Play interactive tour

Edit tour

Analysis Report AMPUTERE.exe

Overview

General Information

Sample Name:	AMPUTERE.exe
Analysis ID:	379730
MD5:	f2fa3c87de32858f1244fb352873f399
SHA1:	3d6f6d635639c689a8e4709ccb379500b4e76096
SHA256:	2beda3caff1f808814294dca346cbe62ad229272d54696fe75e99388a73ff3cc
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

AgentTesla GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

AMPUTERE.exe (PID: 6608 cmdline: 'C:\Users\user\Desktop\AMPUTERE.exe' MD5: F2FA3C87DE32858F1244FB352873F399)

RegAsm.exe (PID: 6044 cmdline: 'C:\Users\user\Desktop\AMPUTERE.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 1212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: RegAsm.exe PID: 6044	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 6044	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6044	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: AMPUTERE.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: AMPUTERE.exe	Virustotal: Detection: 44%			Perma Link
Source: AMPUTERE.exe	ReversingLabs: Detection: 68%

Machine Learning detection for sample

Show sources

Source: AMPUTERE.exe

Joe Sandbox ML: detected

Source: AMPUTERE.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Source: unknown

HTTPS traffic detected: 216.58.215.225:443 -> 192.168.2.6:49747 version: TLS 1.2

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS traffic detected: queries for: doc-14-a0-docs.googleusercontent.com

Source: RegAsm.exe, 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp	String found in binary or memory: http://CFlLIU.com
Source: RegAsm.exe, 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe	String found in binary or memory: https://drive.google.com/uc?export=download&id=1YqpUxJBnjokc5FJGT-8XzuYbR97RtVG2
Source: RegAsm.exe, 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747

Source: unknown

HTTPS traffic detected: 216.58.215.225:443 -> 192.168.2.6:49747 version: TLS 1.2

Source: AMPUTERE.exe, 00000000.00000002.811048059.00000000005EA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\AMPUTERE.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107349 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01106E63 NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_0110752F NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_0110755B NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_0110759F NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107583 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011075BB NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011075E7 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107417 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107437 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107457 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107477 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011074A0 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011074DF NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_0110770C NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107747 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_0110777F NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107363 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107384 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011073B3 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011073CB NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011073EB NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107603 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01106E22 NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01106E47 NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107663 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011076AB NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011076CB NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_1DC8B0BA NtQuerySystemInformation,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_1DC8B089 NtQuerySystemInformation,

Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409418
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A862
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A078
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A478
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040943F
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409886
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_004094B0
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A101
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A50A
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409D0C
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409918
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409DED
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409588
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A193
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A595
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_004099A6
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_004095BE
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409649
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A628
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409A2A
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409A2C
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409E30
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A2C0
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409EC4
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_004096D5
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A6FC
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A6B3
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409ABB
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A746
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409B50
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040A356
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409F5F
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409762
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409BE2
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00409FE9
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_004097F4

Source: AMPUTERE.exe, 00000000.00000002.811248602.0000000002200000.00000002.00000001.sdmp

Binary or memory string: OriginalFilenameuser32j% vs AMPUTERE.exe

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Section loaded: sfc.dll

Source: AMPUTERE.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/0@1/1

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_1DC8AF3E AdjustTokenPrivileges,
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_1DC8AF07 AdjustTokenPrivileges,

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1212:120:WilError_01

Source: C:\Users\user\Desktop\AMPUTERE.exe

File created: C:\Users\user\AppData\Local\Temp\~DF371BB4A539764BA1.TMP

Jump to behavior

Source: AMPUTERE.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\AMPUTERE.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\AMPUTERE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: AMPUTERE.exe	Virustotal: Detection: 44%
Source: AMPUTERE.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\AMPUTERE.exe 'C:\Users\user\Desktop\AMPUTERE.exe'
Source: C:\Users\user\Desktop\AMPUTERE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\AMPUTERE.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AMPUTERE.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\AMPUTERE.exe'

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6044, type: MEMORY

Source: AMPUTERE.exe

Static PE information: real checksum: 0x255bc should be: 0x22e67

Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040306C push esi; iretd
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040307A push esi; ret
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_004034DD push ebp; ret
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_004058EE push esi; ret
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040888A push esi; ret
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_004071F6 push esi; retf
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_0040723D push esi; ret
Source: C:\Users\user\Desktop\AMPUTERE.exe	Code function: 0_2_00404BEA push esi; iretd
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01104B84 push dword ptr [ebp+77h]; ret
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01107384 push cs; retn EB1Ah

Source: C:\Users\user\Desktop\AMPUTERE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AMPUTERE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AMPUTERE.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01103317
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011032A2

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 00000000005261EC second address: 00000000005261EC instructions:
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 0000000000526246 second address: 0000000000526246 instructions:
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 0000000000526315 second address: 0000000000526315 instructions:
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 00000000005233AC second address: 00000000005233AC instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F99848EE8F8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e test dh, ch 0x00000020 add edi, edx 0x00000022 test ecx, ebx 0x00000024 dec ecx 0x00000025 jmp 00007F99848EE90Ah 0x00000027 test bl, bl 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007F99848EE8A5h 0x0000002e push ecx 0x0000002f jmp 00007F99848EE90Ah 0x00000031 cmp bh, ah 0x00000033 cmp ah, bh 0x00000035 call 00007F99848EE93Fh 0x0000003a call 00007F99848EE908h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 0000000000526BD4 second address: 0000000000526BD4 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp byte ptr [ebx], FFFFFFB8h 0x0000000d jne 00007F99848EE922h 0x0000000f cmp ecx, 00002000h 0x00000015 jne 00007F99848EE7C6h 0x0000001b inc ecx 0x0000001c inc ebx 0x0000001d test cl, dl 0x0000001f cmp dword ptr [ebx], 9090C350h 0x00000025 jne 00007F99848EE926h 0x00000027 cmp edx, 257E6A7Fh 0x0000002d cmp edx, dword ptr [ebx] 0x0000002f jne 00007F99848EE916h 0x00000031 test dh, ch 0x00000033 cmp byte ptr [ebx], FFFFFFE8h 0x00000036 jne 00007F99848EE95Bh 0x00000038 cmp edi, 1B7EF1A7h 0x0000003e pushad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 00000000005209F7 second address: 00000000005209F7 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001101F83 second address: 0000000001101F83 instructions:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\AMPUTERE.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\AMPUTERE.exe	File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 00000000005261EC second address: 00000000005261EC instructions:
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 0000000000526246 second address: 0000000000526246 instructions:
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 0000000000526315 second address: 0000000000526315 instructions:
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 00000000005233AC second address: 00000000005233AC instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F99848EE8F8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e test dh, ch 0x00000020 add edi, edx 0x00000022 test ecx, ebx 0x00000024 dec ecx 0x00000025 jmp 00007F99848EE90Ah 0x00000027 test bl, bl 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007F99848EE8A5h 0x0000002e push ecx 0x0000002f jmp 00007F99848EE90Ah 0x00000031 cmp bh, ah 0x00000033 cmp ah, bh 0x00000035 call 00007F99848EE93Fh 0x0000003a call 00007F99848EE908h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 00000000005235B0 second address: 00000000005235B0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F99845B8528h 0x0000001d popad 0x0000001e jmp 00007F99845B565Ah 0x00000020 test ch, dh 0x00000022 call 00007F99845B568Bh 0x00000027 lfence 0x0000002a rdtsc
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 0000000000526BD4 second address: 0000000000526BD4 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp byte ptr [ebx], FFFFFFB8h 0x0000000d jne 00007F99848EE922h 0x0000000f cmp ecx, 00002000h 0x00000015 jne 00007F99848EE7C6h 0x0000001b inc ecx 0x0000001c inc ebx 0x0000001d test cl, dl 0x0000001f cmp dword ptr [ebx], 9090C350h 0x00000025 jne 00007F99848EE926h 0x00000027 cmp edx, 257E6A7Fh 0x0000002d cmp edx, dword ptr [ebx] 0x0000002f jne 00007F99848EE916h 0x00000031 test dh, ch 0x00000033 cmp byte ptr [ebx], FFFFFFE8h 0x00000036 jne 00007F99848EE95Bh 0x00000038 cmp edi, 1B7EF1A7h 0x0000003e pushad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\AMPUTERE.exe	RDTSC instruction interceptor: First address: 00000000005209F7 second address: 00000000005209F7 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 00000000011035B0 second address: 00000000011035B0 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F99848F17D8h 0x0000001d popad 0x0000001e jmp 00007F99848EE90Ah 0x00000020 test ch, dh 0x00000022 call 00007F99848EE93Bh 0x00000027 lfence 0x0000002a rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001101F6C second address: 0000000001101F83 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 call 00007F99845B5BC9h 0x00000008 cmp dword ptr [edi+00000818h], 00000000h 0x0000000f je 00007F99845B5708h 0x00000015 test ah, ah 0x00000017 ret 0x00000018 cmp edx, A37443ABh 0x0000001e test edx, ecx 0x00000020 mov eax, dword ptr fs:[00000030h] 0x00000026 pushad 0x00000027 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001101F83 second address: 0000000001101F83 instructions:

Source: C:\Users\user\Desktop\AMPUTERE.exe

Code function: 0_2_00409418 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 772	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 772	Thread sleep time: -3210000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 772	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread delayed: delay time: 30000

Source: RegAsm.exe, 00000013.00000002.865466102.00000000203F0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 00000013.00000002.865466102.00000000203F0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 00000013.00000002.865466102.00000000203F0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 00000013.00000002.865466102.00000000203F0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\AMPUTERE.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\AMPUTERE.exe	Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\AMPUTERE.exe

Code function: 0_2_00409418 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 19_2_01104417 LdrInitializeThunk,

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_0110690F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01106977 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_011031DF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01106089 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01105733 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 19_2_01103200 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\AMPUTERE.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe base: 1100000

Source: C:\Users\user\Desktop\AMPUTERE.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\AMPUTERE.exe'

Source: RegAsm.exe, 00000013.00000002.860438642.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000013.00000002.860438642.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 00000013.00000002.860438642.0000000001980000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: RegAsm.exe, 00000013.00000002.860438642.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 19_2_011069B3 cpuid

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6044, type: MEMORY

Source: Yara match	File source: 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6044, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6044, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	Access Token Manipulation1	Disable or Modify Tools1	Input Capture1	Security Software Discovery731	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection112	Virtualization/Sandbox Evasion341	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	DLL Side-Loading1	Access Token Manipulation1	Security Account Manager	Virtualization/Sandbox Evasion341	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	System Information Discovery423	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
AMPUTERE.exe	45%	Virustotal		Browse
AMPUTERE.exe	69%	ReversingLabs	Win32.Trojan.GenericML
AMPUTERE.exe	100%	Avira	HEUR/AGEN.1138570
AMPUTERE.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.AMPUTERE.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1138570		Download File
0.0.AMPUTERE.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1138570		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://CFlLIU.com	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
googlehosted.l.googleusercontent.com	216.58.215.225	true	false		high
doc-14-a0-docs.googleusercontent.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegAsm.exe, 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://CFlLIU.com	RegAsm.exe, 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://DynDns.comDynDNS	RegAsm.exe, 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegAsm.exe, 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
216.58.215.225	googlehosted.l.googleusercontent.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	379730
Start date:	01.04.2021
Start time:	07:40:53
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 1s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	AMPUTERE.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/0@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 95.9% (good quality ratio 37%) Quality average: 21.8% Quality standard deviation: 30.5%
HCA Information:	Successful, ratio: 87% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.43.193.48, 168.61.161.212, 13.107.4.50, 104.43.139.144, 40.88.32.150, 20.82.210.154, 2.20.142.210, 2.20.142.209, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 23.218.208.56, 216.58.215.238 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, 2-01-3cf7-0009.cdx.cedexis.net, b1ns.c-0001.c-msedge.net, wu-fg-shim.trafficmanager.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, drive.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, b1ns.au-msedge.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, c-0001.c-msedge.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, download.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:45:34	API Interceptor	158x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	martin.connor SWIFT Copy 2021.htm	Get hash	malicious	Browse	216.58.215.225
	xXeJaeHDWB.exe	Get hash	malicious	Browse	216.58.215.225
	Purchase_Order 3109.xls	Get hash	malicious	Browse	216.58.215.225
	Invoice_150.xlsm	Get hash	malicious	Browse	216.58.215.225
	FileZilla_3.53.1_win64_sponsored-setup.exe	Get hash	malicious	Browse	216.58.215.225
	#Ufffd.HTML	Get hash	malicious	Browse	216.58.215.225
	FileZilla_3.53.1_win64_sponsored-setup.exe	Get hash	malicious	Browse	216.58.215.225
	SecuriteInfo.com.Mal.GandCrypt-A.4160.exe	Get hash	malicious	Browse	216.58.215.225
	1Nqs1iTfMz.exe	Get hash	malicious	Browse	216.58.215.225
	yPkfbflyoh.exe	Get hash	malicious	Browse	216.58.215.225
	SOC_0#7198, INV#512 Via GoogleDocs gracechung.html	Get hash	malicious	Browse	216.58.215.225
	lv.exe	Get hash	malicious	Browse	216.58.215.225
	8637.xlsx	Get hash	malicious	Browse	216.58.215.225
	YtR0OI1H6G.exe	Get hash	malicious	Browse	216.58.215.225
	ABS Browser.exe	Get hash	malicious	Browse	216.58.215.225
	reciept-id.htm	Get hash	malicious	Browse	216.58.215.225
	Closure TP-Stamp.htm	Get hash	malicious	Browse	216.58.215.225
	Audio playback (7656) for joew Camrosa.htm	Get hash	malicious	Browse	216.58.215.225
	CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe	Get hash	malicious	Browse	216.58.215.225
	JYDy1dAHdW.exe	Get hash	malicious	Browse	216.58.215.225

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.402488868367982
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	AMPUTERE.exe
File size:	90112
MD5:	f2fa3c87de32858f1244fb352873f399
SHA1:	3d6f6d635639c689a8e4709ccb379500b4e76096
SHA256:	2beda3caff1f808814294dca346cbe62ad229272d54696fe75e99388a73ff3cc
SHA512:	46058516a19a7db0833fd84a17ab9f8a80b992e6ac76727abe879dd1bf2e5a04636b7436746b5a472dd67c1efa42a007a88779a2f1f6ec12d431a6be8a13a605
SSDEEP:	768:xKOhTQs/sICfEBiQPIHYqH3qkfNS1Z5EK8GEHPZNrLzrKBvY:1hkGxCfEBiiIjHBG8tHC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L......T................. ...0...............0....@................

File Icon


Icon Hash:	f1f8f6f0f0e4f831

Static PE Info

General
Entrypoint:	0x4016fc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x540DA20E [Mon Sep 8 12:33:18 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c78f78af0a4b82efe93f926bf0040578

Entrypoint Preview

Instruction
push 0040CE4Ch
call 00007F9984FBFCD5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dl, al
push eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11ec4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x1412	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1ac	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x114d8	0x12000	False	0.434828016493	data	5.9787925967	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x13000	0xa64	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x1412	0x2000	False	0.291259765625	data	3.29525991326	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x14d4a	0x6c8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x143c2	0x988	dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON	0x143a0	0x22	data
RT_VERSION	0x14120	0x280	data	Guarani	Paraguay

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaObjVar, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaDateVar, _CIlog, __vbaFileOpen, __vbaNew2, __vbaInStr, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaUI1Str, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0474 0x04b0
InternalName	AMPUTERE
FileVersion	3.03
CompanyName	Panasonic
Comments	Panasonic
ProductName	Panasonic
ProductVersion	3.03
FileDescription	Panasonic
OriginalFilename	AMPUTERE.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Guarani	Paraguay

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source IP	Dest IP
04/01/21-07:41:42.432040	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:41:42.464302	ICMP	449	ICMP Time-To-Live Exceeded in Transit	84.17.52.126	192.168.2.6
04/01/21-07:41:42.470500	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:41:42.502832	ICMP	449	ICMP Time-To-Live Exceeded in Transit	5.56.20.161	192.168.2.6
04/01/21-07:41:42.506701	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:41:42.540227	ICMP	449	ICMP Time-To-Live Exceeded in Transit	91.206.52.152	192.168.2.6
04/01/21-07:41:42.540792	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:41:46.555734	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:41:50.533063	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:41:54.533682	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:41:58.533986	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:42:03.273472	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:42:07.040459	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:42:11.039405	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:42:15.035238	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:42:19.071881	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:42:23.036318	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:42:27.037681	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:42:31.036811	ICMP	384	ICMP PING	192.168.2.6	13.107.4.50
04/01/21-07:42:31.069811	ICMP	408	ICMP Echo Reply	13.107.4.50	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 1, 2021 07:45:26.435566902 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.478147984 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.478259087 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.479070902 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.521552086 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.534030914 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.534054041 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.534066916 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.534079075 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.534224033 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.551301003 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.594008923 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.594080925 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.594995022 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.642653942 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.876184940 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.876216888 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.876230955 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.876246929 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.876261950 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.876364946 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.876398087 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.879012108 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.879033089 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.879138947 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.882077932 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.882103920 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.882241964 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.885045052 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.885070086 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.885191917 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.888066053 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.888092041 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.888215065 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.896469116 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.896631002 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.897058010 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.897149086 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.920533895 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.920563936 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.920715094 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.921978951 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.922003031 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.922103882 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.924967051 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.924994946 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.925097942 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.927953005 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.927983999 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.928090096 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.930926085 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.930965900 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.931082964 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.933958054 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.933989048 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.934043884 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.934098959 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.936952114 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.937001944 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.937047005 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.937093973 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.939922094 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.939948082 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.940052032 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.942869902 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.942890882 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.943018913 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.945904970 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.945930004 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.946086884 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.948846102 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.948868036 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.948987007 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.951828003 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.951868057 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.951960087 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.954854012 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.954925060 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.954963923 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.954986095 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.957878113 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.957906961 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.957998037 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.960839033 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.960863113 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.960953951 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.964852095 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.964884996 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.965053082 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.966298103 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.966320992 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.966459990 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.968224049 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.968250036 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.968362093 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.970232964 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.970264912 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.970804930 CEST	49747	443	192.168.2.6	216.58.215.225
Apr 1, 2021 07:45:26.972218037 CEST	443	49747	216.58.215.225	192.168.2.6
Apr 1, 2021 07:45:26.972256899 CEST	443	49747	216.58.215.225	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 1, 2021 07:41:38.070863008 CEST	54513	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:38.118454933 CEST	53	54513	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:38.879174948 CEST	62044	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:38.929502964 CEST	53	62044	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:39.825949907 CEST	63791	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:39.876066923 CEST	53	63791	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:41.726422071 CEST	64267	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:41.783688068 CEST	53	64267	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:42.364645004 CEST	49448	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:42.421184063 CEST	53	49448	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:43.635649920 CEST	60342	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:43.685589075 CEST	53	60342	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:51.600878000 CEST	61346	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:51.649561882 CEST	53	61346	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:52.768568993 CEST	51774	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:52.816342115 CEST	53	51774	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:53.692286968 CEST	56023	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:53.739046097 CEST	53	56023	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:54.686860085 CEST	58384	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:54.735239983 CEST	53	58384	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:56.208642006 CEST	60261	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:56.254461050 CEST	53	60261	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:57.274804115 CEST	56061	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:57.323487997 CEST	53	56061	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:58.575582027 CEST	58336	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:58.622155905 CEST	53	58336	8.8.8.8	192.168.2.6
Apr 1, 2021 07:41:59.844504118 CEST	53781	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:41:59.893209934 CEST	53	53781	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:04.149950981 CEST	54064	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:04.195872068 CEST	53	54064	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:05.189529896 CEST	52811	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:05.237653017 CEST	53	52811	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:07.419472933 CEST	55299	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:07.465405941 CEST	53	55299	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:08.486334085 CEST	63745	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:08.532182932 CEST	53	63745	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:09.296761036 CEST	50055	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:09.344470978 CEST	53	50055	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:11.085506916 CEST	61374	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:11.141558886 CEST	53	61374	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:33.522531986 CEST	50339	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:33.589736938 CEST	53	50339	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:35.327601910 CEST	63307	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:35.482263088 CEST	53	63307	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:36.180342913 CEST	49694	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:36.237016916 CEST	53	49694	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:37.043318987 CEST	54982	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:37.097539902 CEST	53	54982	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:37.534673929 CEST	50010	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:37.628061056 CEST	53	50010	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:38.209295988 CEST	63718	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:38.255273104 CEST	53	63718	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:38.802638054 CEST	62116	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:38.859879017 CEST	53	62116	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:39.162408113 CEST	63816	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:39.230982065 CEST	53	63816	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:39.300668955 CEST	55014	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:39.355036974 CEST	53	55014	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:40.345225096 CEST	62208	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:40.391186953 CEST	53	62208	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:41.812714100 CEST	57574	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:41.859698057 CEST	53	57574	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:42.381419897 CEST	51818	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:42.437664986 CEST	53	51818	8.8.8.8	192.168.2.6
Apr 1, 2021 07:42:56.505729914 CEST	56628	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:42:56.561142921 CEST	53	56628	8.8.8.8	192.168.2.6
Apr 1, 2021 07:43:14.194900990 CEST	60778	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:43:14.252999067 CEST	53	60778	8.8.8.8	192.168.2.6
Apr 1, 2021 07:43:22.684170961 CEST	53799	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:43:22.733340979 CEST	53	53799	8.8.8.8	192.168.2.6
Apr 1, 2021 07:43:28.743518114 CEST	54683	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:43:28.814992905 CEST	53	54683	8.8.8.8	192.168.2.6
Apr 1, 2021 07:45:25.612718105 CEST	59329	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:45:25.678809881 CEST	53	59329	8.8.8.8	192.168.2.6
Apr 1, 2021 07:45:26.367213011 CEST	64021	53	192.168.2.6	8.8.8.8
Apr 1, 2021 07:45:26.431298018 CEST	53	64021	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 1, 2021 07:45:26.367213011 CEST	192.168.2.6	8.8.8.8	0xfc91	Standard query (0)	doc-14-a0-docs.googleusercontent.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 1, 2021 07:45:26.431298018 CEST	8.8.8.8	192.168.2.6	0xfc91	No error (0)	doc-14-a0-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Apr 1, 2021 07:45:26.431298018 CEST	8.8.8.8	192.168.2.6	0xfc91	No error (0)	googlehosted.l.googleusercontent.com		216.58.215.225	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 1, 2021 07:45:26.534079075 CEST	216.58.215.225	443	192.168.2.6	49747	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Mar 16 20:32:57 CET 2021 Thu Jun 15 02:00:42 CEST 2017	Tue Jun 08 21:32:56 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Apr 1, 2021 07:45:26.534079075 CEST	216.58.215.225	443	192.168.2.6	49747	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: AMPUTERE.exe PID: 6608 Parent PID: 5964

General

Start time:	07:41:46
Start date:	01/04/2021
Path:	C:\Users\user\Desktop\AMPUTERE.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\AMPUTERE.exe'
Imagebase:	0x400000
File size:	90112 bytes
MD5 hash:	F2FA3C87DE32858F1244FB352873F399
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Analysis Process: RegAsm.exe PID: 6044 Parent PID: 6608

General

Start time:	07:45:13
Start date:	01/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\AMPUTERE.exe'
Imagebase:	0xd30000
File size:	53248 bytes
MD5 hash:	529695608EAFBED00ACA9E61EF333A7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.864518316.000000001DEE1000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000013.00000002.859923887.0000000001102000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: conhost.exe PID: 1212 Parent PID: 6044

General

Start time:	07:45:13
Start date:	01/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff614b90000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report AMPUTERE.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

Behavior