
Analysis Report SecuriteInfo.com.FileRepMalware.15492

Overview

General Information

Sample Name: SecuriteInfo.com.FileRepMalware.15492 (renamed file extension from 15492 to exe)
Analysis ID: 289583
MD5: 615dd990069d66c04da9a877277ebbee
SHA1: 3ec5dc0c634f31efcbf6e3e05965e50f02ce14d1
SHA256: 91cca65dd63f994875ccea2cdcc14894e6e7354552ec2481ca49d3d2d8f5dbbe

Detection

AgentTesla
Score: 84 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Allocates memory in foreign processes
Injects a PE file into a foreign process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • SecuriteInfo.com.FileRepMalware.exe (PID: 5752 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe' MD5: 615DD990069D66C04DA9A877277EBBEE)
    • RegAsm.exe (PID: 1300 cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • cleanup
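The process tree above shows the loader dropping a copy of RegAsm.exe into %TEMP% and launching it from there; the signatures flag a suspended-mode launch, foreign memory writes and a PE injected into that process. The example below is added here and is not code from the Joe Sandbox report or from the sample: Python detection logic run over constructed Sysmon-style process-creation records modelled on the Startup section (the explorer.exe parent for PID 5752 and the whole benign PID 4100 record are assumptions). It flags a .NET framework utility that runs from outside the framework directories or is spawned by a binary under a user-writable path.

```python
"""Flag .NET framework utilities (RegAsm.exe and friends) launched from outside
their framework directories, the pattern in this report's process tree."""
import ntpath

# On-disk homes of the .NET Framework utilities, lower-cased, trailing separator kept
# so that "framework\" does not also match "framework64\".
FRAMEWORK_DIRS = (
    "c:\\windows\\microsoft.net\\framework\\",
    "c:\\windows\\microsoft.net\\framework64\\",
)
# Framework binaries that .NET loaders commonly use as injection hosts; RegAsm.exe is the one seen here.
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# Path fragments that mean "a standard user could have written this file".
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

# Constructed process-creation records (Sysmon Event ID 1 style). The first two are
# modelled on the Startup section of this report; the explorer.exe parent for PID 5752
# and the whole PID 4100 record are assumptions added for contrast.
EVENTS = [
    {"pid": 5752, "image": "C:\\Users\\user\\Desktop\\SecuriteInfo.com.FileRepMalware.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"pid": 1300, "image": "C:\\Users\\user\\AppData\\Local\\Temp\\RegAsm.exe",
     "parent_image": "C:\\Users\\user\\Desktop\\SecuriteInfo.com.FileRepMalware.exe"},
    {"pid": 4100, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe",
     "parent_image": "C:\\Windows\\System32\\msiexec.exe"},
]


def is_framework_path(image):
    """True when the image lives in one of the legitimate framework directories."""
    return image.lower().startswith(FRAMEWORK_DIRS)


def is_user_writable(path):
    """True when the path contains a directory a standard user can write to."""
    low = path.lower()
    return any(fragment in low for fragment in USER_WRITABLE)


def classify(event):
    """Return the list of reasons an event is suspicious (empty for benign events)."""
    name = ntpath.basename(event["image"]).lower()
    reasons = []
    if name not in INJECTION_HOSTS:
        return reasons
    if not is_framework_path(event["image"]):
        reasons.append("dotnet_utility_outside_framework_dir")
    if is_user_writable(event["parent_image"]):
        reasons.append("dotnet_utility_spawned_from_user_writable_path")
    return reasons


def scan(events):
    """Run classify() over a batch and keep only the events that raised a reason."""
    alerts = []
    for event in events:
        reasons = classify(event)
        if reasons:
            alerts.append({"pid": event["pid"], "image": event["image"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert["pid"], alert["image"], ", ".join(alert["reasons"]))
```

Only PID 1300 is raised; the constructed RegAsm.exe run from the real framework directory under an installer is left alone, which is the false-positive case an installer-heavy fleet produces daily. The injection itself (suspended create, foreign memory write) is not visible in a process-creation record and needs thread-creation or memory-access telemetry on top.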

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.478938330.0000000003638000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000B.00000002.622189097.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.479048114.00000000036F8000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: SecuriteInfo.com.FileRepMalware.exe PID: 5752 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: RegAsm.exe PID: 1300 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Unpacked PEs

Source | Rule | Description | Author
11.2.RegAsm.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.FileRepMalware.exe | ReversingLabs: Detection: 16%
Source: 11.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_73493670 CryptQueryObject,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,CryptMsgGetParam,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,LocalAlloc,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,CryptMsgGetParam,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,1_2_73493670
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_73493470 lstrcmpA,CryptDecodeObject,CertFreeCertificateContext,LocalAlloc,CertFreeCertificateContext,CryptDecodeObject,CertFreeCertificateContext,CertFreeCertificateContext,1_2_73493470
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_73493499 lstrcmpA,CryptDecodeObject,CertFreeCertificateContext,1_2_73493499
Source: RegAsm.exe, 0000000B.00000002.623856879.0000000003091000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 0000000B.00000002.623856879.0000000003091000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: SecuriteInfo.com.FileRepMalware.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: SecuriteInfo.com.FileRepMalware.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.FileRepMalware.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.478898559.00000000035E0000.00000004.00000001.sdmp, i.dll.1.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.FileRepMalware.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SecuriteInfo.com.FileRepMalware.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.FileRepMalware.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: SecuriteInfo.com.FileRepMalware.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: SecuriteInfo.com.FileRepMalware.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: SecuriteInfo.com.FileRepMalware.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.FileRepMalware.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.FileRepMalware.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: RegAsm.exe, 0000000B.00000002.623856879.0000000003091000.00000004.00000001.sdmp | String found in binary or memory: http://nScPPY.com
Source: SecuriteInfo.com.FileRepMalware.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.FileRepMalware.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.FileRepMalware.exe | String found in binary or memory: http://ocsp.digicert.com0N
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.478898559.00000000035E0000.00000004.00000001.sdmp, i.dll.1.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.478898559.00000000035E0000.00000004.00000001.sdmp, i.dll.1.dr | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.478898559.00000000035E0000.00000004.00000001.sdmp, i.dll.1.dr | String found in binary or memory: http://s2.symcb.com0
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.478898559.00000000035E0000.00000004.00000001.sdmp, i.dll.1.dr | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.478898559.00000000035E0000.00000004.00000001.sdmp, i.dll.1.dr | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.478898559.00000000035E0000.00000004.00000001.sdmp, i.dll.1.dr | String found in binary or memory: http://sv.symcd.com0&
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.478898559.00000000035E0000.00000004.00000001.sdmp, i.dll.1.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.478898559.00000000035E0000.00000004.00000001.sdmp, i.dll.1.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.478898559.00000000035E0000.00000004.00000001.sdmp, i.dll.1.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.FileRepMalware.exe | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.478898559.00000000035E0000.00000004.00000001.sdmp, i.dll.1.dr | String found in binary or memory: http://www.symauth.com/cps0(
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.478898559.00000000035E0000.00000004.00000001.sdmp, i.dll.1.dr | String found in binary or memory: http://www.symauth.com/rpa00
Source: RegAsm.exe, 0000000B.00000002.623856879.0000000003091000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.478938330.0000000003638000.00000004.00000001.sdmp, RegAsm.exe, 0000000B.00000002.622189097.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1369161190:AAFaOKHXywV8wgjKT4LfQi17Z4bjAgVbXGg/
Source: RegAsm.exe, 0000000B.00000002.623856879.0000000003091000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot1369161190:AAFaOKHXywV8wgjKT4LfQi17Z4bjAgVbXGg/sendDocumentdocument-----
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.478898559.00000000035E0000.00000004.00000001.sdmp, i.dll.1.dr | String found in binary or memory: https://d.symcb.com/cps0%
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.478898559.00000000035E0000.00000004.00000001.sdmp, i.dll.1.dr | String found in binary or memory: https://d.symcb.com/rpa0
Source: SecuriteInfo.com.FileRepMalware.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.478938330.0000000003638000.00000004.00000001.sdmp, RegAsm.exe, 0000000B.00000002.622189097.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegAsm.exe, 0000000B.00000002.623856879.0000000003091000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
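Most URLs in the list above come from the Authenticode chain embedded in the PE and in the dropped i.dll (DigiCert, Symantec and Thawte CRL, OCSP, AIA and CPS endpoints, each dragging a byte or two of DER behind it); the operational indicators are the Telegram Bot API URL, the api.ipify.org lookup and the Tor bundle download. The example below is added here and is not code from the report or from the sample: a Python triage pass over a subset of those strings (copied verbatim from the list above) that strips the DER tails, separates certificate infrastructure from network indicators, and extracts the Telegram bot id while redacting the token for sharing.

```python
"""Triage 'String found in binary or memory' hits: separate certificate-chain URLs
(noise) from the network indicators an analyst actually has to act on."""
import re
from collections import Counter

# Constructed input: a subset of the strings reported for this sample, copied verbatim.
STRINGS = [
    "http://127.0.0.1:HTTP/1.1",
    "http://DynDns.comDynDNS",
    "http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0",
    "http://crl.thawte.com/ThawteTimestampingCA.crl0",
    "http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:",
    "http://crl4.digicert.com/sha2-assured-cs-g1.crl0L",
    "http://nScPPY.com",
    "http://ocsp.digicert.com0A",
    "http://s1.symcb.com/pca3-g5.crl0",
    "http://ts-ocsp.ws.symantec.com07",
    "http://www.symauth.com/rpa00",
    "https://api.ipify.orgGETMozilla/5.0",
    "https://api.telegram.org/bot1369161190:AAFaOKHXywV8wgjKT4LfQi17Z4bjAgVbXGg/sendDocumentdocument-----",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha",
]

# Public PKI services (CRL/OCSP/AIA/CPS). URLs on these hosts come from the Authenticode
# chain embedded in the PE and in i.dll, not from the malware's own logic.
PKI_DOMAINS = ("digicert.com", "thawte.com", "symcb.com", "symcd.com", "symantec.com", "symauth.com")
HOST_RE = re.compile(r"https?://([^/:\s]+)")
TELEGRAM_RE = re.compile(r"https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)")
# A URL lifted from a DER-encoded certificate drags one or two bytes of ASN.1
# structure behind it, which the dump prints as '0', '0:', '0A', '0(' and so on.
DER_TAIL_RE = re.compile(r"0[0-9A-Za-z:&%()]?$")


def host_of(s):
    """Host part of a URL-ish string, lower-cased ('' if there is no scheme)."""
    m = HOST_RE.match(s)
    return m.group(1).lower() if m else ""


def strip_der_tail(url):
    """Remove the trailing ASN.1 debris from a certificate-chain URL."""
    return DER_TAIL_RE.sub("", url)


def telegram_bot(s):
    """(bot_id, token) if the string is a Telegram Bot API URL, else None."""
    m = TELEGRAM_RE.search(s)
    return (m.group(1), m.group(2)) if m else None


def redact(token):
    """Keep a short prefix so the token stays correlatable without being usable."""
    return token[:4] + "[REDACTED]"


def classify_string(s):
    host = host_of(s)
    bot = telegram_bot(s)
    if bot:
        bot_id, token = bot
        return {"kind": "c2_telegram_bot",
                "indicator": f"https://api.telegram.org/bot{bot_id}:{redact(token)}/",
                "note": "exfiltration channel (sendDocument); the bot id is the stable pivot"}
    if host.startswith("127.") or host == "localhost":
        return {"kind": "loopback", "indicator": host, "note": "loopback placeholder, nothing to block"}
    if any(d in host for d in PKI_DOMAINS):
        return {"kind": "pki_infrastructure", "indicator": strip_der_tail(s),
                "note": "CRL/OCSP/AIA endpoint from the signing chain, not C2"}
    # Dump strings are often fused with their neighbours ('api.ipify.orgGETMozilla'),
    # so match the host as a prefix rather than exactly.
    if host.startswith("api.ipify.org"):
        return {"kind": "external_ip_lookup", "indicator": "api.ipify.org",
                "note": "victim public-IP discovery"}
    if "torproject.org" in s or host.endswith("theonionrouter.com"):
        return {"kind": "tor_download", "indicator": s,
                "note": "Tor bundle download URL; %tordir% suggests it is fetched at run time"}
    return {"kind": "unclassified", "indicator": s, "note": "review manually"}


def triage(strings):
    """Classify every string; the raw value is kept so nothing is lost in the report."""
    return [dict(classify_string(s), raw=s) for s in strings]


def summary(rows):
    """Counts per kind, e.g. to see at a glance how much of the list is PKI noise."""
    return dict(Counter(row["kind"] for row in rows))


if __name__ == "__main__":
    rows = triage(STRINGS)
    for row in rows:
        print(f"{row['kind']:<20} {row['indicator']}")
    print(summary(rows))
```

On this subset 8 of 14 strings are certificate infrastructure and would only produce noise if pushed to a blocklist; the bot id 1369161190 is the value worth pivoting on across other samples, since operators rotate tokens far more often than bots.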

System Summary:

.NET source code contains very large array initializations
Source: SecuriteInfo.com.FileRepMalware.exe, ??u003c30??u0021?u002c?96?u002f???7u007b?8u005d?4u007c????1u003a?/?u002d1??9?u0024??u007c4u00405??6?u007e??u0028.cs | Large array initialization: ?~?1*8???<5?3?>?&9???-2?%??4?0: array initializer size 152576
Source: 1.0.SecuriteInfo.com.FileRepMalware.exe.190000.0.unpack, ??u003c30??u0021?u002c?96?u002f???7u007b?8u005d?4u007c????1u003a?/?u002d1??9?u0024??u007c4u00405??6?u007e??u0028.cs | Large array initialization: ?~?1*8???<5?3?>?&9???-2?%??4?0: array initializer size 152576
Source: 1.2.SecuriteInfo.com.FileRepMalware.exe.190000.0.unpack, ??u003c30??u0021?u002c?96?u002f???7u007b?8u005d?4u007c????1u003a?/?u002d1??9?u0024??u007c4u00405??6?u007e??u0028.cs | Large array initialization: ?~?1*8???<5?3?>?&9???-2?%??4?0: array initializer size 152576
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_0239F3B0 CreateProcessAsUserW,1_2_0239F3B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_001988B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_00198CB5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_00198BA5
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_001965E2
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_0239FB93
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_0239A258
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_0239A257
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_00CA3DFE
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_014746A0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_014735A4
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_014745B0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_01475392
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_0147D2E1
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_01473598
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_06227538
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_062290F8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_06226920
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_06226C68
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\RegAsm.exe FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: String function: 02392D10 appears 60 times
Source: SecuriteInfo.com.FileRepMalware.exe | Static PE information: invalid certificate
Source: SecuriteInfo.com.FileRepMalware.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000003.466814644.0000000005F85000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRegAsm.exeT vs SecuriteInfo.com.FileRepMalware.exe
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.481067901.00000000734A9000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs SecuriteInfo.com.FileRepMalware.exe
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.474877580.0000000002715000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNRqmBuLJfyXDsszhLtaLtnycUVRUSA.exe4 vs SecuriteInfo.com.FileRepMalware.exe
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.473101649.00000000007CA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.FileRepMalware.exe
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.479734532.00000000049D6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefollow.dll. vs SecuriteInfo.com.FileRepMalware.exe
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.480427172.0000000005A70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.FileRepMalware.exe
Source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.480337751.00000000058F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamerunfileinmemoryLib.dllF vs SecuriteInfo.com.FileRepMalware.exe
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Section loaded: sfc.dll
Source: SecuriteInfo.com.FileRepMalware.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal84.troj.evad.winEXE@3/3@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.FileRepMalware.exe.log
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | File created: C:\Users\user\AppData\Local\Temp\b1f92ac9-345d-4ee6-83d6-512dab76f3b9
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.FileRepMalware.exe | ReversingLabs: Detection: 16%
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe 'C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe'
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.FileRepMalware.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.FileRepMalware.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: RegAsm.pdb source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000003.466814644.0000000005F85000.00000004.00000001.sdmp, RegAsm.exe, RegAsm.exe.1.dr
Source: Binary string: RegAsm.pdb4 source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000003.466814644.0000000005F85000.00000004.00000001.sdmp, RegAsm.exe, 0000000B.00000000.466026326.0000000000CA2000.00000002.00020000.sdmp, RegAsm.exe.1.dr
Source: Binary string: C:\Dropbox\Dev\ag.v66\Libraries\MSILJitter\bin\RELEASE\win32\AgileDotNetRT.pdb source: SecuriteInfo.com.FileRepMalware.exe, 00000001.00000002.481009579.00000000734A3000.00000002.00020000.sdmp, i.dll.1.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_7349A090 GetCurrentProcess,GetCurrentProcess,GetFileVersionInfoSizeW,GetProcessHeap,HeapAlloc,GetFileVersionInfoW,VerQueryValueA,LoadLibraryW,GetProcAddress,GetProcessHeap,HeapFree,1_2_7349A090
Source: i.dll.1.dr | Static PE information: section name: .didat
Source: i.dll.1.dr | Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_00192A1D push esp; rep ret 1_2_00192A6D
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_00192713 pushfd ; retf 1_2_00192717
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_001944C4 push ss; retf 002Ah 1_2_0019458A
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_001940F2 push cs; retf 1_2_001941D7
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_00CA4289 push es; retf 11_2_00CA4294
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_00CA4469 push cs; retf 11_2_00CA449E
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_00CA44A3 push es; retf 11_2_00CA44A4
Source: initial sample | Static PE information: section name: .text entropy: 7.45659781729
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | File created: C:\Users\user\AppData\Local\Temp\b1f92ac9-345d-4ee6-83d6-512dab76f3b9\i.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Process information set: NOOPENFILEERRORBOX (49 identical entries)
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | RDTSC instruction interceptor: First address: 0000000073491D36 second address: 0000000073492A87 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-10h], eax 0x00000005 mov dword ptr [ebp-0Ch], edx 0x00000008 mov eax, dword ptr [ebp-10h] 0x0000000b sub eax, dword ptr [ebp-08h] 0x0000000e mov edx, dword ptr [ebp-0Ch] 0x00000011 sbb edx, dword ptr [ebp-04h] 0x00000014 pop edi 0x00000015 pop esi 0x00000016 pop ebx 0x00000017 mov esp, ebp 0x00000019 pop ebp 0x0000001a ret 0x0000001b mov dword ptr [734A53C0h], eax 0x00000020 mov dword ptr [734A53C4h], edx 0x00000026 mov dword ptr [ebp-0Ch], 00000000h 0x0000002d jmp 00007FF190B94CABh 0x0000002f mov eax, dword ptr [ebp-0Ch] 0x00000032 cmp eax, dword ptr [ebp+08h] 0x00000035 jnl 00007FF190B94CE6h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_73492A40 rdtsc 1_2_73492A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Window / User API: threadDelayed 456
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Window / User API: threadDelayed 724
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe TID: 6012 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe TID: 1316 | Thread sleep count: 172 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe TID: 6336 | Thread sleep count: 75 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe TID: 6336 | Thread sleep count: 456 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe TID: 5944 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4608 | Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 1308 | Thread sleep count: 68 > 30
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 1308 | Thread sleep count: 724 > 30
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4608 | Thread sleep time: -59500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4608 | Thread sleep time: -58406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4608 | Thread sleep time: -56688s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4608 | Thread sleep time: -55594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4608 | Thread sleep time: -49594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4608 | Thread sleep time: -48688s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4608 | Thread sleep time: -48094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4608 | Thread sleep time: -47594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4608 | Thread sleep time: -43688s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4608 | Thread sleep time: -40594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4608 | Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_734A0CF3 VirtualQuery,GetSystemInfo,1_2_734A0CF3
Source: RegAsm.exe, 0000000B.00000002.627995947.00000000060C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 0000000B.00000002.627995947.00000000060C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe, 0000000B.00000002.627995947.00000000060C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 0000000B.00000002.627995947.00000000060C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_73492A40 rdtsc 1_2_73492A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_7349A090 GetCurrentProcess,GetCurrentProcess,GetFileVersionInfoSizeW,GetProcessHeap,HeapAlloc,GetFileVersionInfoW,VerQueryValueA,LoadLibraryW,GetProcAddress,GetProcessHeap,HeapFree,1_2_7349A090
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_73499310 GetProcessHeap,HeapFree,1_2_73499310
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 438000
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 43A000
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: F96008
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: RegAsm.exe, 0000000B.00000002.623655127.0000000001950000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000B.00000002.623655127.0000000001950000.00000002.00000001.sdmp | Binary or memory string: NProgram Manager
Source: RegAsm.exe, 0000000B.00000002.623655127.0000000001950000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: RegAsm.exe, 0000000B.00000002.623655127.0000000001950000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_7349B100 GetTempPathA,GetSystemTime,GetDateFormatA,GetTimeFormatA,CreateFileA,GetProcessHeap,HeapAlloc,InitializeCriticalSection,1_2_7349B100
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 11_2_06222654 GetUserNameW,11_2_06222654
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Code function: 1_2_734925C0 GetVersionExW,1_2_734925C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.FileRepMalware.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000001.00000002.478938330.0000000003638000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.622189097.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.479048114.00000000036F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.FileRepMalware.exe PID: 5752, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1300, type: MEMORY
Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000001.00000002.478938330.0000000003638000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.622189097.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.479048114.00000000036F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.FileRepMalware.exe PID: 5752, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 1300, type: MEMORY
Source: Yara match | File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts1 | Windows Management Instrumentation211 | Valid Accounts1 | Valid Accounts1 | Masquerading1 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API1 | DLL Side-Loading1 | Access Token Manipulation1 | Valid Accounts1 | LSASS Memory | Security Software Discovery231 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection312 | Virtualization/Sandbox Evasion13 | Security Account Manager | Virtualization/Sandbox Evasion13 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | DLL Side-Loading1 | Access Token Manipulation1 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Disable or Modify Tools1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection312 | Cached Domain Credentials | Account Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Deobfuscate/Decode Files or Information1 | DCSync | System Owner/User Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information3 | Proc Filesystem | System Information Discovery216 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing3 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | DLL Side-Loading1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

              Behavior Graph

              Screenshots
