Analysis Report PRODUCT LIST _IMG.exe

Overview

General Information

Sample Name: PRODUCT LIST _IMG.exe
Analysis ID: 289647
MD5: 9a28fb8644f6c9413772f5bb0d41e2f0
SHA1: bda74e1af9c7d634647fe4aacab9baf628f5a6bb
SHA256: bc7988fcd34bc5f8313b980f83197c4e9e41437097e8911e2744388ad026bd1a
Tags: exe

Most interesting Screenshot:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
.NET source code contains very large array initializations
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: PRODUCT LIST _IMG.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: PRODUCT LIST _IMG.exe Virustotal: Detection: 33%
Source: PRODUCT LIST _IMG.exe ReversingLabs: Detection: 22%
Machine Learning detection for sample
Source: PRODUCT LIST _IMG.exe Joe Sandbox ML: detected
Source: RegAsm.exe, 0000000B.00000002.638876591.0000000002381000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 0000000B.00000002.638876591.0000000002381000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 0000000B.00000002.638876591.0000000002381000.00000004.00000001.sdmp String found in binary or memory: http://VNgxdn.com
Source: i.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: PRODUCT LIST _IMG.exe, 00000000.00000003.428873431.00000000061B9000.00000004.00000001.sdmp, PRODUCT LIST _IMG.exe, 00000000.00000003.428941437.00000000061B9000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c
Source: i.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: i.dll.0.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: i.dll.0.dr String found in binary or memory: http://s2.symcb.com0
Source: i.dll.0.dr String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: i.dll.0.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: i.dll.0.dr String found in binary or memory: http://sv.symcd.com0&
Source: i.dll.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: i.dll.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: i.dll.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: i.dll.0.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: i.dll.0.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: RegAsm.exe, 0000000B.00000002.638876591.0000000002381000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: PRODUCT LIST _IMG.exe, 00000000.00000003.509049844.00000000062EB000.00000004.00000001.sdmp String found in binary or memory: https://api.telegra
Source: RegAsm.exe, 0000000B.00000002.637339151.0000000000182000.00000040.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot1322270726:AAE8ex2tDrvB9GA6y4VV0psQLtRL4yhRDdo/
Source: RegAsm.exe, 0000000B.00000002.638876591.0000000002381000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot1322270726:AAE8ex2tDrvB9GA6y4VV0psQLtRL4yhRDdo/sendDocumentdocument-----
Source: i.dll.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: i.dll.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: PRODUCT LIST _IMG.exe, 00000000.00000003.509049844.00000000062EB000.00000004.00000001.sdmp, RegAsm.exe, 0000000B.00000002.637339151.0000000000182000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegAsm.exe, 0000000B.00000002.638876591.0000000002381000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

.NET source code contains very large array initializations
Source: PRODUCT LIST _IMG.exe, ??2u0028?4u003d???7u0040u007b3????/u0034??u002b?8u007c?u003c??57u005b???2?u002d6?u0040??.cs Large array initialization: ?,?70?=??:?5~?6: array initializer size 152576
Source: 0.0.PRODUCT LIST _IMG.exe.460000.0.unpack, ??2u0028?4u003d???7u0040u007b3????/u0034??u002b?8u007c?u003c??57u005b???2?u002d6?u0040??.cs Large array initialization: ?,?70?=??:?5~?6: array initializer size 152576
Source: 0.2.PRODUCT LIST _IMG.exe.460000.0.unpack, ??2u0028?4u003d???7u0040u007b3????/u0034??u002b?8u007c?u003c??57u005b???2?u002d6?u0040??.cs Large array initialization: ?,?70?=??:?5~?6: array initializer size 152576
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PRODUCT LIST _IMG.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Code function: 0_2_00466262 0_2_00466262
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Code function: 0_2_00468825 0_2_00468825
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Code function: 0_2_00468535 0_2_00468535
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Code function: 0_2_00468935 0_2_00468935
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 11_2_000A3DFE 11_2_000A3DFE
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 11_2_022246E0 11_2_022246E0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 11_2_022235EC 11_2_022235EC
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 11_2_022245EF 11_2_022245EF
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 11_2_022253D0 11_2_022253D0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 11_2_0222D1A0 11_2_0222D1A0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 11_2_05B32EC0 11_2_05B32EC0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 11_2_05B30B78 11_2_05B30B78
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 11_2_05B30040 11_2_05B30040
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 11_2_05B3BBF8 11_2_05B3BBF8
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\RegAsm.exe FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
Sample file is different than original file name gathered from version info
Source: PRODUCT LIST _IMG.exe, 00000000.00000003.509049844.00000000062EB000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamexaHKChGrfothPYhKLzQJlrwrpNjDFQhLzXzRsq.exe4 vs PRODUCT LIST _IMG.exe
Source: PRODUCT LIST _IMG.exe, 00000000.00000003.506287450.00000000064F5000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRegAsm.exeT vs PRODUCT LIST _IMG.exe
Tries to load missing DLLs
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Section loaded: sfc.dll
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/3@0/0
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PRODUCT LIST _IMG.exe.log
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe File created: C:\Users\user\AppData\Local\Temp\b1f92ac9-345d-4ee6-83d6-512dab76f3b9
Source: PRODUCT LIST _IMG.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe 'C:\Users\user\Desktop\PRODUCT LIST _IMG.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PRODUCT LIST _IMG.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PRODUCT LIST _IMG.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: RegAsm.pdb source: PRODUCT LIST _IMG.exe, 00000000.00000003.506287450.00000000064F5000.00000004.00000001.sdmp, RegAsm.exe, RegAsm.exe.0.dr
Source: Binary string: RegAsm.pdb4 source: PRODUCT LIST _IMG.exe, 00000000.00000003.506287450.00000000064F5000.00000004.00000001.sdmp, RegAsm.exe, 0000000B.00000000.505091197.00000000000A2000.00000002.00020000.sdmp, RegAsm.exe.0.dr
Source: Binary string: C:\Dropbox\Dev\ag.v66\Libraries\MSILJitter\bin\RELEASE\win32\AgileDotNetRT.pdb source: i.dll.0.dr

Data Obfuscation:

PE file contains sections with non-standard names
Source: i.dll.0.dr Static PE information: section name: .didat
Source: i.dll.0.dr Static PE information: section name: .00cfg
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Code function: 0_2_00464144 push ss; retf 002Ah 0_2_0046420A
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Code function: 0_2_00463D72 push cs; retf 0_2_00463E57
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Code function: 0_2_00462393 pushfd ; retf 0_2_00462397
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Code function: 0_2_0046269D push esp; rep ret 0_2_004626ED
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 11_2_000A4289 push es; retf 11_2_000A4294
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 11_2_000A4469 push cs; retf 11_2_000A449E
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 11_2_000A44A3 push es; retf 11_2_000A44A4
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 11_2_05B37B26 push esp; iretd 11_2_05B37B25
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 11_2_05B37B19 push esp; iretd 11_2_05B37B25
Source: initial sample Static PE information: section name: .text entropy: 7.38245937622

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe File created: C:\Users\user\AppData\Local\Temp\b1f92ac9-345d-4ee6-83d6-512dab76f3b9\i.dll
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe RDTSC instruction interceptor: First address: 0000000073491D36 second address: 0000000073492A87 instructions:
    0x00000000 rdtsc
    0x00000002 mov dword ptr [ebp-10h], eax
    0x00000005 mov dword ptr [ebp-0Ch], edx
    0x00000008 mov eax, dword ptr [ebp-10h]
    0x0000000b sub eax, dword ptr [ebp-08h]
    0x0000000e mov edx, dword ptr [ebp-0Ch]
    0x00000011 sbb edx, dword ptr [ebp-04h]
    0x00000014 pop edi
    0x00000015 pop esi
    0x00000016 pop ebx
    0x00000017 mov esp, ebp
    0x00000019 pop ebp
    0x0000001a ret
    0x0000001b mov dword ptr [734A53C0h], eax
    0x00000020 mov dword ptr [734A53C4h], edx
    0x00000026 mov dword ptr [ebp-0Ch], 00000000h
    0x0000002d jmp 00007FC270D882EBh
    0x0000002f mov eax, dword ptr [ebp-0Ch]
    0x00000032 cmp eax, dword ptr [ebp+08h]
    0x00000035 jnl 00007FC270D88326h
    0x00000037 rdtsc
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Window / User API: threadDelayed 428
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe TID: 4824 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe TID: 4996 Thread sleep count: 189 > 30
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe TID: 6900 Thread sleep count: 129 > 30
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe TID: 6900 Thread sleep count: 428 > 30
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe TID: 4768 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4308 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 6976 Thread sleep count: 226 > 30
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 6976 Thread sleep count: 61 > 30
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4308 Thread sleep time: -58186s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4308 Thread sleep time: -52874s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4308 Thread sleep time: -52686s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4308 Thread sleep time: -51186s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4308 Thread sleep time: -50686s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4308 Thread sleep time: -49186s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4308 Thread sleep time: -47686s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4308 Thread sleep time: -47186s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4308 Thread sleep time: -45686s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4308 Thread sleep time: -44186s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4308 Thread sleep time: -43686s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4308 Thread sleep time: -34874s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4308 Thread sleep time: -34686s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4308 Thread sleep time: -31186s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe TID: 4308 Thread sleep time: -30000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Last function: Thread delayed
Source: RegAsm.exe, 0000000B.00000002.642185850.0000000005530000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 0000000B.00000002.642185850.0000000005530000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe, 0000000B.00000002.642185850.0000000005530000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 0000000B.00000002.642185850.0000000005530000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 180000 protect: page execute and read and write
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: RegAsm.exe, 0000000B.00000002.638601902.0000000000CD0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000B.00000002.638601902.0000000000CD0000.00000002.00000001.sdmp Binary or memory string: NProgram Manager
Source: RegAsm.exe, 0000000B.00000002.638601902.0000000000CD0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 0000000B.00000002.638601902.0000000000CD0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Queries volume information: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe VolumeInformation
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll VolumeInformation
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PRODUCT LIST _IMG.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000000.00000003.512025324.0000000006995000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.511720075.0000000006994000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.637339151.0000000000182000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.513888831.0000000006995000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.511687221.0000000006994000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.639005721.0000000002402000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.512281428.0000000006995000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.510897867.000000000698C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506497242.00000000062DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PRODUCT LIST _IMG.exe PID: 6480, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3128, type: MEMORY
Source: Yara match File source: 11.2.RegAsm.exe.180000.1.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3128, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000000.00000003.512025324.0000000006995000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.511720075.0000000006994000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.637339151.0000000000182000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.513888831.0000000006995000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.511687221.0000000006994000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.639005721.0000000002402000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.512281428.0000000006995000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.510897867.000000000698C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.506497242.00000000062DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PRODUCT LIST _IMG.exe PID: 6480, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3128, type: MEMORY
Source: Yara match File source: 11.2.RegAsm.exe.180000.1.unpack, type: UNPACKEDPE