A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C83A2B
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C83D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00C83D4E
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C8BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00C8BF27
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C24AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00C24AFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99873 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99093 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98984 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98543 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98429 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98093 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97984 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97647 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97420 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97091 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96984 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96874 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96765 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96546 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96430 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96312 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96203 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96093 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95984 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95875 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95761 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95656 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95547 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95437 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95328 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95218 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95109 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 95000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94890 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 94560 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: RegSvcs.exe, 00000002.00000002.2634689317.0000000000712000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: vmware
Source: RegSvcs.exe, 00000002.00000002.2634689317.0000000000712000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: VMwareVBox
Source: RegSvcs.exe, 00000002.00000002.2637339494.00000000059EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\charesworh.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\charesworh.exe API call chain: ExitProcess graph end node

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00C670B8 CheckRemoteDebuggerPresent, 2_2_00C670B8
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort Jump to behavior
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C941FD BlockInput, 0_2_00C941FD
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C23B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00C23B4C
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C55CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00C55CCC
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C9C304 LoadLibraryA,GetProcAddress, 0_2_00C9C304
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_01383540 mov eax, dword ptr fs:[00000030h] 0_2_01383540
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_013834E0 mov eax, dword ptr fs:[00000030h] 0_2_013834E0
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_01381ED0 mov eax, dword ptr fs:[00000030h] 0_2_01381ED0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C781F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00C781F7
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C4A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00C4A395
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C4A364 SetUnhandledExceptionFilter, 0_2_00C4A364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\charesworh.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\charesworh.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 598008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C78C93 LogonUserW, 0_2_00C78C93
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C23B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00C23B4C
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C24A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00C24A35
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C84EC9 mouse_event, 0_2_00C84EC9
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\charesworh.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\charesworh.exe" Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C781F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00C781F7
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C84C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00C84C03
Source: charesworh.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: charesworh.exe Binary or memory string: Shell_TrayWnd
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C4886B cpuid 0_2_00C4886B
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Queries volume information: C:\Users\user\AppData\Roaming\newfile\newfile.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Queries volume information: C:\Users\user\AppData\Roaming\newfile\newfile.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newfile\newfile.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C550D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00C550D7
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C62230 GetUserNameW, 0_2_00C62230
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C5418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00C5418A
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C24AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00C24AFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 2.2.RegSvcs.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.charesworh.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.charesworh.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2634689317.0000000000712000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2635779693.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2635779693.000000000288E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: charesworh.exe PID: 6080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5360, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: charesworh.exe Binary or memory string: WIN_81
Source: charesworh.exe Binary or memory string: WIN_XP
Source: charesworh.exe Binary or memory string: WIN_XPe
Source: charesworh.exe Binary or memory string: WIN_VISTA
Source: charesworh.exe Binary or memory string: WIN_7
Source: charesworh.exe Binary or memory string: WIN_8
Source: charesworh.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Yara detected Credential Stealer
Source: Yara match File source: 2.2.RegSvcs.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.charesworh.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.charesworh.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2634689317.0000000000712000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2635779693.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: charesworh.exe PID: 6080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5360, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 2.2.RegSvcs.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.charesworh.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.charesworh.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.2634689317.0000000000712000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2635779693.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1400012611.0000000001390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2635779693.000000000288E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: charesworh.exe PID: 6080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5360, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C96596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00C96596
Source: C:\Users\user\Desktop\charesworh.exe Code function: 0_2_00C96A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00C96A5A
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1428836 Sample: charesworh.exe Startdate: 19/04/2024 Architecture: WINDOWS Score: 100 25 mail.cash4cars.nz 2->25 27 ip-api.com 2->27 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 7 other signatures 2->47 7 charesworh.exe 4 2->7         started        10 newfile.exe 2 2->10         started        12 newfile.exe 1 2->12         started        signatures3 process4 signatures5 49 Binary is likely a compiled AutoIt script file 7->49 51 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 7->51 53 Writes to foreign memory regions 7->53 55 Maps a DLL or memory area into another process 7->55 14 RegSvcs.exe 16 4 7->14         started        19 conhost.exe 10->19         started        21 conhost.exe 12->21         started        process6 dnsIp7 29 mail.cash4cars.nz 114.142.162.17, 26 SERVERMULE-AS-APNimbus2PtyLtdAU Australia 14->29 31 ip-api.com 208.95.112.1, 49705, 80 TUT-ASUS United States 14->31 23 C:\Users\user\AppData\Roaming\...\newfile.exe, PE32 14->23 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->35 37 Tries to steal Mail credentials (via file / registry access) 14->37 39 4 other signatures 14->39 file8 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
208.95.112.1
 ip-api.com United States
53334 TUT-ASUS false
114.142.162.17
 mail.cash4cars.nz Australia
133525 SERVERMULE-AS-APNimbus2PtyLtdAU true

Contacted Domains

Name IP Active
mail.cash4cars.nz 114.142.162.17 true
ip-api.com 208.95.112.1 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://ip-api.com/line/?fields=hosting false
    		high