Analysis Report FAKTURA I RACHUNKI.exe

Overview

General Information

Sample Name: FAKTURA I RACHUNKI.exe
Analysis ID: 383950
MD5: ac62ebbbf6ec96f48a8cca64793bf8fb
SHA1: c1e10d41d090cb7d0505b46a1b48f3f533aa6aad
SHA256: 5708e5be9ec5564f3f16b38f87b0c7a0178274ed580a8566e31a995a80e353bb
Tags: GuLoader

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for reading data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

AV Detection:

Found malware configuration
Source: RegAsm.exe.5612.2.memstr Malware Configuration Extractor: Agenttesla {"Username: ": "JrBJv6DyR8", "URL: ": "http://KeXrtgodXUi1h.com", "To: ": "syndic8@yandex.com", "ByHost: ": "mail.brimaq.com:587", "Password: ": "UXB9CyQFuVvwdgx", "From: ": "jaen@brimaq.com"}
Multi AV Scanner detection for submitted file
Source: FAKTURA I RACHUNKI.exe Virustotal: Detection: 21%
Source: FAKTURA I RACHUNKI.exe ReversingLabs: Detection: 12%

Compliance:

Uses 32bit PE files
Source: FAKTURA I RACHUNKI.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 172.217.168.33:443 -> 192.168.2.6:49717 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://KeXrtgodXUi1h.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49751 -> 78.128.8.31:587
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEPOINTBG TELEPOINTBG
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.6:49751 -> 78.128.8.31:587
Source: unknown DNS traffic detected: queries for: doc-0s-1k-docs.googleusercontent.com
Source: RegAsm.exe, 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp String found in binary or memory: http://KeXrtgodXUi1h.com
Source: RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RegAsm.exe, 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp String found in binary or memory: http://bbllRW.com
Source: RegAsm.exe, 00000002.00000002.614735524.000000001DE41000.00000004.00000001.sdmp String found in binary or memory: http://brimaq.com
Source: RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegAsm.exe, 00000002.00000002.609009636.00000000012BB000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 00000002.00000002.614735524.000000001DE41000.00000004.00000001.sdmp String found in binary or memory: http://mail.brimaq.com
Source: RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 00000002.00000002.609009636.00000000012BB000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RegAsm.exe, 00000002.00000002.609009636.00000000012BB000.00000004.00000020.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: RegAsm.exe, 00000002.00000002.609079572.0000000001300000.00000004.00000020.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp String found in binary or memory: https://doc-0s-1k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ilq0gs3h
Source: RegAsm.exe String found in binary or memory: https://drive.google.com/uc?export=download&id=16YYVHnEy9_-NyGEipJqgNlcMWFoYiAxO
Source: RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: RegAsm.exe, 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown HTTPS traffic detected: 172.217.168.33:443 -> 192.168.2.6:49717 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for reading data from the clipboard
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_0041112C OpenClipboard, 0_2_0041112C

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_023450CB NtResumeThread, 0_2_023450CB
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_02345294 NtResumeThread, 0_2_02345294
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_0234533A NtResumeThread, 0_2_0234533A
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_02345170 NtResumeThread, 0_2_02345170
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_02345162 NtResumeThread, 0_2_02345162
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_023453E8 NtResumeThread, 0_2_023453E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00F8525E NtSetInformationThread, 2_2_00F8525E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00F84E07 NtProtectVirtualMemory, 2_2_00F84E07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00F853E8 NtSetInformationThread, 2_2_00F853E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00F85294 NtSetInformationThread, 2_2_00F85294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00F8533A NtSetInformationThread, 2_2_00F8533A
Detected potential crypto function
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00406B0F 0_2_00406B0F
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_023450CB 0_2_023450CB
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_02342036 0_2_02342036
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_02342022 0_2_02342022
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_02340E2E 0_2_02340E2E
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_0234087D 0_2_0234087D
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_023446F2 0_2_023446F2
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_02341CEE 0_2_02341CEE
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_0234173A 0_2_0234173A
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_02344328 0_2_02344328
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_02342B1B 0_2_02342B1B
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_02343D76 0_2_02343D76
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_02345170 0_2_02345170
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_02342372 0_2_02342372
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_02342379 0_2_02342379
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_02345162 0_2_02345162
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_0234156B 0_2_0234156B
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_02340954 0_2_02340954
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_023447A7 0_2_023447A7
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_02341587 0_2_02341587
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_023409E5 0_2_023409E5
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_023439C3 0_2_023439C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_01391900 2_2_01391900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0139B9B5 2_2_0139B9B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_013919E4 2_2_013919E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_01397898 2_2_01397898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0139EE30 2_2_0139EE30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0139AAA8 2_2_0139AAA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_013987E0 2_2_013987E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_013A2020 2_2_013A2020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_013A2768 2_2_013A2768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_013A2F6D 2_2_013A2F6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_013AB740 2_2_013AB740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1CDA6720 2_2_1CDA6720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1CDA5000 2_2_1CDA5000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1CDAB288 2_2_1CDAB288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1CDB34A0 2_2_1CDB34A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1CDB5D80 2_2_1CDB5D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1CDB4D00 2_2_1CDB4D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1CDB97D8 2_2_1CDB97D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1CDB8010 2_2_1CDB8010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1CDBAC90 2_2_1CDBAC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1CDBDF78 2_2_1CDBDF78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1CDB1108 2_2_1CDB1108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1CDB1AD7 2_2_1CDB1AD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_1CDB1AE8 2_2_1CDB1AE8
PE file contains strange resources
Source: FAKTURA I RACHUNKI.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: FAKTURA I RACHUNKI.exe, 00000000.00000002.397678090.000000000041A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamespiritu.exe vs FAKTURA I RACHUNKI.exe
Source: FAKTURA I RACHUNKI.exe Binary or memory string: OriginalFilenamespiritu.exe vs FAKTURA I RACHUNKI.exe
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Uses 32bit PE files
Source: FAKTURA I RACHUNKI.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/1@3/2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_01
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe File created: C:\Users\user\AppData\Local\Temp\~DF991822A0E7AF3EFE.TMP
Source: FAKTURA I RACHUNKI.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe 'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe'
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe'
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000002.00000002.608367607.0000000000F81000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5612, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00402465 pushfd ; iretd 0_2_00402494
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00406C05 push C868CBC8h; retf 0_2_00406C0A
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00406C0B push C868CBC8h; retf 0_2_00406C10
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00406C11 push C868CBC8h; retf 0_2_00406C16
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00406C17 push C868CBC8h; retf 0_2_00406C1C
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00403281 push dword ptr [edi-4B012F33h]; retf 0_2_00403294
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00402495 pushfd ; iretd 0_2_00402498
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00402699 pushfd ; iretd 0_2_0040269C
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00402F70 pushfd ; iretd 0_2_00402F78
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00403703 push fs; ret 0_2_0040379C
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00403329 pushfd ; iretd 0_2_0040332C
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00406BC9 push C868CBC8h; retf 0_2_00406BCE
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00406BCF push C868CBC8h; retf 0_2_00406BD4
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00406BD5 push C868CBC8h; retf 0_2_00406BDA
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00406BDB push C868CBC8h; retf 0_2_00406BE0
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_004051DF pushfd ; iretd 0_2_004051E0
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_004043E0 pushfd ; iretd 0_2_004043E4
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00406BE1 push C868CBC8h; retf 0_2_00406BE6
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00406BE7 push C868CBC8h; retf 0_2_00406BEC
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00406BED push C868CBC8h; retf 0_2_00406BF2
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00406BF3 push C868CBC8h; retf 0_2_00406BF8
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00406BF9 push C868CBC8h; retf 0_2_00406BFE
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_00406BFF push C868CBC8h; retf 0_2_00406C04
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_0234006B push ebx; ret 0_2_02340072
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_02341131 pushfd ; iretd 0_2_02341132
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_02344504 push esi; retf 0_2_02344506
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_01398478 pushfd ; retf 551Fh 2_2_013987A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0139D23C push eax; iretd 2_2_0139D23D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_013A7A37 push edi; retn 0000h 2_2_013A7A39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_013A1E00 push edx; retf 2_2_013A1E0B

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe RDTSC instruction interceptor: First address: 0000000002342385 second address: 0000000002342385 instructions:
    0x00000000 rdtsc
    0x00000002 xor eax, eax
    0x00000004 inc eax
    0x00000005 cpuid
    0x00000007 popad
    0x00000008 call 00007F4DA0B46EF8h
    0x0000000d lfence
    0x00000010 mov edx, dword ptr [7FFE0014h]
    0x00000016 lfence
    0x00000019 ret
    0x0000001a sub edx, esi
    0x0000001c ret
    0x0000001d test dx, ax
    0x00000020 pop ecx
    0x00000021 cmp dl, FFFFFF90h
    0x00000024 add edi, edx
    0x00000026 dec ecx
    0x00000027 cmp ecx, 00000000h
    0x0000002a jne 00007F4DA0B46EDBh
    0x0000002c push ecx
    0x0000002d cmp dl, bl
    0x0000002f call 00007F4DA0B46F0Dh
    0x00000034 call 00007F4DA0B46F08h
    0x00000039 lfence
    0x0000003c mov edx, dword ptr [7FFE0014h]
    0x00000042 lfence
    0x00000045 ret
    0x00000046 mov esi, edx
    0x00000048 pushad
    0x00000049 rdtsc
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe RDTSC instruction interceptor: First address: 0000000002345485 second address: 0000000002345485 instructions:
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe RDTSC instruction interceptor: First address: 0000000002340984 second address: 0000000002340984 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F80B51 second address: 0000000000F80B51 instructions:
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect Any.run
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe RDTSC instruction interceptor: First address: 0000000002342385 second address: 0000000002342385 instructions: (same sequence as listed under "Detected RDTSC dummy instruction sequence" above)
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe RDTSC instruction interceptor: First address: 00000000023424DB second address: 00000000023424DB instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a ret
    0x0000000b mov esi, edx
    0x0000000d pushad
    0x0000000e xor eax, eax
    0x00000010 inc eax
    0x00000011 cpuid
    0x00000013 bt ecx, 1Fh
    0x00000017 jc 00007F4DA05B9491h
    0x0000001d popad
    0x0000001e call 00007F4DA05B7370h
    0x00000023 lfence
    0x00000026 rdtsc
    Note: CPUID leaf 1 (eax set to 1 by xor eax, eax / inc eax) reports the hypervisor-present flag in ECX bit 31; bt ecx, 1Fh / jc branches on exactly that bit, so this loop is a hypervisor check wrapped in the same RDTSC timing frame.
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe RDTSC instruction interceptor: First address: 0000000002345485 second address: 0000000002345485 instructions:
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe RDTSC instruction interceptor: First address: 0000000002340984 second address: 0000000002340984 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F824DB second address: 0000000000F824DB instructions: (same sequence as the 00000000023424DB entry above, relocated into RegAsm.exe; jc target 00007F4DA0B49021h, call target 00007F4DA0B46F00h)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F80B51 second address: 0000000000F80B51 instructions:
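The interceptor listings above are the raw material an analyst works from. As an added example (not code from the report, the sandbox vendor or the malware), the following Python parses a Joe Sandbox "RDTSC instruction interceptor" line and flags what makes the loop a sandbox check: consecutive RDTSC reads at the same address, a CPUID leaf-1 call followed by a bt ecx, 1Fh test of the hypervisor-present bit, a counted loop, and reads of KUSER_SHARED_DATA time fields such as SystemTime at 7FFE0014h. The two sample lines are copies of the FAKTURA I RACHUNKI.exe listings above; the finding names and verdict strings are this example's own.

```python
"""Added example, not part of the Joe Sandbox report: parse the report's
"RDTSC instruction interceptor" lines and classify what the loop between the
two RDTSC reads is doing. Finding names and verdicts are this example's own."""
import re

# KUSER_SHARED_DATA (mapped read-only at 0x7FFE0000 in every process) fields
# that malware reads as a wall-clock reference to compare against the TSC.
KUSER_SHARED_DATA_FIELDS = {
    "7ffe0008h": "InterruptTime",
    "7ffe0014h": "SystemTime",
    "7ffe0320h": "TickCount",
}

LINE_RE = re.compile(
    r"First address: ([0-9A-Fa-f]+) second address: ([0-9A-Fa-f]+) instructions: (.*)$")
# Each instruction is introduced by an 8-digit offset; operands use the "h"
# suffix, never "0x", so the offset is a safe delimiter.
INSN_RE = re.compile(r"0x([0-9A-Fa-f]{8}) (.+?)(?= 0x[0-9A-Fa-f]{8} |$)")


def parse_interceptor_line(line: str):
    """Return (first_address, second_address, [(offset, instruction), ...])."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not an RDTSC instruction interceptor line")
    first, second, body = m.groups()
    insns = [(int(off, 16), text.strip().lower()) for off, text in INSN_RE.findall(body)]
    return first.lower(), second.lower(), insns


def classify(line: str) -> dict:
    first, second, insns = parse_interceptor_line(line)
    text = [t for _, t in insns]
    findings = {
        "rdtsc_count": text.count("rdtsc"),
        "loops_on_itself": first == second,
        "serialized_with_lfence": "lfence" in text,
        "counted_loop": any(t.startswith("dec ecx") for t in text)
                        and any(t.startswith("jne") for t in text),
        "kuser_shared_reads": sorted({
            KUSER_SHARED_DATA_FIELDS[a]
            for t in text for a in re.findall(r"\[(7ffe[0-9a-f]{4}h)\]", t)
            if a in KUSER_SHARED_DATA_FIELDS}),
        "cpuid_leaf1": False,
        "hypervisor_bit_test": False,
    }
    for i, t in enumerate(text):
        if t != "cpuid":
            continue
        before = text[max(0, i - 3):i]
        if "mov eax, 1" in before or ("xor eax, eax" in before and "inc eax" in before):
            findings["cpuid_leaf1"] = True
            # CPUID.1:ECX[31] is the hypervisor-present bit; bt ecx, 1Fh / jc tests it.
            if any(n.startswith("bt ecx, 1fh") for n in text[i + 1:i + 4]):
                findings["hypervisor_bit_test"] = True
    if findings["hypervisor_bit_test"]:
        findings["verdict"] = "cpuid hypervisor-present check inside rdtsc timing"
    elif findings["rdtsc_count"] >= 2 and findings["counted_loop"] and findings["kuser_shared_reads"]:
        findings["verdict"] = "rdtsc instruction hammering against " + "/".join(findings["kuser_shared_reads"])
    elif findings["rdtsc_count"] >= 2:
        findings["verdict"] = "rdtsc timing check"
    else:
        findings["verdict"] = "no timing check recognised"
    return findings


# Copies of the two FAKTURA I RACHUNKI.exe listings from the report.
HAMMERING_LINE = (
    "Source: C:\\Users\\user\\Desktop\\FAKTURA I RACHUNKI.exe RDTSC instruction interceptor: "
    "First address: 0000000002342385 second address: 0000000002342385 instructions: "
    "0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid "
    "0x00000007 popad 0x00000008 call 00007F4DA0B46EF8h 0x0000000d lfence "
    "0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret "
    "0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test dx, ax 0x00000020 pop ecx "
    "0x00000021 cmp dl, FFFFFF90h 0x00000024 add edi, edx 0x00000026 dec ecx "
    "0x00000027 cmp ecx, 00000000h 0x0000002a jne 00007F4DA0B46EDBh 0x0000002c push ecx "
    "0x0000002d cmp dl, bl 0x0000002f call 00007F4DA0B46F0Dh 0x00000034 call 00007F4DA0B46F08h "
    "0x00000039 lfence 0x0000003c mov edx, dword ptr [7FFE0014h] 0x00000042 lfence "
    "0x00000045 ret 0x00000046 mov esi, edx 0x00000048 pushad 0x00000049 rdtsc"
)
HYPERVISOR_LINE = (
    "Source: C:\\Users\\user\\Desktop\\FAKTURA I RACHUNKI.exe RDTSC instruction interceptor: "
    "First address: 00000000023424DB second address: 00000000023424DB instructions: "
    "0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax "
    "0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax "
    "0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F4DA05B9491h "
    "0x0000001d popad 0x0000001e call 00007F4DA05B7370h 0x00000023 lfence 0x00000026 rdtsc"
)

if __name__ == "__main__":
    for sample in (HAMMERING_LINE, HYPERVISOR_LINE):
        print(classify(sample))
```

The classifier is deliberately narrow: it keys on the three things that give these loops away (RDTSC pairs at one address, CPUID leaf 1 with a bit-31 test, KUSER_SHARED_DATA time reads) rather than trying to emulate the junk instructions between them, which change from sample to sample.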
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00F824D8 rdtsc 2_2_00F824D8
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 (Int64.MaxValue / 10000, i.e. TimeSpan.MaxValue expressed in milliseconds: an effectively infinite sleep; see "Sample execution stops while process was sleeping" below)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 1095
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 8754
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4980 Thread sleep time: -14757395258967632s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: RegAsm.exe, 00000002.00000002.608987093.000000000129C000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: RegAsm.exe Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger (reported twice)
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00F824D8 rdtsc 2_2_00F824D8
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Code function: 0_2_02342E6B LdrInitializeThunk, 0_2_02342E6B
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00F822DB mov eax, dword ptr fs:[00000030h] 2_2_00F822DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00F849C5 mov eax, dword ptr fs:[00000030h] 2_2_00F849C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00F84A48 mov eax, dword ptr fs:[00000030h] 2_2_00F84A48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00F83F39 mov eax, dword ptr fs:[00000030h] 2_2_00F83F39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00F84310 mov eax, dword ptr fs:[00000030h] 2_2_00F84310
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F80000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe' (reported twice; note that the child image is RegAsm.exe while its command line is the loader's own path: this image/command-line mismatch, together with the foreign memory write to RegAsm.exe at base F80000 above, is the process hollowing pattern)
Source: RegAsm.exe, 00000002.00000002.609296297.00000000017B0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000002.00000002.609296297.00000000017B0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 00000002.00000002.609296297.00000000017B0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: RegAsm.exe, 00000002.00000002.609296297.00000000017B0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe Queries volume information: C:\ VolumeInformation (reported 3 times)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (reported 3 times)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5612, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (reported twice)
Yara detected Credential Stealer
Source: Yara match File source: 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5612, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000002.00000002.614309170.000000001DAE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5612, type: MEMORY
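Detection logic for the RegAsm.exe behaviour this report attributes to the sample, as an added example that is not part of the report or of any vendor's rule set: a .NET utility started from a user-profile loader with the loader's own path as its command line (the "Creates a process in suspended mode" entry above), an outbound connection from that utility to an SMTP port (the "RegAsm connects to smtp port" Sigma hit and the port 587 connection in the behavior graph below), and reads of the browser, FTP and mail credential stores listed under "Stealing of Sensitive Information". It runs over constructed telemetry events that mirror the report's findings; the Event schema, rule names, the list of hollowing targets and the two benign control events are assumptions made for this example.

```python
"""Added example (not part of the Joe Sandbox report or any vendor's rules):
detection logic for the RegAsm.exe behaviour documented above, evaluated over
constructed telemetry events. Schema, rule names and controls are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# .NET framework utilities that loaders of this kind start suspended and hollow.
DOTNET_HOLLOW_TARGETS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}
# Mail ports; the report shows RegAsm.exe reaching 78.128.8.31 on 587.
SMTP_PORTS = {25, 465, 587}
# Credential stores the report shows RegAsm.exe opening (lower-case path
# suffixes; the SmartFTP entry is a directory, hence no file name).
CREDENTIAL_STORES = {
    "browser": (r"\google\chrome\user data\default\login data",
                r"\mozilla\firefox\profiles.ini"),
    "ftp": (r"\filezilla\recentservers.xml",
            r"\smartftp\client 2.0\favorites\quick connect"),
    "mail": (r"\thunderbird\profiles.ini",),
}


@dataclass
class Event:
    kind: str                 # "process", "network" or "file"
    image: str                # full path of the acting process
    pid: int
    parent_image: str = ""    # process events
    command_line: str = ""    # process events
    dest_ip: str = ""         # network events
    dest_port: int = 0
    path: str = ""            # file events


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def _image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _cmdline_exe(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted executable path."""
    cmdline = cmdline.strip()
    if cmdline and cmdline[0] in "'\"":
        end = cmdline.find(cmdline[0], 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split()[0] if cmdline else ""


def _store_category(path: str):
    p = path.lower().rstrip("\\")
    for category, suffixes in CREDENTIAL_STORES.items():
        if any(p.endswith(s) for s in suffixes):
            return category
    return None


def detect(events) -> list:
    alerts = []
    stores_by_pid = defaultdict(set)
    for e in events:
        image = _image_name(e.image)
        if image not in DOTNET_HOLLOW_TARGETS:
            continue
        if e.kind == "process":
            exe = _cmdline_exe(e.command_line)
            # Hollowing tell from the report: image is RegAsm.exe, command line is
            # the loader's own path.
            if exe and _image_name(exe) != image:
                alerts.append(Alert("dotnet_utility_cmdline_mismatch", e.pid,
                                    f"{image} started with command line of {_image_name(exe)}"))
            if "\\users\\" in e.parent_image.lower():
                alerts.append(Alert("dotnet_utility_spawned_from_user_profile", e.pid,
                                    f"parent {e.parent_image}"))
        elif e.kind == "network" and e.dest_port in SMTP_PORTS:
            alerts.append(Alert("dotnet_utility_smtp_connection", e.pid,
                                f"{image} -> {e.dest_ip}:{e.dest_port}"))
        elif e.kind == "file":
            category = _store_category(e.path)
            if category:
                stores_by_pid[e.pid].add(category)
                alerts.append(Alert("dotnet_utility_reads_credential_store", e.pid,
                                    f"{category}: {e.path}"))
    # Correlation: one process touching two or more store categories is harvesting.
    for pid, categories in stores_by_pid.items():
        if len(categories) >= 2:
            alerts.append(Alert("credential_harvesting_multiple_stores", pid,
                                ", ".join(sorted(categories))))
    return alerts


REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
LOADER = r"C:\Users\user\Desktop\FAKTURA I RACHUNKI.exe"
# Constructed events mirroring the report (5612 is the RegAsm.exe PID it names);
# the last two are benign controls and do not come from the report.
SAMPLE_EVENTS = [
    Event("process", REGASM, 5612, parent_image=LOADER, command_line=f"'{LOADER}'"),
    Event("network", REGASM, 5612, dest_ip="78.128.8.31", dest_port=587),
    Event("file", REGASM, 5612, path=r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("file", REGASM, 5612, path=r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"),
    Event("file", REGASM, 5612, path=r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    Event("process", REGASM, 7000,
          parent_image=r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe",
          command_line=f'"{REGASM}" /codebase MyLib.dll'),
    Event("network", r"C:\Program Files\Google\Chrome\Application\chrome.exe", 4242,
          dest_ip="172.217.168.33", dest_port=443),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

The command-line rule is the cheapest of the four to deploy and the hardest for a loader to avoid: a legitimately invoked RegAsm.exe carries its own path plus assembly arguments, while a hollowed one inherits whatever the loader passed to CreateProcess, here the loader's own path. The SMTP and credential-store rules are noisier on their own and are best kept scoped to the hollowing targets, as done here, rather than applied to every process.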
Behavior Graph (ID: 383950; sample: FAKTURA I RACHUNKI.exe; start date: 08/04/2021; architecture: WINDOWS; score: 100)

Sample-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Sigma detected: RegAsm connects to smtp port; 6 other signatures

FAKTURA I RACHUNKI.exe (started)
  signatures: Writes to foreign memory regions; Tries to detect Any.run; Hides threads from debuggers
  -> RegAsm.exe (started)
       network: brimaq.com 78.128.8.31 (ports 49751, 587), TELEPOINTBG, Bulgaria; mail.brimaq.com; 2 other IPs or domains
       signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
       -> conhost.exe (started)
  -> RegAsm.exe (started)
       signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect virtualization through RDTSC time measurements

Contacted Public IPs

IP              Domain                                 Country        ASN    ASN Name     Malicious
172.217.168.33  googlehosted.l.googleusercontent.com   United States  15169  GOOGLEUS     false
78.128.8.31     brimaq.com                             Bulgaria       31083  TELEPOINTBG  true

Contacted Domains

Name                                   IP              Active
brimaq.com                             78.128.8.31     true
googlehosted.l.googleusercontent.com   172.217.168.33  true
mail.brimaq.com                        unknown         unknown
doc-0s-1k-docs.googleusercontent.com   unknown         unknown

Contacted URLs

Name                      Malicious  Antivirus Detection    Reputation
http://KeXrtgodXUi1h.com  true       Avira URL Cloud: safe  unknown