Loading ...

Play interactive tourEdit tour

Analysis Report Pagamento.exe

Overview

General Information

Sample Name:Pagamento.exe
Analysis ID:321143
MD5:b8197d8952605ea1ed36ea874152a251
SHA1:39a6ba55c24c9962174acb056d12b5cfa9eff646
SHA256:c40b22f18e596d932438b11f44d1f78c3c217a5d96a31b884a72ff83994df03b
Tags:AgentTesla

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Sigma detected: RegAsm connects to smtp port
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • Pagamento.exe (PID: 6380 cmdline: 'C:\Users\user\Desktop\Pagamento.exe' MD5: B8197D8952605EA1ED36EA874152A251)
    • RegAsm.exe (PID: 4652 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 4680 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "n5HeQHK5F6L", "URL: ": "http://t3WjFakexhm5e07NJ.net", "To: ": "info.greatdeck@greatdeck.co", "ByHost: ": "mail.greatdeck.co:587", "Password: ": "Yzeo2nGT", "From: ": "info.greatdeck@greatdeck.co"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.340132480.00000000058A2000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000000.00000002.338315730.0000000004EE0000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000002.00000002.591883662.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000000.00000002.340576792.0000000006A49000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 3 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            2.2.RegAsm.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              0.2.Pagamento.exe.58a0000.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security

                Sigma Overview

                System Summary:

                barindex
                Sigma detected: RegAsm connects to smtp portShow sources
                Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 162.222.226.70, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 4680, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49751

                Signature Overview

                Click to jump to signature section

                Show All Signature Results

                AV Detection:

                barindex
                Found malware configurationShow sources
                Source: RegAsm.exe.4680.2.memstrMalware Configuration Extractor: Agenttesla {"Username: ": "n5HeQHK5F6L", "URL: ": "http://t3WjFakexhm5e07NJ.net", "To: ": "info.greatdeck@greatdeck.co", "ByHost: ": "mail.greatdeck.co:587", "Password: ": "Yzeo2nGT", "From: ": "info.greatdeck@greatdeck.co"}
                Machine Learning detection for sampleShow sources
                Source: Pagamento.exeJoe Sandbox ML: detected
                Source: 2.2.RegAsm.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8

                Networking:

                barindex
                Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:49751 -> 162.222.226.70:587
                Source: global trafficTCP traffic: 192.168.2.6:49751 -> 162.222.226.70:587
                Source: Joe Sandbox ViewIP Address: 162.222.226.70 162.222.226.70
                Source: Joe Sandbox ViewASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS
                Source: global trafficTCP traffic: 192.168.2.6:49751 -> 162.222.226.70:587
                Source: unknownDNS traffic detected: queries for: g.msn.com
                Source: RegAsm.exe, 00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                Source: RegAsm.exe, 00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://Bvcujr.com
                Source: RegAsm.exe, 00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                Source: RegAsm.exe, 00000002.00000002.593886268.0000000003269000.00000004.00000001.sdmpString found in binary or memory: http://greatdeck.co
                Source: RegAsm.exe, 00000002.00000002.593886268.0000000003269000.00000004.00000001.sdmpString found in binary or memory: http://mail.greatdeck.co
                Source: RegAsm.exe, 00000002.00000002.593820435.0000000003227000.00000004.00000001.sdmpString found in binary or memory: http://t3WjFakexhm5e07NJ.net
                Source: RegAsm.exe, 00000002.00000002.593820435.0000000003227000.00000004.00000001.sdmpString found in binary or memory: http://t3WjFakexhm5e07NJ.netP
                Source: RegAsm.exe, 00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.orgGETMozilla/5.0
                Source: Pagamento.exe, 00000000.00000002.340132480.00000000058A2000.00000040.00000001.sdmp, RegAsm.exe, 00000002.00000002.591883662.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot%telegramapi%/
                Source: RegAsm.exe, 00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
                Source: Pagamento.exe, 00000000.00000002.340132480.00000000058A2000.00000040.00000001.sdmp, RegAsm.exe, 00000002.00000002.591883662.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                Source: RegAsm.exe, 00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

                Key, Mouse, Clipboard, Microphone and Screen Capturing:

                barindex
                Installs a global keyboard hookShow sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
                Source: Pagamento.exe, 00000000.00000002.336548068.00000000015E0000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                System Summary:

                barindex
                Source: C:\Users\user\Desktop\Pagamento.exeCode function: 0_2_00E6EF010_2_00E6EF01
                Source: C:\Users\user\Desktop\Pagamento.exeCode function: 0_2_015D04F00_2_015D04F0
                Source: C:\Users\user\Desktop\Pagamento.exeCode function: 0_2_015D04E10_2_015D04E1
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00FFD8E02_2_00FFD8E0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00FF44302_2_00FF4430
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00FF4EFA2_2_00FF4EFA
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00FFC6D02_2_00FFC6D0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00FF8F382_2_00FF8F38
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00FF99A02_2_00FF99A0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_010060482_2_01006048
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_01003CDB2_2_01003CDB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0100EBA02_2_0100EBA0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_010012002_2_01001200
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0100CED02_2_0100CED0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0100A50E2_2_0100A50E
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0100A5102_2_0100A510
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0100E7302_2_0100E730
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_01006A302_2_01006A30
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_02C95EA82_2_02C95EA8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_02C957212_2_02C95721
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_02C964902_2_02C96490
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_02C924102_2_02C92410
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_02C9F5182_2_02C9F518
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_02C9D8802_2_02C9D880
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_02C9F5602_2_02C9F560
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_02D1E1982_2_02D1E198
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_02D10F582_2_02D10F58
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_02D197102_2_02D19710
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_059D75382_2_059D7538
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_059D94F82_2_059D94F8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_059D6C682_2_059D6C68
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_059DC9AF2_2_059DC9AF
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_059D250B2_2_059D250B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_059D26702_2_059D2670
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_059D26602_2_059D2660
                Source: Pagamento.exe, 00000000.00000002.340132480.00000000058A2000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameKSNqaOSyHMGbBIJqcKRgjDNxy.exe4 vs Pagamento.exe
                Source: Pagamento.exe, 00000000.00000002.336548068.00000000015E0000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Pagamento.exe
                Source: Pagamento.exe, 00000000.00000002.337648660.0000000004811000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameQDUeTPNJmXbyMcBK.bounce.exe4 vs Pagamento.exe
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
                Source: Pagamento.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@5/1@3/1
                Source: C:\Users\user\Desktop\Pagamento.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Pagamento.exe.logJump to behavior
                Source: Pagamento.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\Pagamento.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Users\user\Desktop\Pagamento.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\Pagamento.exe 'C:\Users\user\Desktop\Pagamento.exe'
                Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                Source: C:\Users\user\Desktop\Pagamento.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: Pagamento.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: Pagamento.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_01003AA5 push esp; iretd 2_2_01003AA6
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_02C9B57F push edi; retn 0000h2_2_02C9B581
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_059D7F00 push 8BF04589h; iretd 2_2_059D7F8C
                Source: initial sampleStatic PE information: section name: .text entropy: 7.86500961586
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion:

                barindex
                Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Users\user\Desktop\Pagamento.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 735Jump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exe TID: 5756Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6444Thread sleep count: 63 > 30Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6444Thread sleep count: 735 > 30Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -56188s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -55188s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -76782s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -49688s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -49188s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -71532s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -69282s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -45688s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -44188s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -65532s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -42188s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -41688s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -60282s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -59532s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -57282s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -56532s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -54282s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -51282s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -32188s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -30188s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -31032s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -58688s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -58500s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -56500s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -53188s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -52688s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -75141s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -49594s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -48094s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -45500s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -44094s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -43906s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -43406s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -43188s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -43000s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -42094s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -39500s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -58500s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -38000s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -37500s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -37094s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -36000s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -53250s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -35094s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -34000s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -33594s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -33094s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -32688s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -48000s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -31594s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -31188s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -30688s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -30094s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -57874s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -56782s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -55688s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -54594s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -54374s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -52374s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -51000s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -50594s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -48594s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -47874s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -47000s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -46000s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -45094s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -44594s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -42688s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -42500s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -41782s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -41594s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -41094s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -40688s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4528Thread sleep time: -40000s >= -30000sJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeLast function: Thread delayed
                Source: RegAsm.exe, 00000002.00000002.597108036.0000000005EE0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: RegAsm.exe, 00000002.00000002.597108036.0000000005EE0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: RegAsm.exe, 00000002.00000002.597108036.0000000005EE0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: RegAsm.exe, 00000002.00000002.597285084.0000000005FDC000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: RegAsm.exe, 00000002.00000002.597108036.0000000005EE0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00FF27B8 LdrInitializeThunk,2_2_00FF27B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion:

                barindex
                Maps a DLL or memory area into another processShow sources
                Source: C:\Users\user\Desktop\Pagamento.exeSection loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and writeJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeJump to behavior
                Source: RegAsm.exe, 00000002.00000002.592906286.0000000001710000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                Source: RegAsm.exe, 00000002.00000002.592906286.0000000001710000.00000002.00000001.sdmpBinary or memory string: Progman
                Source: RegAsm.exe, 00000002.00000002.592906286.0000000001710000.00000002.00000001.sdmpBinary or memory string: &Program Manager
                Source: RegAsm.exe, 00000002.00000002.592906286.0000000001710000.00000002.00000001.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Pagamento.exeQueries volume information: C:\Users\user\Desktop\Pagamento.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\Pagamento.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: unknown VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information:

                barindex
                Yara detected AgentTeslaShow sources
                Source: Yara matchFile source: 00000000.00000002.340132480.00000000058A2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.338315730.0000000004EE0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.591883662.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.340576792.0000000006A49000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Pagamento.exe PID: 6380, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4680, type: MEMORY
                Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Pagamento.exe.58a0000.1.unpack, type: UNPACKEDPE
                Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)Show sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                Tries to harvest and steal browser information (history, passwords, etc)Show sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                Tries to harvest and steal ftp login credentialsShow sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xmlJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\Jump to behavior
                Tries to steal Mail credentials (via file access)Show sources
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                Source: Yara matchFile source: 00000002.00000002.593236496.0000000002F11000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4680, type: MEMORY

                Remote Access Functionality:

                barindex
                Yara detected AgentTeslaShow sources
                Source: Yara matchFile source: 00000000.00000002.340132480.00000000058A2000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.338315730.0000000004EE0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.591883662.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.340576792.0000000006A49000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: Pagamento.exe PID: 6380, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4680, type: MEMORY
                Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.Pagamento.exe.58a0000.1.unpack, type: UNPACKEDPE

                Mitre Att&ck Matrix

                Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                Valid AccountsWindows Management Instrumentation211DLL Side-Loading1Process Injection112Masquerading1OS Credential Dumping2Query Registry1Remote ServicesEmail Collection1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Virtualization/Sandbox Evasion13Input Capture111Security Software Discovery111Remote Desktop ProtocolInput Capture111Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Disable or Modify Tools1Credentials in Registry1Virtualization/Sandbox Evasion13SMB/Windows Admin SharesArchive Collected Data1Automated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection112NTDSProcess Discovery2Distributed Component Object ModelData from Local System2Scheduled TransferApplication Layer Protocol11SIM Card SwapCarrier Billing Fraud
                Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information2LSA SecretsApplication Window Discovery1SSHClipboard Data1Data Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                Replication Through Removable MediaLaunchdRc.commonRc.commonSoftware Packing3Cached Domain CredentialsRemote System Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                External Remote ServicesScheduled TaskStartup ItemsStartup ItemsDLL Side-Loading1DCSyncSystem Information Discovery114Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped