Analysis Report payment.exe

Overview

General Information

Sample Name: payment.exe
Analysis ID: 357249
MD5: 0780e01f6ac683c0529fb1d40aaca8b4
SHA1: d2c1ef0cab63992d4bea95fdf7838047997c46a7
SHA256: 0fc71d13ed4108b3afb81d9347063f9ef6ed9c3528a9c6e67a892c8a8db5fada
Tags: exe

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected GuLoader
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: payment.exe Virustotal: Detection: 56%
Source: payment.exe ReversingLabs: Detection: 46%

Compliance:

Uses 32bit PE files
Source: payment.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown DNS traffic detected: queries for: onedrive.live.com
Source: RegAsm.exe, 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp String found in binary or memory: http://kBTuTq.com
Source: RegAsm.exe String found in binary or memory: https://onedrive.live.com/download?cid=876616565B0E44B1&resid=876616565B0E44B1%213215&authkey=AC2zGE
Source: RegAsm.exe, 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

Executable has a suspicious name (potential lure to open the executable)
Source: payment.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: payment.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\payment.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0056E697 NtProtectVirtualMemory, 15_2_0056E697
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0056EC97 NtSetInformationThread, 15_2_0056EC97
Detected potential crypto function
PE file contains strange resources
Source: payment.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: payment.exe, 00000000.00000000.328356879.0000000000436000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameAncistrocladaceous5.exe vs payment.exe
Source: payment.exe Binary or memory string: OriginalFilenameAncistrocladaceous5.exe vs payment.exe
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/0@2/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4688:120:WilError_01
Source: C:\Users\user\Desktop\payment.exe File created: C:\Users\user\AppData\Local\Temp\~DFDAD0523DB1C225BD.TMP
Source: payment.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\payment.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\payment.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Users\user\Desktop\payment.exe 'C:\Users\user\Desktop\payment.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\payment.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\payment.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\payment.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\payment.exe Window detected: Number of UI elements: 15

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 0000000F.00000002.592476347.0000000000564000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4660, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: initial sample Static PE information: section name: .text entropy: 6.80293275288
Source: C:\Users\user\Desktop\payment.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\payment.exe RDTSC instruction interceptor: First address: 00000000004468FB second address: 00000000004468FB instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FF4A85B8858h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 jmp 00007FF4A85B8896h 0x00000023 test dx, bx 0x00000026 cmp ecx, 00000000h 0x00000029 jne 00007FF4A85B87ADh 0x0000002f jmp 00007FF4A85B8896h 0x00000031 cmp al, bl 0x00000033 push ecx 0x00000034 test ebx, eax 0x00000036 test cx, ax 0x00000039 call 00007FF4A85B891Ah 0x0000003e call 00007FF4A85B8868h 0x00000043 lfence 0x00000046 mov edx, dword ptr [7FFE0014h] 0x0000004c lfence 0x0000004f ret 0x00000050 mov esi, edx 0x00000052 pushad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\payment.exe RDTSC instruction interceptor: First address: 00000000004414CD second address: 0000000000441549 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pushad 0x0000000b mov ah, D8h 0x0000000d cmp ah, FFFFFFD8h 0x00000010 jne 00007FF4A85BC575h 0x00000016 popad 0x00000017 jmp 00007FF4A85B8896h 0x00000019 test al, cl 0x0000001b mov esi, 1A100000h 0x00000020 sub esi, 00001000h 0x00000026 push 00000004h 0x00000028 push 00003000h 0x0000002d mov dword ptr [ebp+64h], esi 0x00000030 mov ebx, ebp 0x00000032 pushad 0x00000033 mov ecx, 000000B2h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\payment.exe RDTSC instruction interceptor: First address: 0000000000441CC9 second address: 0000000000441CDC instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push 0003E800h 0x0000000f pushad 0x00000010 lfence 0x00000013 rdtsc
Source: C:\Users\user\Desktop\payment.exe RDTSC instruction interceptor: First address: 000000000044215A second address: 000000000044215A instructions:
Source: C:\Users\user\Desktop\payment.exe RDTSC instruction interceptor: First address: 00000000004452BD second address: 00000000004452BD instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000565193 second address: 0000000000565193 instructions:
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect Any.run
Source: C:\Users\user\Desktop\payment.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\payment.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\payment.exe RDTSC instruction interceptor: First address: 000000000044C4E9 second address: 000000000044C664 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 jmp 00007FF4A886B5AAh 0x00000005 test dl, al 0x00000007 jmp 00007FF4A886B5A6h 0x00000009 test bl, al 0x0000000b jmp 00007FF4A886B5AAh 0x0000000d cmp ecx, edx 0x0000000f jmp 00007FF4A886B5A6h 0x00000011 cmp cl, dl 0x00000013 jmp 00007FF4A886B5AAh 0x00000015 pushad 0x00000016 mov ebx, 00000057h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\payment.exe RDTSC instruction interceptor: First address: 000000000044C664 second address: 000000000044C119 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, 00000539h 0x00000008 jmp 00007FF4A85B8896h 0x0000000a test ax, ax 0x0000000d mov ecx, dword ptr [ebp+1Ch] 0x00000010 jmp 00007FF4A85B8896h 0x00000012 cld 0x00000013 mov edx, 8802EDACh 0x00000018 call 00007FF4A85B6F2Eh 0x0000001d push esi 0x0000001e jmp 00007FF4A85B889Ah 0x00000020 test bl, bl 0x00000022 push edx 0x00000023 push ecx 0x00000024 jmp 00007FF4A85B889Ah 0x00000026 cmp dh, ah 0x00000028 cmp eax, 00000539h 0x0000002d jne 00007FF4A85B8A8Fh 0x00000033 jmp 00007FF4A85B8896h 0x00000035 test dh, 0000007Eh 0x00000038 push 6DDB9555h 0x0000003d call 00007FF4A85B98FFh 0x00000042 mov eax, dword ptr fs:[00000030h] 0x00000048 jmp 00007FF4A85B8896h 0x0000004a test bl, al 0x0000004c mov eax, dword ptr [eax+0Ch] 0x0000004f mov eax, dword ptr [eax+14h] 0x00000052 mov ecx, dword ptr [eax] 0x00000054 mov eax, ecx 0x00000056 jmp 00007FF4A85B889Ah 0x00000058 cmp ecx, edx 0x0000005a jmp 00007FF4A85B88F4h 0x0000005f jmp 00007FF4A85B8896h 0x00000061 pushad 0x00000062 mov ecx, 00000016h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\payment.exe RDTSC instruction interceptor: First address: 000000000044C119 second address: 000000000044C304 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov ebx, dword ptr [eax+28h] 0x00000006 jmp 00007FF4A886B5AAh 0x00000008 test dl, al 0x0000000a cmp ebx, 00000000h 0x0000000d je 00007FF4A886B610h 0x00000013 push ebx 0x00000014 call 00007FF4A886B6A3h 0x00000019 jmp 00007FF4A886B5A6h 0x0000001b pushad 0x0000001c mov ecx, 00000025h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\payment.exe RDTSC instruction interceptor: First address: 0000000000446DCA second address: 0000000000446DCA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FF4A8871918h 0x0000001d popad 0x0000001e call 00007FF4A886B655h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\payment.exe RDTSC instruction interceptor: First address: 000000000044F427 second address: 000000000044F530 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp dword ptr [eax+10h], 00000000h 0x0000000f jne 00007FF4A886B98Dh 0x00000015 jmp 00007FF4A886B5A6h 0x00000017 test ax, 0000F517h 0x0000001b cmp dword ptr [eax+14h], 00000000h 0x0000001f jne 00007FF4A886B939h 0x00000025 cmp dword ptr [eax+18h], 00000000h 0x00000029 jne 00007FF4A886B92Fh 0x0000002f jmp 00007FF4A886B5A6h 0x00000031 cmp bx, dx 0x00000034 pop eax 0x00000035 jmp 00007FF4A886B5A6h 0x00000037 pushad 0x00000038 mov eax, 00000020h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\payment.exe RDTSC instruction interceptor: First address: 000000000044608B second address: 0000000000446102 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test bx, ax 0x0000000e cmp dword ptr [esp+08h], 0Ah 0x00000013 jg 00007FF4A886B5E2h 0x00000019 test ebx, edx 0x0000001b cmp ecx, 70DD50C1h 0x00000021 jmp 00007FF4A886E112h 0x00000026 call 00007FF4A88689FFh 0x0000002b pop eax 0x0000002c pushad 0x0000002d lfence 0x00000030 rdtsc
Source: C:\Users\user\Desktop\payment.exe RDTSC instruction interceptor: First address: 0000000000446102 second address: 00000000004497C4 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push edi 0x0000000c cmp bh, FFFFFF83h 0x0000000f push eax 0x00000010 test ax, ax 0x00000013 call 00007FF4A85BBE67h 0x00000018 jmp 00007FF4A85B889Ah 0x0000001a test bh, bh 0x0000001c jmp 00007FF4A85B8896h 0x0000001e pushad 0x0000001f mov ecx, 00000026h 0x00000024 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 000000000056C4E9 second address: 000000000056C664 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 jmp 00007FF4A886B5AAh 0x00000005 test dl, al 0x00000007 jmp 00007FF4A886B5A6h 0x00000009 test bl, al 0x0000000b jmp 00007FF4A886B5AAh 0x0000000d cmp ecx, edx 0x0000000f jmp 00007FF4A886B5A6h 0x00000011 cmp cl, dl 0x00000013 jmp 00007FF4A886B5AAh 0x00000015 pushad 0x00000016 mov ebx, 00000057h 0x0000001b rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 000000000056C664 second address: 000000000056C119 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, 00000539h 0x00000008 jmp 00007FF4A85B8896h 0x0000000a test ax, ax 0x0000000d mov ecx, dword ptr [ebp+1Ch] 0x00000010 jmp 00007FF4A85B8896h 0x00000012 cld 0x00000013 mov edx, 8802EDACh 0x00000018 call 00007FF4A85B6F2Eh 0x0000001d push esi 0x0000001e jmp 00007FF4A85B889Ah 0x00000020 test bl, bl 0x00000022 push edx 0x00000023 push ecx 0x00000024 jmp 00007FF4A85B889Ah 0x00000026 cmp dh, ah 0x00000028 cmp eax, 00000539h 0x0000002d jne 00007FF4A85B8A8Fh 0x00000033 jmp 00007FF4A85B8896h 0x00000035 test dh, 0000007Eh 0x00000038 push 6DDB9555h 0x0000003d call 00007FF4A85B98FFh 0x00000042 mov eax, dword ptr fs:[00000030h] 0x00000048 jmp 00007FF4A85B8896h 0x0000004a test bl, al 0x0000004c mov eax, dword ptr [eax+0Ch] 0x0000004f mov eax, dword ptr [eax+14h] 0x00000052 mov ecx, dword ptr [eax] 0x00000054 mov eax, ecx 0x00000056 jmp 00007FF4A85B889Ah 0x00000058 cmp ecx, edx 0x0000005a jmp 00007FF4A85B88F4h 0x0000005f jmp 00007FF4A85B8896h 0x00000061 pushad 0x00000062 mov ecx, 00000016h 0x00000067 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 000000000056C119 second address: 000000000056C304 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov ebx, dword ptr [eax+28h] 0x00000006 jmp 00007FF4A886B5AAh 0x00000008 test dl, al 0x0000000a cmp ebx, 00000000h 0x0000000d je 00007FF4A886B610h 0x00000013 push ebx 0x00000014 call 00007FF4A886B6A3h 0x00000019 jmp 00007FF4A886B5A6h 0x0000001b pushad 0x0000001c mov ecx, 00000025h 0x00000021 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000566DCA second address: 0000000000566DCA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FF4A85BEC08h 0x0000001d popad 0x0000001e call 00007FF4A85B8945h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000561549 second address: 000000000056BD6F instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add ebx, 64h 0x00000006 push ebx 0x00000007 jmp 00007FF4A886B5AAh 0x00000009 push si 0x0000000b mov si, 323Dh 0x0000000f pop si 0x00000011 push 00000000h 0x00000013 mov dword ptr [ebp+68h], 00000000h 0x0000001a add ebx, 04h 0x0000001d push ebx 0x0000001e cmp bx, ax 0x00000021 push FFFFFFFFh 0x00000023 test cl, bl 0x00000025 call 00007FF4A8875976h 0x0000002a jmp 00007FF4A8868408h 0x0000002f call 00007FF4A886E6BDh 0x00000034 pop ebx 0x00000035 cmp dword ptr [ebx], 00000000h 0x00000038 jne 00007FF4A886B819h 0x0000003e jmp 00007FF4A886B5A6h 0x00000040 cmp cl, dl 0x00000042 jmp 00007FF4A886B5AAh 0x00000044 test cx, cx 0x00000047 jmp 00007FF4A886B5A6h 0x00000049 pushad 0x0000004a mov ecx, 00000077h 0x0000004f rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 000000000056F427 second address: 000000000056F530 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp dword ptr [eax+10h], 00000000h 0x0000000f jne 00007FF4A85B8C7Dh 0x00000015 jmp 00007FF4A85B8896h 0x00000017 test ax, 0000F517h 0x0000001b cmp dword ptr [eax+14h], 00000000h 0x0000001f jne 00007FF4A85B8C29h 0x00000025 cmp dword ptr [eax+18h], 00000000h 0x00000029 jne 00007FF4A85B8C1Fh 0x0000002f jmp 00007FF4A85B8896h 0x00000031 cmp bx, dx 0x00000034 pop eax 0x00000035 jmp 00007FF4A85B8896h 0x00000037 pushad 0x00000038 mov eax, 00000020h 0x0000003d rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000565193 second address: 0000000000565193 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0056EC97 rdtsc 15_2_0056EC97
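The interceptor entries above are the raw material for the "RDTSC dummy instruction sequence" and "Tries to detect virtualization through RDTSC time measurements" verdicts: each one is the instruction stream the sandbox saw between two consecutive RDTSC executions. The following triage helper is an added example, not Joe Sandbox code: it parses those lines and tags the primitives a reviewer looks for in a GuLoader-style measurement window (fenced time stamps, the 64-bit `shl edx,20h / or edx,eax` combine, the CPUID leaf 1 hypervisor-present bit test, the `fs:[30h]` PEB read and `PEB.Ldr` walk) and counts the unconditional jumps that pad the window. The three sample lines are copied verbatim from this report; the tag names and the threshold-free scoring are this example's own.

```python
"""Triage helper for the 'RDTSC instruction interceptor' lines of the report.

Added example (not Joe Sandbox code). It parses the instruction stream the
sandbox recorded between two consecutive RDTSC executions and tags the
timing / anti-VM / anti-debug primitives found in that window.
"""
import re
from typing import Dict, List, Set, Tuple

# Copied verbatim from the report; the last one is the truncated entry that
# carries no instruction list.
SAMPLE_LINES = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000566DCA second address: 0000000000566DCA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FF4A85BEC08h 0x0000001d popad 0x0000001e call 00007FF4A85B8945h 0x00000023 lfence 0x00000026 rdtsc",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 000000000056C664 second address: 000000000056C119 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, 00000539h 0x00000008 jmp 00007FF4A85B8896h 0x0000000a test ax, ax 0x0000000d mov ecx, dword ptr [ebp+1Ch] 0x00000010 jmp 00007FF4A85B8896h 0x00000012 cld 0x00000013 mov edx, 8802EDACh 0x00000018 call 00007FF4A85B6F2Eh 0x0000001d push esi 0x0000001e jmp 00007FF4A85B889Ah 0x00000020 test bl, bl 0x00000022 push edx 0x00000023 push ecx 0x00000024 jmp 00007FF4A85B889Ah 0x00000026 cmp dh, ah 0x00000028 cmp eax, 00000539h 0x0000002d jne 00007FF4A85B8A8Fh 0x00000033 jmp 00007FF4A85B8896h 0x00000035 test dh, 0000007Eh 0x00000038 push 6DDB9555h 0x0000003d call 00007FF4A85B98FFh 0x00000042 mov eax, dword ptr fs:[00000030h] 0x00000048 jmp 00007FF4A85B8896h 0x0000004a test bl, al 0x0000004c mov eax, dword ptr [eax+0Ch] 0x0000004f mov eax, dword ptr [eax+14h] 0x00000052 mov ecx, dword ptr [eax] 0x00000054 mov eax, ecx 0x00000056 jmp 00007FF4A85B889Ah 0x00000058 cmp ecx, edx 0x0000005a jmp 00007FF4A85B88F4h 0x0000005f jmp 00007FF4A85B8896h 0x00000061 pushad 0x00000062 mov ecx, 00000016h 0x00000067 rdtsc",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000565193 second address: 0000000000565193 instructions:",
]

HEADER_RE = re.compile(
    r"^Source:\s+(?P<src>.+?)\s+RDTSC instruction interceptor: First address: "
    r"(?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+) instructions:\s*(?P<body>.*)$"
)
# One disassembled instruction: offset, mnemonic, operands up to the next offset.
INSTR_RE = re.compile(
    r"0x(?P<off>[0-9A-Fa-f]{8})\s+(?P<mnem>\S+)(?P<ops>.*?)(?=\s+0x[0-9A-Fa-f]{8}\s|\s*$)"
)


def parse_interceptor(line: str) -> Dict:
    """Split one interceptor line into source, the two addresses and (offset, mnemonic, operands)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an RDTSC interceptor line")
    instrs: List[Tuple[int, str, str]] = []
    for im in INSTR_RE.finditer(m.group("body")):
        ops = " ".join(im.group("ops").split()).lower()   # normalise spacing and case
        instrs.append((int(im.group("off"), 16), im.group("mnem").lower(), ops))
    return {"source": m.group("src"), "first": int(m.group("first"), 16),
            "second": int(m.group("second"), 16), "instructions": instrs}


def classify(entry: Dict) -> Set[str]:
    """Tag the anti-analysis primitives present in one measurement window."""
    ins: List[Tuple[str, str]] = [(m, o) for _, m, o in entry["instructions"]]
    mnems = [m for m, _ in ins]
    tags: Set[str] = set()
    if mnems.count("rdtsc") >= 2:
        tags.add("rdtsc_pair")               # two stamps in one window: a delta is measured
    if entry["first"] == entry["second"]:
        tags.add("same_site")                # the same rdtsc site was hit twice in a row
    for i, (m, o) in enumerate(ins):
        nxt = ins[i + 1] if i + 1 < len(ins) else ("", "")
        if m == "rdtsc" and nxt[0] == "lfence":
            tags.add("serialized_lfence")    # rdtsc; lfence: stamp taken in program order
        if (m, o) == ("shl", "edx, 20h") and nxt == ("or", "edx, eax"):
            tags.add("64bit_combine")        # (edx << 32) | eax: full 64-bit counter value
        if o.endswith("fs:[00000030h]"):
            tags.add("peb_read")             # fs:[30h] is the PEB on 32-bit Windows
            if ("mov", "eax, dword ptr [eax+0ch]") in ins[i + 1:]:
                tags.add("peb_ldr_walk")     # PEB+0x0C = Ldr: loaded-module list walk
        if m == "cpuid":
            leaf1 = (ins[max(0, i - 2):i] == [("xor", "eax, eax"), ("inc", "eax")]
                     or ins[i - 1:i] == [("mov", "eax, 00000001h")])
            if leaf1 and ("bt", "ecx, 1fh") in ins[i + 1:]:
                tags.add("hypervisor_bit_check")   # CPUID.1:ECX bit 31 = hypervisor present
    return tags


def triage(lines: List[str]) -> List[Dict]:
    """Per-entry summary: process, window, size, jmp padding and tags."""
    out = []
    for line in lines:
        e = parse_interceptor(line)
        mnems = [m for _, m, _ in e["instructions"]]
        out.append({
            "process": e["source"].rsplit("\\", 1)[-1],
            "window": f"{e['first']:08X}->{e['second']:08X}",
            "n_instr": len(mnems),
            "jmp_padding": mnems.count("jmp"),   # unconditional jumps between the stamps
            "tags": sorted(classify(e)),
        })
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(row)
```

Run over the three copied lines, the first window (the one that starts and ends at 0x566DCA) is the real check: fenced stamps, 64-bit combine and the CPUID hypervisor-bit test with a `jc` on the result; the second is mostly jump padding around a PEB/Ldr walk; the third has no instruction list in the report and only gets `same_site`.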
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 717 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9102 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5560 Thread sleep time: -24903104499507879s >= -30000s Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: RegAsm.exe, 0000000F.00000002.597861206.000000001FC20000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 0000000F.00000002.597861206.000000001FC20000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 0000000F.00000002.597861206.000000001FC20000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 0000000F.00000002.597861206.000000001FC20000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\payment.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\payment.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0056EC97 rdtsc 15_2_0056EC97
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_005664EC mov eax, dword ptr fs:[00000030h] 15_2_005664EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00566534 mov eax, dword ptr fs:[00000030h] 15_2_00566534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0056DC0F mov eax, dword ptr fs:[00000030h] 15_2_0056DC0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0056AC3D mov eax, dword ptr fs:[00000030h] 15_2_0056AC3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_0056BF85 mov eax, dword ptr fs:[00000030h] 15_2_0056BF85
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\payment.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 560000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\payment.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\payment.exe' Jump to behavior
Source: RegAsm.exe, 0000000F.00000002.593288205.0000000000F10000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000F.00000002.593288205.0000000000F10000.00000002.00000001.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 0000000F.00000002.593288205.0000000000F10000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: RegAsm.exe, 0000000F.00000002.593288205.0000000000F10000.00000002.00000001.sdmp Binary or memory string: Progmanlock
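The three facts in this section describe the hand-off from the GuLoader stub to the AgentTesla payload: payment.exe starts RegAsm.exe (a signed .NET framework utility) in suspended mode, writes into it at base 0x560000, and the hollowed RegAsm.exe then does the WMI queries and the OneDrive traffic seen elsewhere in the report. The detection below is an added example, not Joe Sandbox or vendor code. The events use real Sysmon field names (EventID 1 process create, 10 process access, 3 network connect) but are constructed here to mirror the report's process tree; the host list, the user-writable path segments and the benign-parent allow-list are assumptions to tune per estate. Note the tell in the report's own line: RegAsm.exe is launched with `'C:\Users\user\Desktop\payment.exe'` as its command line, so image and command line name different binaries.

```python
"""Sysmon-style detection for the RegAsm.exe hollowing chain in the report.

Added example (not Joe Sandbox or vendor code). Field names are Sysmon's;
the events and the allow-lists are constructed assumptions.
"""
import ntpath
from collections import defaultdict
from typing import Dict, List

# .NET framework utilities that loaders commonly hollow (assumption: extend as needed)
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# Path segments treated as user-writable (assumption)
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
# Parents for which a RegAsm.exe child is expected (assumption: tune per estate)
BENIGN_PARENTS = {"devenv.exe", "msbuild.exe", "msiexec.exe"}
VM_WRITE = 0x0008 | 0x0020   # PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed events mirroring the report: PID 4660 is the RegAsm.exe PID the
# Yara section names; the msiexec-spawned RegAsm.exe is a benign control.
EVENTS = [
    {"EventID": 1, "ProcessId": 4660,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"'C:\Users\user\Desktop\payment.exe'",
     "ParentImage": r"C:\Users\user\Desktop\payment.exe"},
    {"EventID": 10, "SourceImage": r"C:\Users\user\Desktop\payment.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "TargetProcessId": 4660, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 3, "ProcessId": 4660,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "DestinationHostname": "onedrive.live.com"},
    {"EventID": 1, "ProcessId": 5100,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"RegAsm.exe /codebase C:\Program Files\Vendor\Vendor.dll",
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _user_writable(path: str) -> bool:
    return any(seg in path.lower() for seg in USER_WRITABLE)


def check_process_create(ev: Dict) -> List[str]:
    """EID 1: .NET host whose command line names another binary, or whose parent lives in a user-writable path."""
    reasons: List[str] = []
    image, parent = _name(ev["Image"]), _name(ev["ParentImage"])
    if image not in DOTNET_HOSTS:
        return reasons
    if image not in ev.get("CommandLine", "").lower():
        reasons.append(f"{image} started with a command line naming another binary: {ev['CommandLine']}")
    if parent not in BENIGN_PARENTS and _user_writable(ev["ParentImage"]):
        reasons.append(f"{image} spawned by {ev['ParentImage']} (user-writable path)")
    return reasons


def check_process_access(ev: Dict) -> List[str]:
    """EID 10: a binary in a user-writable path opens a .NET host with VM write rights."""
    if (_name(ev["TargetImage"]) in DOTNET_HOSTS
            and int(ev["GrantedAccess"], 16) & VM_WRITE
            and _user_writable(ev["SourceImage"])):
        return [f"{ev['SourceImage']} opened {_name(ev['TargetImage'])} with write access {ev['GrantedAccess']}"]
    return []


def check_network(ev: Dict) -> List[str]:
    """EID 3: a .NET framework utility has no business talking to the internet."""
    if _name(ev["Image"]) in DOTNET_HOSTS:
        return [f"{_name(ev['Image'])} connected to {ev['DestinationHostname']}"]
    return []


def evaluate(events: List[Dict]) -> Dict[int, List[str]]:
    """Correlate hits per target PID so the writer and the hollowed process land in one alert."""
    hits: Dict[int, List[str]] = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 1:
            hits[ev["ProcessId"]] += check_process_create(ev)
        elif ev["EventID"] == 10:
            hits[ev["TargetProcessId"]] += check_process_access(ev)
        elif ev["EventID"] == 3:
            hits[ev["ProcessId"]] += check_network(ev)
    return {pid: r for pid, r in hits.items() if r}


if __name__ == "__main__":
    for pid, reasons in evaluate(EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

The four reasons collected for PID 4660 are independent signals (command-line mismatch, untrusted parent, write access from that parent, outbound connection), so a single missed event still leaves the chain visible; the msiexec-launched control produces nothing.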

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_00565184 cpuid 15_2_00565184
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\payment.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\payment.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
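The evasion and anti-debugging sections above are long lists of "Source:" lines, and the question a reviewer actually has is which stage did which check: the GuLoader stub in payment.exe (HideFromDebugger, DebugPort) or the hollowed RegAsm.exe (the same plus the WMI queries, the effectively infinite sleep and the Hyper-V / QEMU guest-agent strings). The helper below is an added example, not Joe Sandbox code: it groups the report's evidence per process and signature, pulls out the memory strings as VM-detection indicators, and reads the raw delay figure. The `SAMPLE` text is a verbatim excerpt of the lines above; the arithmetic on the delay is the example's own observation: 922337203685477 ms is (2^63 - 1) / 10000, i.e. Int64.MaxValue in 100 ns units, the largest relative wait a 64-bit NT timeout can express.

```python
"""Group the report's anti-analysis evidence per process and signature.

Added example (not Joe Sandbox code). SAMPLE is a verbatim excerpt of the
report; the line format it parses is 'signature title' followed by
'Source: <process> <evidence> [Jump to behavior]' lines.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

SAMPLE = r"""
Hides threads from debuggers
Source: C:\Users\user\Desktop\payment.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\payment.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: RegAsm.exe, 0000000F.00000002.597861206.000000001FC20000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
"""

# process (a path or a bare name, optionally followed by ', <memory dump id>'), then the evidence
SOURCE_RE = re.compile(
    r"^Source:\s+(?P<src>\S+?\.exe)(?:,\s*\S+)?\s+(?P<evidence>.+?)(?:\s+Jump to behavior)?$"
)
DELAY_RE = re.compile(r"delay time:\s*(\d+)")
# (2**63 - 1) 100 ns ticks expressed in milliseconds: the largest relative NT wait
MAX_RELATIVE_WAIT_MS = (2 ** 63 - 1) // 10_000      # 922337203685477


def group_evidence(text: str) -> Dict[str, Dict[str, List[str]]]:
    """process basename -> signature title -> evidence strings (without 'Jump to behavior')."""
    groups: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    signature = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Source:"):
            m = SOURCE_RE.match(line)
            if m and signature:                          # Yara/other sources without a .exe are skipped
                proc = m.group("src").rsplit("\\", 1)[-1]
                groups[proc][signature].append(m.group("evidence"))
            continue
        if line == "barindex" or line.endswith(":"):     # index marker or section header
            continue
        signature = line                                 # a signature title line
    return {p: dict(s) for p, s in groups.items()}


def describe_delay_ms(ms: int) -> str:
    """Render a sandbox delay figure; the Int64.MaxValue tick count is an unbounded wait."""
    if ms >= MAX_RELATIVE_WAIT_MS:
        return f"{ms} ms = Int64.MaxValue 100 ns ticks: effectively infinite"
    return f"{ms} ms = {ms / 60_000:.1f} min"


def long_sleeps(groups: Dict[str, Dict[str, List[str]]], threshold_ms: int = 180_000) -> List[Tuple[str, str]]:
    """(process, description) for every recorded delay at or above the threshold (3 min, as in the report)."""
    out: List[Tuple[str, str]] = []
    for proc, sigs in groups.items():
        for evs in sigs.values():
            for ev in evs:
                m = DELAY_RE.search(ev)
                if m and int(m.group(1)) >= threshold_ms:
                    out.append((proc, describe_delay_ms(int(m.group(1)))))
    return out


def memory_strings(groups: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """The 'Binary or memory string' evidence, i.e. the VM / hypervisor artefacts the payload carries."""
    prefix = "Binary or memory string: "
    return [ev[len(prefix):] for sigs in groups.values() for evs in sigs.values()
            for ev in evs if ev.startswith(prefix)]


if __name__ == "__main__":
    g = group_evidence(SAMPLE)
    for proc, sigs in g.items():
        print(proc, {sig: len(evs) for sig, evs in sigs.items()})
    print(long_sleeps(g))
    print(memory_strings(g))
```

On the excerpt this yields two processes: payment.exe with one HideFromDebugger and one DebugPort hit, RegAsm.exe with two HideFromDebugger hits, the DebugPort check, the Win32_Processor query, the unbounded delay and the two memory strings. The grouping is what makes the staging obvious when the full report is fed in.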

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4660, type: MEMORY
Yara detected Credential Stealer
Source: Yara match File source: 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4660, type: MEMORY

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4660, type: MEMORY
Behavior Graph (ID: 357249, Sample: payment.exe, Start date: 24/02/2021, Architecture: WINDOWS, Score: 100)

Sample-level signatures:
  Multi AV Scanner detection for submitted file
  Yara detected GuLoader
  Yara detected AgentTesla
  3 other signatures

Process tree:
  payment.exe (started)
    Writes to foreign memory regions
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)
    Tries to detect Any.run
    2 other signatures
    -> RegAsm.exe (started)
         DNS/IP: onedrive.live.com, c3ixha.bl.files.1drv.com, bl-files.fe.1drv.com
         Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
         Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
         Detected RDTSC dummy instruction sequence (likely for instruction hammering)
         3 other signatures
         -> conhost.exe (started)
No contacted IP infos

Contacted Domains

Name IP Active
onedrive.live.com unknown unknown
c3ixha.bl.files.1drv.com unknown unknown