Analysis Report order pdf.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 221740
Start date: 10.04.2020
Start time: 10:47:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 7s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: order pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@13/10@1/1
EGA Information:
  • Successful, ratio: 60%
HDC Information: Failed
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • TCP Packets have been reduced to 100
  • Excluded IPs from analysis (whitelisted): 2.18.68.82, 67.26.83.254, 67.26.139.254, 8.248.117.254, 67.27.157.254, 8.248.121.254
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, audownload.windowsupdate.nsatc.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | | false | AgentTesla | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification Spiderchart

Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

(Numbers in parentheses are the signature counts attached to each technique in the original matrix; an empty cell means no technique was listed in that column for that row.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (111) | Startup Items (1) | Startup Items (1) | Software Packing (1) | Credential Dumping (2) | Security Software Discovery (111) | Application Deployment Software | Data from Local System (2) | Data Encrypted (11) | Uncommonly Used Port (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Scripting (11) | Registry Run Keys / Startup Folder (21) | Process Injection (112) | Disabling Security Tools (11) | Input Capture (11) | File and Directory Discovery (1) | Remote Services | Email Collection (1) | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Windows Management Instrumentation | Hidden Files and Directories (1) | Path Interception | Deobfuscate/Decode Files or Information (1) | Credentials in Registry (1) | System Information Discovery (114) | Windows Remote Management | Input Capture (11) | Automated Exfiltration | Standard Non-Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Scripting (11) | Credentials in Files | Virtualization/Sandbox Evasion (3) | Logon Scripts | Clipboard Data (1) | Data Encrypted | Standard Application Layer Protocol (11) | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information (1) | Account Manipulation | Process Discovery (2) | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Masquerading (1) | Brute Force | Remote System Discovery (1) | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Hidden Files and Directories (1) | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Virtualization/Sandbox Evasion (3) | Bash History | Network Service Scanning | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection (112) | Input Prompt | System Network Connections Discovery | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction
Trusted Relationship | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | DLL Side-Loading (1) | Keychain | Process Discovery | Taint Shared Content | Audio Capture | Commonly Used Port | Connection Proxy | | | Data Encrypted for Impact

Signature Overview


AV Detection:

Found malware configuration
Source: RegAsm.exe.1624.4.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "=0A0qxyaAR", "URL: ": "http://OysMCylj1pBryKTY7.org", "To: ": "nwekeboxs@fiscalitate.eu", "ByHost: ": "mail.fiscalitate.eu:587", "Password: ": "=0A5lnyIHiWBl6W", "From: ": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\ActionQueue\wksprt.exe | Virustotal: Detection: 46%
Source: C:\Users\user\ActionQueue\wksprt.exe | Metadefender: Detection: 22%
Source: C:\Users\user\ActionQueue\wksprt.exe | ReversingLabs: Detection: 55%
Multi AV Scanner detection for submitted file
Source: order pdf.exe | Virustotal: Detection: 46%
Source: order pdf.exe | Metadefender: Detection: 22%
Source: order pdf.exe | ReversingLabs: Detection: 55%
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.5:49751 -> 176.223.209.5:587
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Uses SMTP (mail sending)
Source: global traffic | TCP traffic: 192.168.2.5:49751 -> 176.223.209.5:587
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: mail.fiscalitate.eu
Urls found in memory or binary data
Source: RegAsm.exe, 00000004.00000002.1216569781.0000000002DBB000.00000004.00000001.sdmp | String found in binary or memory: http://OysMCylj1pBryKTY7.org
Source: RegAsm.exe, 00000004.00000002.1213763996.0000000000AB0000.00000004.00000020.sdmp | String found in binary or memory: http://OysMCylj1pBryKTY7.org413111d3B88A00104B2A6676
Source: RegAsm.exe, 00000004.00000002.1216569781.0000000002DBB000.00000004.00000001.sdmp | String found in binary or memory: http://OysMCylj1pBryKTY7.orgtO
Source: RegAsm.exe, 00000004.00000002.1216569781.0000000002DBB000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RegAsm.exe, 00000004.00000002.1216569781.0000000002DBB000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: RegAsm.exe, 00000004.00000002.1216569781.0000000002DBB000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: RegAsm.exe, 00000004.00000002.1216569781.0000000002DBB000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RegAsm.exe, 00000004.00000002.1216569781.0000000002DBB000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegAsm.exe, 00000004.00000002.1216569781.0000000002DBB000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: RegAsm.exe, 00000004.00000002.1216569781.0000000002DBB000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary:

Binary is likely a compiled AutoIt script file
Source: order pdf.exe, 00000000.00000000.794439154.000000000092F000.00000002.00020000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: order pdf.exe, 00000000.00000000.794439154.000000000092F000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"
Source: wksprt.exe, 00000005.00000000.899243190.000000000089F000.00000002.00020000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: wksprt.exe, 00000005.00000000.899243190.000000000089F000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"
Source: order pdf.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: order pdf.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer"
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: order pdf.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\order pdf.exe | Process Stats: CPU usage > 98%
Detected potential crypto function
Dropped file seen in connection with other malware
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\UoOfbM\UoOfbM.exe 44F129DE312409D8A2DF55F655695E1D48D0DB6F20C5C7803EB0032D8E6B53D0
PE file contains strange resources
Source: order pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (6 identical entries)
Source: wksprt.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (6 identical entries)
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: security.dll
Yara signature match
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ActionQueue.url, type: DROPPED | Matched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
.NET source code contains calls to encryption/decryption functions
Source: 4.2.RegAsm.exe.400000.0.unpack, xld.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.RegAsm.exe.400000.0.unpack, xld.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Classification label
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@13/10@1/1
Creates files inside the user directory
Source: C:\Users\user\Desktop\order pdf.exe | File created: C:\Users\user\ActionQueue
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1768:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2300:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4776:120:WilError_01
Creates temporary files
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\UoOfbM
Executes visual basic scripts
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\ActionQueue\ActionQueue.vbs'
PE file has an executable .text section and no other executable section
Source: order pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\UoOfbM\UoOfbM.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\UoOfbM\UoOfbM.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\UoOfbM\UoOfbM.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp (2 identical entries)
Queries process information (via WMI, Win32_Process)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 identical entries)
Reads ini files
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\order pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
Sample is known by Antivirus
Source: order pdf.exe | Virustotal: Detection: 46%
Source: order pdf.exe | Metadefender: Detection: 22%
Source: order pdf.exe | ReversingLabs: Detection: 55%
Sample reads its own file content
Source: C:\Users\user\Desktop\order pdf.exe | File read: C:\Users\user\Desktop\order pdf.exe
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\order pdf.exe 'C:\Users\user\Desktop\order pdf.exe'
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\ActionQueue\ActionQueue.vbs'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: unknown | Process created: C:\Users\user\ActionQueue\wksprt.exe 'C:\Users\user\ActionQueue\wksprt.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\UoOfbM\UoOfbM.exe 'C:\Users\user\AppData\Local\Temp\UoOfbM\UoOfbM.exe' (2 identical entries)
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 (3 identical entries)
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\Desktop\order pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\ActionQueue\wksprt.exe 'C:\Users\user\ActionQueue\wksprt.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Uses Microsoft Silverlight
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Submission file is bigger than most known malware samples
Source: order pdf.exe | Static file information: File size 1796608 > 1048576
Uses new MSVCR Dlls
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
PE file contains a mix of data directories often seen in goodware
Source: order pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: order pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: order pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: order pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: order pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: order pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
PE file contains a debug data directory
Source: order pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: RegAsm.pdb source: UoOfbM.exe, UoOfbM.exe.4.dr
Source: Binary string: mscorrc.pdb source: RegAsm.exe, 00000004.00000002.1219290186.0000000005E20000.00000002.00000001.sdmp
PE file contains a valid data directory to section mapping
Source: order pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: order pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: order pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: order pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: order pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_057F1F99 push 7340C310h; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_05948B29 push esp; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_05EE0B12 push es; ret

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\order pdf.exe | File created: C:\Users\user\ActionQueue\wksprt.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\UoOfbM\UoOfbM.exe

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\order pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ActionQueue.url
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\order pdf.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ActionQueue.url
Creates an autostart registry key
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run UoOfbM (2 identical entries)

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Temp\UoOfbM\UoOfbM.exe:Zone.Identifier read attributes | delete
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Users\user\Desktop\order pdf.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (63 identical entries)
Source: C:\Users\user\ActionQueue\wksprt.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Users\user\AppData\Local\Temp\UoOfbM\UoOfbM.exe | Process information set: NOOPENFILEERRORBOX (26 identical entries)
Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\UoOfbM\UoOfbM.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 4884 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 3212 | Thread sleep count: 58 > 30
Source: C:\Users\user\AppData\Local\Temp\UoOfbM\UoOfbM.exe TID: 2680 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\UoOfbM\UoOfbM.exe TID: 3040 | Thread sleep time: -922337203685477s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 identical entries)
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Last function: Thread delayed (2 identical entries)
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: RegAsm.exe, 00000004.00000002.1218422563.0000000005410000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 00000004.00000002.1214676156.0000000000CF6000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000004.00000002.1218422563.0000000005410000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe, 00000004.00000002.1218422563.0000000005410000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000004.00000002.1214676156.0000000000CF6000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegAsm.exe, 00000004.00000002.1218422563.0000000005410000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Code function: 4_2_05946DD8 LdrInitializeThunk,
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\order pdf.exe | Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe protection: execute and read and write
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\order pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\ActionQueue\wksprt.exe 'C:\Users\user\ActionQueue\wksprt.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
May try to detect the Windows Explorer process (often used for injection)
Source: order pdf.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation (2 identical entries)
Source: C:\Windows\SysWOW64\netsh.exe | Queries volume information: C:\ VolumeInformation (2 identical entries)
Queries the cryptographic machine GUID
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Uses netsh to modify the Windows network and firewall settings
Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000004.00000002.1213463344.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1216569781.0000000002DBB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1624, type: MEMORY
Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara detected Credential Stealer
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1624, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000004.00000002.1213463344.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1216569781.0000000002DBB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1624, type: MEMORY
Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

Malware Configuration

Threatname: Agenttesla

{"Username: ": "=0A0qxyaAR", "URL: ": "http://OysMCylj1pBryKTY7.org", "To: ": "nwekeboxs@fiscalitate.eu", "ByHost: ": "mail.fiscalitate.eu:587", "Password: ": "=0A5lnyIHiWBl6W", "From: ": ""}

Behavior Graph

Behavior Graph ID: 221740 | Sample: order pdf.exe | Start date: 10/04/2020 | Architecture: WINDOWS | Score: 100

Signatures on the submitted sample:
  • Found malware configuration
  • Multi AV Scanner detection for submitted file
  • Sigma detected: RegAsm connects to smtp port
  • 5 other signatures

Process tree recovered from the graph:
  • order pdf.exe (started from the sample)
    • dropped: C:\Users\user\ActionQueue\wksprt.exe (PE32)
    • dropped: C:\Users\user\AppData\...\ActionQueue.url (MS)
    • signature: Maps a DLL or memory area into another process
    • started: RegAsm.exe
      • DNS/IP: fiscalitate.eu 176.223.209.5, ports 49751, 49752, 49753, ASN unknown, United Kingdom
      • DNS/IP: mail.fiscalitate.eu
      • dropped: C:\Users\user\AppData\Local\...\UoOfbM.exe (PE32)
      • signature: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
      • signature: Tries to steal Mail credentials (via file access)
      • signature: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
      • 4 other signatures
      • started: netsh.exe
        • started: conhost.exe
  • wscript.exe (started from the sample)
    • started: wksprt.exe
      • signature: Multi AV Scanner detection for dropped file
  • UoOfbM.exe (started from the sample)
    • started: conhost.exe
  • UoOfbM.exe (started from the sample)
    • started: conhost.exe

Simulations

Behavior and APIs

Time | Type | Description
10:47:43 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ActionQueue.url
10:48:22 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run UoOfbM C:\Users\user\AppData\Local\Temp\UoOfbM\UoOfbM.exe
10:48:31 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run UoOfbM C:\Users\user\AppData\Local\Temp\UoOfbM\UoOfbM.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
order pdf.exe | 46% | Virustotal
order pdf.exe | 22% | Metadefender
order pdf.exe | 55% | ReversingLabs | Win32.Trojan.Injector

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\ActionQueue\wksprt.exe | 46% | Virustotal
C:\Users\user\ActionQueue\wksprt.exe | 22% | Metadefender
C:\Users\user\ActionQueue\wksprt.exe | 55% | ReversingLabs | Win32.Trojan.Injector
C:\Users\user\AppData\Local\Temp\UoOfbM\UoOfbM.exe | 1% | Virustotal
C:\Users\user\AppData\Local\Temp\UoOfbM\UoOfbM.exe | 0% | Metadefender

Unpacked PE Files

Source | Detection | Scanner | Label
4.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

Domains

Source | Detection | Scanner | Label
fiscalitate.eu | 0% | Virustotal

URLs

Source | Detection | Scanner | Label
http://OysMCylj1pBryKTY7.org | 0% | Avira URL Cloud | safe
http://OysMCylj1pBryKTY7.orgtO | 0% | Avira URL Cloud | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
http://ocsp.int-x3.letsencrypt.org0/ | 0% | URL Reputation | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe
http://OysMCylj1pBryKTY7.org413111d3B88A00104B2A6676 | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ActionQueue.url | Methodology_Suspicious_Shortcut_Local_URL | Detects local script usage for .URL persistence | @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
  • 0x13:$file: URL=file:///
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.1213463344.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.1216569781.0000000002DBB000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: RegAsm.exe PID: 1624 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: RegAsm.exe PID: 1624 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.RegAsm.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\order pdf.exe, ProcessId: 4016, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ActionQueue.url
Sigma detected: RegAsm connects to smtp port
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 176.223.209.5, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, Initiated: true, ProcessId: 1624, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49751

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
Match: unknown
  • 444444.exe | malicious | 127.0.0.1
  • http://193.218.118.140 | malicious | 193.218.118.140
  • https://support.zuriwebs.com/extend/914297382.zip | malicious | 92.118.24.60
  • https://annmariegasbarre.com/wp-content/uploads/2020/04/extend/328797815/328797815.zip | malicious | 52.114.132.12
  • http://rishtiindia.com/wp-content/uploads/2020/04/extend/0486042/0486042.zip | malicious | 52.114.77.34
  • https://angel918.com/extend/30658781/30658781.zip | malicious | 92.118.24.60
  • MyJio_android_25feb2020.apk | malicious | 173.194.76.188
  • #Ud574#Ud0b9 #Ube44#Ud2b8#Ucf54#Uc778.xlsm | malicious | 198.12.66.107
  • http://pelokazi-spiritualcoach.co.za | malicious | 43.225.52.117
  • https://alamosaco.buzz/l/kl/0nfile/0nfile/oneddrive/login-option.php?cmd=login_submit&id=b05101270e4d86f40c173c689e509cf1b05101270e4d86f40c173c689e509cf1&session=b05101270e4d86f40c173c689e509cf1b05101270e4d86f40c173c689e509cf1 | malicious | 104.16.132.229
  • http://brianfishermrks.com/Aerospace | malicious | 107.180.1.11
  • http://u5863809.ct.sendgrid.net/ls/click?upn=wDDBrMehaMBe8DJWG3V-2BBrvSPTwDIZHdvE6VNU1Ve-2FhOdxM2dlrtNyAWjQgSRz5PchJLSPMA786rR2PJz3W-2BKA-3D-3DbSBm_qOdW-2F2nFZnnvQgWX2YkWwuMO1b26Jj37F9sO7sAemjaNPqOWCdnrIC9NzTUEvlzDLHE6v4Rh0xNqwBwCfWgqhWvULB3CqUb7UZ0-2Ft4ZJ6tow6Nfc28m90ZSNYEUGHYVS28yz-2F-2BrAzWrgoQmKaN0Zu3rNsWofvwQ76IFUeXBlqRADjyn-2F0UsV-2FpNuAezZ-2FBDpmakuv-2F-2Bl7sAHe6ncaDDN9e7DoYnIhRqBlU6GOfHKUSFXoVhx9NLwwlcsyUCqh2mn | malicious | 167.89.118.35
  • https://app.the100hd.com.br/wp-admin/per | malicious | 104.27.147.246
  • http://vlcplugin.com/vlc813?dl=1 | malicious | 99.86.163.195
  • https://clck.ru/MsKX5 | malicious | 94.152.157.68
  • https://u15538628.ct.sendgrid.net/ls/click?upn=tQCliXorQxhmXk-2BACkzOURSSzmQZFoW2d7grkVLbOCW-2BvVg9ABT0EvKFOD-2BI1s-2FoG6A2rdzFuFvWyvSzj0wDaDk78H3CguurALPIuwBLhz1Pg5RDkEXWsQOy7DWXzdjtmX4__PjCeEjNOcquy5sRoCMEOzdl65JIZNmhI8-2FhG3ztZj1RLopV8ykmNkSmj0kGHgqKoP8HAzd2Jpct9Gz3qHwM-2Bvs2aIeNA1jaK2kRDIcvEQXmbwzC3BEbf0GbinRyhmgbrBJDBGlqo5heq3-2BbE-2BPNkuz7RFS6Lh45HomQCluuARo-2ByEBo3z8-2BgWZ-2FCSOXmXA81A6527ilZIJMznG7MoewxetnWM5mAyIg-2BG1odlKOpL9hOXJJPPSSjZLOVRU1n-2F5wn | malicious | 104.16.133.229
  • https://u15538628.ct.sendgrid.net/ls/click?upn=tQCliXorQxhmXk-2BACkzOURSSzmQZFoW2d7grkVLbOCW-2BvVg9ABT0EvKFOD-2BI1s-2FoX2l6cb1wJUDR-2B5Ao3F3W7hIghXXI-2BYRUAAXyYK8aIKpJyvRcnNq6-2BPOU6pFfG9t5NBdj_-2Bq0lRGGLx-2FdU6Wr43ea3-2BbeBbao6u9fdP0oQxB7ArFVHSqwCp9uY8-2FTfUfm1Eajdbyj2majsZ5wJ9GMz6T2dTEEWZX2E6c-2FNqos8HXGKr7UrNAbvlhPAfPhzqQEh2TD0wXokgME2cCan3EeIxfqdF5qTBzp-2FGV9m7PxOP5R2MnIq-2BcvtL8-2Fo2BOARlQEUNAJyI7q8TXha4zcCkcK-2BHLKAr8j92QPBxrqnewg9L4dl2okuEdLUuTXLVwprGrVHgkd | malicious | 104.16.133.229
  • https://bolivia-infos.com/Redirectingnow/redirect1 | malicious | 162.219.248.137
  • Taxfiles.doc | malicious | 78.142.18.29
  • https://www.surveygizmo.com/s3/5543930/CCHECK-009478 | malicious | 152.199.23.37

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | Detection | Context
Match: C:\Users\user\AppData\Local\Temp\UoOfbM\UoOfbM.exe
  • RENew Orders and sales contract 2020001.exe | malicious
  • 0987654324.exe | malicious
  • request.exe | malicious
  • UNWILLABLESTA.exe | malicious
  • order pdf.exe | malicious
  • https://www.dropbox.com/s/4yh0zci0kay8ilk/TT%20%20Receipt%20DC.tbz2?dl=1 | malicious
  • Final Order.exe | malicious
  • PURCHASE09812.exe | malicious
  • https://onedrive.live.com/download?cid=61A3EAC2BCA27FDA&resid=61A3EAC2BCA27FDA%21233&authkey=AKpvzN9GJTSfJNo | malicious
  • 2020_226_827636644.exe | malicious
  • https://onedrive.live.com/download?cid=54EB1006C6C9FFF0&resid=54EB1006C6C9FFF0%21272&authkey=ADHeIrrdde6OXNE | malicious
  • Tuition_Payment-TT.exe | malicious
  • EDUCATION DOCUMENTS.exe | malicious
  • Tuition Fee-TT #2020027.exe | malicious
  • Tuition Fee-TT #2020027.exe | malicious
  • sample.exe | malicious
  • New Appication_2020-92383746.exe | malicious
  • PI2020IV7739.exe | malicious
  • PROFORMA INVOICE_EXPO66120_SCAN DOC_pdf.exe | malicious
  • Order Specification Sheet 4576534.exe | malicious

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.