Analysis Report Transferencia

Overview

General Information

Sample Name:	Transferencia (renamed file extension from none to exe)
Analysis ID:	384290
MD5:	7c22c3e3b8726dd1b03e69c203590026
SHA1:	7715be6b73e52535d81b083a3dfd95568a729782
SHA256:	96fb89fdc3873864981ec26c355111c26c7ab5132770ead9d1d97bdfac32e566
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contain functionality to detect virtual machines

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contains functionality to hide a thread from the debugger

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Hides threads from debuggers

Machine Learning detection for sample

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: Transferencia.exe	Virustotal: Detection: 28%			Perma Link
Source: Transferencia.exe	ReversingLabs: Detection: 68%

Machine Learning detection for sample

Source: Transferencia.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: Transferencia.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: RegAsm.exe, 0000000B.00000002.902853536.000000000133A000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1cUL0K7dYgbhK7vN-RFg
Source: RegAsm.exe, 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1cUL0K7dYgbhK7vN-RFgTfWB-AllHwx8q

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\Transferencia.exe

Code function: 0_2_004145B8 OpenClipboard,

0_2_004145B8

System Summary:

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\Transferencia.exe

Process Stats: CPU usage > 98%

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01372C3F NtSetInformationThread,	11_2_01372C3F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_0137849A NtProtectVirtualMemory,	11_2_0137849A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370724 EnumWindows,NtSetInformationThread,	11_2_01370724
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370BF8 NtSetInformationThread,LoadLibraryA,	11_2_01370BF8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_0137096A NtSetInformationThread,	11_2_0137096A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370942 NtSetInformationThread,	11_2_01370942
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_0137099A NtSetInformationThread,	11_2_0137099A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013709FC NtSetInformationThread,	11_2_013709FC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013769E2 NtSetInformationThread,	11_2_013769E2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013709C6 NtSetInformationThread,	11_2_013709C6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01376409 NtSetInformationThread,LoadLibraryA,	11_2_01376409
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370878 NtSetInformationThread,	11_2_01370878
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_0137846D NtProtectVirtualMemory,	11_2_0137846D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_0137844B NtProtectVirtualMemory,	11_2_0137844B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_0137084A NtSetInformationThread,	11_2_0137084A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370848 NtSetInformationThread,	11_2_01370848
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013708BA NtSetInformationThread,	11_2_013708BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013764F1 NtSetInformationThread,	11_2_013764F1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013708E7 NtSetInformationThread,	11_2_013708E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01377BEA NtSetInformationThread,	11_2_01377BEA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370A24 NtSetInformationThread,	11_2_01370A24
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370A6E NtSetInformationThread,	11_2_01370A6E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370AC7 NtSetInformationThread,	11_2_01370AC7

PE file contains strange resources

Source: Transferencia.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: Transferencia.exe, 00000000.00000002.903176673.00000000020A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2X vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.903176673.00000000020A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2X0 vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.903176673.00000000020A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2XG vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.903176673.00000000020A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2X5 vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.903176673.00000000020A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2Xx vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.903176673.00000000020A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000000.633684850.0000000000419000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exe vs Transferencia.exe
Source: Transferencia.exe	Binary or memory string: OriginalFilenameYCIETRA.exe vs Transferencia.exe

Tries to load missing DLLs

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Uses 32bit PE files

Source: Transferencia.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal96.troj.evad.winEXE@4/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_01

Source: C:\Users\user\Desktop\Transferencia.exe

File created: C:\Users\user\AppData\Local\Temp\~DF41317356142881DA.TMP

Jump to behavior

Source: Transferencia.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Transferencia.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Transferencia.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Transferencia.exe	Virustotal: Detection: 28%
Source: Transferencia.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\Transferencia.exe 'C:\Users\user\Desktop\Transferencia.exe'
Source: C:\Users\user\Desktop\Transferencia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Transferencia.exe'
Source: C:\Users\user\Desktop\Transferencia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Transferencia.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader

Source: Yara match	File source: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7080, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00404E48 pushfd ; iretd	0_2_00404E49
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00404049 pushfd ; iretd	0_2_0040404D
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_0040904D push eax; ret	0_2_00409056
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_004020CE pushfd ; iretd	0_2_004020FD
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402EEA push dword ptr [edi-4B012F33h]; retf	0_2_00402EFD
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_004020FE pushfd ; iretd	0_2_00402101
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00407E96 push esi; iretd	0_2_00407E9D
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_0040336C push fs; ret	0_2_00403405
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00408F70 push eax; ret	0_2_00408F7E
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00408976 push eax; ret	0_2_0040897A
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402302 pushfd ; iretd	0_2_00402305
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_0040911A push eax; iretd	0_2_00409182
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402BD9 pushfd ; iretd	0_2_00402BE1
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402F92 pushfd ; iretd	0_2_00402F95

Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contain functionality to detect virtual machines

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: C:\Program Files\Qemu-ga\qemu-ga.exe C:\Program Files\Qemu-ga\qemu-ga.exe		11_2_01374236
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: C:\Program Files\Qemu-ga\qemu-ga.exe C:\Program Files\Qemu-ga\qemu-ga.exe		11_2_0137421B

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370CFF LoadLibraryA,	11_2_01370CFF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370BF8 NtSetInformationThread,LoadLibraryA,	11_2_01370BF8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370D04	11_2_01370D04
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01371DBB LoadLibraryA,	11_2_01371DBB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370C23	11_2_01370C23
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370CBA	11_2_01370CBA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370B8E	11_2_01370B8E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01377E0C LoadLibraryA,	11_2_01377E0C

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000423DB0 second address: 0000000000423DB0 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F48AD0D24F8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test al, bl 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 jmp 00007F48AD0D2512h 0x00000024 cmp dh, 00000056h 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007F48AD0D244Ch 0x00000031 push ecx 0x00000032 jmp 00007F48AD0D2512h 0x00000034 push esi 0x00000035 jmp 00007F48AD0D2537h 0x00000037 call 00007F48AD0D24CCh 0x0000003c pop esi 0x0000003d jmp esi 0x0000003f pop esi 0x00000040 call 00007F48AD0D2568h 0x00000045 call 00007F48AD0D2508h 0x0000004a lfence 0x0000004d mov edx, dword ptr [7FFE0014h] 0x00000053 lfence 0x00000056 ret 0x00000057 mov esi, edx 0x00000059 pushad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000427E3E second address: 0000000000427E3E instructions:
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000420CE2 second address: 0000000000420CE2 instructions:

Tries to detect Any.run

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000423DB0 second address: 0000000000423DB0 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F48AD0D24F8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test al, bl 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 jmp 00007F48AD0D2512h 0x00000024 cmp dh, 00000056h 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007F48AD0D244Ch 0x00000031 push ecx 0x00000032 jmp 00007F48AD0D2512h 0x00000034 push esi 0x00000035 jmp 00007F48AD0D2537h 0x00000037 call 00007F48AD0D24CCh 0x0000003c pop esi 0x0000003d jmp esi 0x0000003f pop esi 0x00000040 call 00007F48AD0D2568h 0x00000045 call 00007F48AD0D2508h 0x0000004a lfence 0x0000004d mov edx, dword ptr [7FFE0014h] 0x00000053 lfence 0x00000056 ret 0x00000057 mov esi, edx 0x00000059 pushad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000424092 second address: 0000000000424092 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F48ACAC7A70h 0x0000001d popad 0x0000001e call 00007F48ACAC4545h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000427E3E second address: 0000000000427E3E instructions:
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000420CE2 second address: 0000000000420CE2 instructions:
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000420FA9 second address: 0000000000421036 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b add edi, 00010000h 0x00000011 jmp 00007F48AD0D2516h 0x00000013 test bh, ah 0x00000015 push edi 0x00000016 test ch, dh 0x00000018 add edi, 04h 0x0000001b push edi 0x0000001c pushad 0x0000001d mov ax, 0E01h 0x00000021 cmp ax, 00000E01h 0x00000025 jne 00007F48AD0D1D9Fh 0x0000002b popad 0x0000002c add edi, 04h 0x0000002f push edi 0x00000030 jmp 00007F48AD0D251Ah 0x00000032 test ecx, ebx 0x00000034 push 0003E800h 0x00000039 cmp ax, 00001CE5h 0x0000003d pushad 0x0000003e lfence 0x00000041 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001374092 second address: 0000000001374092 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F48ACAC7A70h 0x0000001d popad 0x0000001e call 00007F48ACAC4545h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001370FA9 second address: 0000000001371036 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b add edi, 00010000h 0x00000011 jmp 00007F48AD0D2516h 0x00000013 test bh, ah 0x00000015 push edi 0x00000016 test ch, dh 0x00000018 add edi, 04h 0x0000001b push edi 0x0000001c pushad 0x0000001d mov ax, 0E01h 0x00000021 cmp ax, 00000E01h 0x00000025 jne 00007F48AD0D1D9Fh 0x0000002b popad 0x0000002c add edi, 04h 0x0000002f push edi 0x00000030 jmp 00007F48AD0D251Ah 0x00000032 test ecx, ebx 0x00000034 push 0003E800h 0x00000039 cmp ax, 00001CE5h 0x0000003d pushad 0x0000003e lfence 0x00000041 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 11_2_01372C3F rdtsc

11_2_01372C3F

Found large amount of non-executed APIs

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

API coverage: 7.2 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 7056

Thread sleep time: -1020000s >= -30000s

Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: RegAsm.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 11_2_01372C3F NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000

11_2_01372C3F

Found potential dummy code loops (likely to delay analysis)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process Stats: CPU usage > 90% for more than 60s

Hides threads from debuggers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread information set: HideFromDebugger

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 11_2_01372C3F rdtsc

11_2_01372C3F

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 11_2_01375079 LdrInitializeThunk,

11_2_01375079

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013729A6 mov eax, dword ptr fs:[00000030h]	11_2_013729A6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_0137299C mov eax, dword ptr fs:[00000030h]	11_2_0137299C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013729E7 mov eax, dword ptr fs:[00000030h]	11_2_013729E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013760E3 mov eax, dword ptr fs:[00000030h]	11_2_013760E3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01373B32 mov eax, dword ptr fs:[00000030h]	11_2_01373B32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01371FD0 mov eax, dword ptr fs:[00000030h]	11_2_01371FD0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01372A37 mov eax, dword ptr fs:[00000030h]	11_2_01372A37
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01377E22 mov eax, dword ptr fs:[00000030h]	11_2_01377E22
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01376E17 mov eax, dword ptr fs:[00000030h]	11_2_01376E17
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01377E0C mov eax, dword ptr fs:[00000030h]	11_2_01377E0C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01372696 mov eax, dword ptr fs:[00000030h]	11_2_01372696
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01372684 mov eax, dword ptr fs:[00000030h]	11_2_01372684
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013726DC mov eax, dword ptr fs:[00000030h]	11_2_013726DC

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Transferencia.exe, 00000000.00000002.903129431.0000000000C90000.00000002.00000001.sdmp, RegAsm.exe, 0000000B.00000002.903149361.0000000001B80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Transferencia.exe, 00000000.00000002.903129431.0000000000C90000.00000002.00000001.sdmp, RegAsm.exe, 0000000B.00000002.903149361.0000000001B80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Transferencia.exe, 00000000.00000002.903129431.0000000000C90000.00000002.00000001.sdmp, RegAsm.exe, 0000000B.00000002.903149361.0000000001B80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Transferencia.exe, 00000000.00000002.903129431.0000000000C90000.00000002.00000001.sdmp, RegAsm.exe, 0000000B.00000002.903149361.0000000001B80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

AV Detection:

Multi AV Scanner detection for submitted file

Source: Transferencia.exe	Virustotal: Detection: 28%			Perma Link
Source: Transferencia.exe	ReversingLabs: Detection: 68%

Machine Learning detection for sample

Source: Transferencia.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: Transferencia.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: RegAsm.exe, 0000000B.00000002.902853536.000000000133A000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1cUL0K7dYgbhK7vN-RFg
Source: RegAsm.exe, 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1cUL0K7dYgbhK7vN-RFgTfWB-AllHwx8q

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\Transferencia.exe

Code function: 0_2_004145B8 OpenClipboard,

0_2_004145B8

System Summary:

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\Transferencia.exe

Process Stats: CPU usage > 98%

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01372C3F NtSetInformationThread,	11_2_01372C3F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_0137849A NtProtectVirtualMemory,	11_2_0137849A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370724 EnumWindows,NtSetInformationThread,	11_2_01370724
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370BF8 NtSetInformationThread,LoadLibraryA,	11_2_01370BF8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_0137096A NtSetInformationThread,	11_2_0137096A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370942 NtSetInformationThread,	11_2_01370942
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_0137099A NtSetInformationThread,	11_2_0137099A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013709FC NtSetInformationThread,	11_2_013709FC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013769E2 NtSetInformationThread,	11_2_013769E2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013709C6 NtSetInformationThread,	11_2_013709C6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01376409 NtSetInformationThread,LoadLibraryA,	11_2_01376409
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370878 NtSetInformationThread,	11_2_01370878
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_0137846D NtProtectVirtualMemory,	11_2_0137846D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_0137844B NtProtectVirtualMemory,	11_2_0137844B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_0137084A NtSetInformationThread,	11_2_0137084A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370848 NtSetInformationThread,	11_2_01370848
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013708BA NtSetInformationThread,	11_2_013708BA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013764F1 NtSetInformationThread,	11_2_013764F1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013708E7 NtSetInformationThread,	11_2_013708E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01377BEA NtSetInformationThread,	11_2_01377BEA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370A24 NtSetInformationThread,	11_2_01370A24
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370A6E NtSetInformationThread,	11_2_01370A6E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370AC7 NtSetInformationThread,	11_2_01370AC7

PE file contains strange resources

Source: Transferencia.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: Transferencia.exe, 00000000.00000002.903176673.00000000020A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2X vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.903176673.00000000020A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2X0 vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.903176673.00000000020A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2XG vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.903176673.00000000020A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2X5 vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.903176673.00000000020A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exeFE2Xx vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000002.903176673.00000000020A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs Transferencia.exe
Source: Transferencia.exe, 00000000.00000000.633684850.0000000000419000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameYCIETRA.exe vs Transferencia.exe
Source: Transferencia.exe	Binary or memory string: OriginalFilenameYCIETRA.exe vs Transferencia.exe

Tries to load missing DLLs

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Uses 32bit PE files

Source: Transferencia.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal96.troj.evad.winEXE@4/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_01

Source: C:\Users\user\Desktop\Transferencia.exe

File created: C:\Users\user\AppData\Local\Temp\~DF41317356142881DA.TMP

Jump to behavior

Source: Transferencia.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Transferencia.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Transferencia.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Transferencia.exe	Virustotal: Detection: 28%
Source: Transferencia.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\Transferencia.exe 'C:\Users\user\Desktop\Transferencia.exe'
Source: C:\Users\user\Desktop\Transferencia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Transferencia.exe'
Source: C:\Users\user\Desktop\Transferencia.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe 'C:\Users\user\Desktop\Transferencia.exe'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader

Source: Yara match	File source: 0000000B.00000002.902860214.0000000001370000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7080, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00404E48 pushfd ; iretd	0_2_00404E49
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00404049 pushfd ; iretd	0_2_0040404D
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_0040904D push eax; ret	0_2_00409056
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_004020CE pushfd ; iretd	0_2_004020FD
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402EEA push dword ptr [edi-4B012F33h]; retf	0_2_00402EFD
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_004020FE pushfd ; iretd	0_2_00402101
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00407E96 push esi; iretd	0_2_00407E9D
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_0040336C push fs; ret	0_2_00403405
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00408F70 push eax; ret	0_2_00408F7E
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00408976 push eax; ret	0_2_0040897A
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402302 pushfd ; iretd	0_2_00402305
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_0040911A push eax; iretd	0_2_00409182
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402BD9 pushfd ; iretd	0_2_00402BE1
Source: C:\Users\user\Desktop\Transferencia.exe	Code function: 0_2_00402F92 pushfd ; iretd	0_2_00402F95

Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contain functionality to detect virtual machines

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: C:\Program Files\Qemu-ga\qemu-ga.exe C:\Program Files\Qemu-ga\qemu-ga.exe		11_2_01374236
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: C:\Program Files\Qemu-ga\qemu-ga.exe C:\Program Files\Qemu-ga\qemu-ga.exe		11_2_0137421B

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370CFF LoadLibraryA,	11_2_01370CFF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370BF8 NtSetInformationThread,LoadLibraryA,	11_2_01370BF8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370D04	11_2_01370D04
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01371DBB LoadLibraryA,	11_2_01371DBB
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370C23	11_2_01370C23
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370CBA	11_2_01370CBA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01370B8E	11_2_01370B8E
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01377E0C LoadLibraryA,	11_2_01377E0C

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000423DB0 second address: 0000000000423DB0 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F48AD0D24F8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test al, bl 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 jmp 00007F48AD0D2512h 0x00000024 cmp dh, 00000056h 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007F48AD0D244Ch 0x00000031 push ecx 0x00000032 jmp 00007F48AD0D2512h 0x00000034 push esi 0x00000035 jmp 00007F48AD0D2537h 0x00000037 call 00007F48AD0D24CCh 0x0000003c pop esi 0x0000003d jmp esi 0x0000003f pop esi 0x00000040 call 00007F48AD0D2568h 0x00000045 call 00007F48AD0D2508h 0x0000004a lfence 0x0000004d mov edx, dword ptr [7FFE0014h] 0x00000053 lfence 0x00000056 ret 0x00000057 mov esi, edx 0x00000059 pushad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000427E3E second address: 0000000000427E3E instructions:
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000420CE2 second address: 0000000000420CE2 instructions:

Tries to detect Any.run

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: RegAsm.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000423DB0 second address: 0000000000423DB0 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F48AD0D24F8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test al, bl 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 jmp 00007F48AD0D2512h 0x00000024 cmp dh, 00000056h 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007F48AD0D244Ch 0x00000031 push ecx 0x00000032 jmp 00007F48AD0D2512h 0x00000034 push esi 0x00000035 jmp 00007F48AD0D2537h 0x00000037 call 00007F48AD0D24CCh 0x0000003c pop esi 0x0000003d jmp esi 0x0000003f pop esi 0x00000040 call 00007F48AD0D2568h 0x00000045 call 00007F48AD0D2508h 0x0000004a lfence 0x0000004d mov edx, dword ptr [7FFE0014h] 0x00000053 lfence 0x00000056 ret 0x00000057 mov esi, edx 0x00000059 pushad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000424092 second address: 0000000000424092 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F48ACAC7A70h 0x0000001d popad 0x0000001e call 00007F48ACAC4545h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000427E3E second address: 0000000000427E3E instructions:
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000420CE2 second address: 0000000000420CE2 instructions:
Source: C:\Users\user\Desktop\Transferencia.exe	RDTSC instruction interceptor: First address: 0000000000420FA9 second address: 0000000000421036 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b add edi, 00010000h 0x00000011 jmp 00007F48AD0D2516h 0x00000013 test bh, ah 0x00000015 push edi 0x00000016 test ch, dh 0x00000018 add edi, 04h 0x0000001b push edi 0x0000001c pushad 0x0000001d mov ax, 0E01h 0x00000021 cmp ax, 00000E01h 0x00000025 jne 00007F48AD0D1D9Fh 0x0000002b popad 0x0000002c add edi, 04h 0x0000002f push edi 0x00000030 jmp 00007F48AD0D251Ah 0x00000032 test ecx, ebx 0x00000034 push 0003E800h 0x00000039 cmp ax, 00001CE5h 0x0000003d pushad 0x0000003e lfence 0x00000041 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001374092 second address: 0000000001374092 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F48ACAC7A70h 0x0000001d popad 0x0000001e call 00007F48ACAC4545h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000001370FA9 second address: 0000000001371036 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b add edi, 00010000h 0x00000011 jmp 00007F48AD0D2516h 0x00000013 test bh, ah 0x00000015 push edi 0x00000016 test ch, dh 0x00000018 add edi, 04h 0x0000001b push edi 0x0000001c pushad 0x0000001d mov ax, 0E01h 0x00000021 cmp ax, 00000E01h 0x00000025 jne 00007F48AD0D1D9Fh 0x0000002b popad 0x0000002c add edi, 04h 0x0000002f push edi 0x00000030 jmp 00007F48AD0D251Ah 0x00000032 test ecx, ebx 0x00000034 push 0003E800h 0x00000039 cmp ax, 00001CE5h 0x0000003d pushad 0x0000003e lfence 0x00000041 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 11_2_01372C3F rdtsc

11_2_01372C3F

Found large amount of non-executed APIs

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

API coverage: 7.2 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe TID: 7056

Thread sleep time: -1020000s >= -30000s

Jump to behavior

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: RegAsm.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 11_2_01372C3F NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,?,00000000,00000000

11_2_01372C3F

Found potential dummy code loops (likely to delay analysis)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process Stats: CPU usage > 90% for more than 60s

Hides threads from debuggers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Thread information set: HideFromDebugger

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 11_2_01372C3F rdtsc

11_2_01372C3F

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Code function: 11_2_01375079 LdrInitializeThunk,

11_2_01375079

Contains functionality to read the PEB

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013729A6 mov eax, dword ptr fs:[00000030h]	11_2_013729A6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_0137299C mov eax, dword ptr fs:[00000030h]	11_2_0137299C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013729E7 mov eax, dword ptr fs:[00000030h]	11_2_013729E7
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013760E3 mov eax, dword ptr fs:[00000030h]	11_2_013760E3
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01373B32 mov eax, dword ptr fs:[00000030h]	11_2_01373B32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01371FD0 mov eax, dword ptr fs:[00000030h]	11_2_01371FD0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01372A37 mov eax, dword ptr fs:[00000030h]	11_2_01372A37
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01377E22 mov eax, dword ptr fs:[00000030h]	11_2_01377E22
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01376E17 mov eax, dword ptr fs:[00000030h]	11_2_01376E17
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01377E0C mov eax, dword ptr fs:[00000030h]	11_2_01377E0C
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01372696 mov eax, dword ptr fs:[00000030h]	11_2_01372696
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_01372684 mov eax, dword ptr fs:[00000030h]	11_2_01372684
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe	Code function: 11_2_013726DC mov eax, dword ptr fs:[00000030h]	11_2_013726DC

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Transferencia.exe, 00000000.00000002.903129431.0000000000C90000.00000002.00000001.sdmp, RegAsm.exe, 0000000B.00000002.903149361.0000000001B80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Transferencia.exe, 00000000.00000002.903129431.0000000000C90000.00000002.00000001.sdmp, RegAsm.exe, 0000000B.00000002.903149361.0000000001B80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Transferencia.exe, 00000000.00000002.903129431.0000000000C90000.00000002.00000001.sdmp, RegAsm.exe, 0000000B.00000002.903149361.0000000001B80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Transferencia.exe, 00000000.00000002.903129431.0000000000C90000.00000002.00000001.sdmp, RegAsm.exe, 0000000B.00000002.903149361.0000000001B80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\Transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Transferencia.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

ID:	384290
Product:	CloudBasic
Start time:	21:11:21
Start date:	08.04.2021
Sample:	Transferencia
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	7c22c3e3b8726dd1b03e69c203590026
SHA1:	7715be6b73e52535d81b083a3dfd95568a729782
SHA256:	96fb89fdc3873864981ec26c355111c26c7ab5132770ead9d1d97bdfac32e566
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Analysis Report Transferencia

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map