Analysis Report faktura_ODfk0021.exe

Overview

General Information

Sample Name:faktura_ODfk0021.exe
Analysis ID:387666
MD5:b7b1644fce14205acecbe822df95749a
SHA1:4cbfa9cf4b8dc27bf2b2a2463761092d5c2402e7
SHA256:f760c40ea4cca84e06c511f96c8d43525350e3f52c97c1baa30528d9c4fbcfec
Detection

AgentTesla GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Potential malicious icon found
Yara detected AgentTesla
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Startup

  • System is w10x64
  • faktura_ODfk0021.exe (PID: 3784 cmdline: 'C:\Users\user\Desktop\faktura_ODfk0021.exe' MD5: B7B1644FCE14205ACECBE822DF95749A)
    • RegAsm.exe (PID: 6328 cmdline: 'C:\Users\user\Desktop\faktura_ODfk0021.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1aKE_k9PJVE2kZn5sEN4ZiJNhonuPIbPw", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security |
Process Memory Space: RegAsm.exe PID: 6328 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: RegAsm.exe PID: 6328 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1aKE_k9PJVE2kZn5sEN4ZiJNhonuPIbPw", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}
Source: faktura_ODfk0021.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 172.217.23.33:443 -> 192.168.2.7:49712 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=1aKE_k9PJVE2kZn5sEN4ZiJNhonuPIbPw
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: doc-0s-04-docs.googleusercontent.com
Source: RegAsm.exe, 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe, 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp | String found in binary or memory: http://zQsfOZ.com
Source: RegAsm.exe, 00000003.00000002.491917908.0000000000FE7000.00000004.00000020.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0s-04-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/uq2l008j
Source: RegAsm.exe | String found in binary or memory: https://drive.google.com/uc?export=download&id=1aKE_k9PJVE2kZn5sEN4ZiJNhonuPIbPw
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: RegAsm.exe, 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 172.217.23.33:443 -> 192.168.2.7:49712 version: TLS 1.2

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | Code function: 0_2_022B3BC4 NtResumeThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00C23BC4 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00C236EE NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | Code function: 0_2_004015B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1D9E47A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1D9E4790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1D9E4773
Source: faktura_ODfk0021.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: faktura_ODfk0021.exe, 00000000.00000002.324592390.0000000002A30000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCass7.exeFE2XADP vs faktura_ODfk0021.exe
Source: faktura_ODfk0021.exe, 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCass7.exe vs faktura_ODfk0021.exe
Source: faktura_ODfk0021.exe | Binary or memory string: OriginalFilenameCass7.exe vs faktura_ODfk0021.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: faktura_ODfk0021.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal100.rans.troj.evad.winEXE@4/0@1/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_01
Source: faktura_ODfk0021.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Users\user\Desktop\faktura_ODfk0021.exe 'C:\Users\user\Desktop\faktura_ODfk0021.exe'
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\faktura_ODfk0021.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader
Source: Yara match | File source: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6328, type: MEMORY
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | Code function: 0_2_00401E78 pushfd ; retn 0000h
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | Code function: 0_2_004066CF push ebp; retf
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | Code function: 0_2_00406D53 push 38BB86EFh; retf
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | Code function: 0_2_022B0104 push ADC64FC2h; iretd
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | Code function: 0_2_022B0F63 push ds; retf
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | Code function: 0_2_022B0174 push ADC64FC2h; iretd
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | Code function: 0_2_022B2F47 push edx; retf
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | Code function: 0_2_022B0144 push ADC64FC2h; iretd
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | Code function: 0_2_022B01AC push ADC64FC2h; iretd
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | Code function: 0_2_022B1DFB push edx; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_1D9EC598 push 941FABA6h; retf
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00C231D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00C233E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00C233FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00C2323A

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | RDTSC instruction interceptor: First address: 00000000022B1C7E second address: 00000000022B1CBD instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push ecx 0x0000000b test ax, cx 0x0000000e test dl, 00000017h 0x00000011 call 00007F21FCFA4CE6h 0x00000016 call 00007F21FCFA4CD8h 0x0000001b lfence 0x0000001e mov edx, dword ptr [7FFE0014h] 0x00000024 lfence 0x00000027 ret 0x00000028 mov esi, edx 0x0000002a pushad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | RDTSC instruction interceptor: First address: 00000000022B1CBD second address: 00000000022B1CBD instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F21FCF9DB48h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 test eax, eax 0x00000022 dec ecx 0x00000023 cmp bh, bh 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007F21FCF9DB1Eh 0x0000002a pushad 0x0000002b nop 0x0000002c nop 0x0000002d mov eax, 00000001h 0x00000032 cpuid 0x00000034 popad 0x00000035 push ecx 0x00000036 test ax, cx 0x00000039 test dl, 00000017h 0x0000003c call 00007F21FCF9DB66h 0x00000041 call 00007F21FCF9DB58h 0x00000046 lfence 0x00000049 mov edx, dword ptr [7FFE0014h] 0x0000004f lfence 0x00000052 ret 0x00000053 mov esi, edx 0x00000055 pushad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | RDTSC instruction interceptor: First address: 00000000022B347F second address: 00000000022B347F instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000C233C1 second address: 0000000000C233C1 instructions:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect Any.run
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Program Files\qga\qga.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe, 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE8
Source: RegAsm.exe | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | RDTSC instruction interceptor: First address: 00000000022B1C7E second address: 00000000022B1CBD instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push ecx 0x0000000b test ax, cx 0x0000000e test dl, 00000017h 0x00000011 call 00007F21FCFA4CE6h 0x00000016 call 00007F21FCFA4CD8h 0x0000001b lfence 0x0000001e mov edx, dword ptr [7FFE0014h] 0x00000024 lfence 0x00000027 ret 0x00000028 mov esi, edx 0x0000002a pushad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | RDTSC instruction interceptor: First address: 00000000022B1CBD second address: 00000000022B1CBD instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F21FCF9DB48h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 test eax, eax 0x00000022 dec ecx 0x00000023 cmp bh, bh 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007F21FCF9DB1Eh 0x0000002a pushad 0x0000002b nop 0x0000002c nop 0x0000002d mov eax, 00000001h 0x00000032 cpuid 0x00000034 popad 0x00000035 push ecx 0x00000036 test ax, cx 0x00000039 test dl, 00000017h 0x0000003c call 00007F21FCF9DB66h 0x00000041 call 00007F21FCF9DB58h 0x00000046 lfence 0x00000049 mov edx, dword ptr [7FFE0014h] 0x0000004f lfence 0x00000052 ret 0x00000053 mov esi, edx 0x00000055 pushad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | RDTSC instruction interceptor: First address: 00000000022B1DAB second address: 00000000022B1DAB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F21FCFA60E7h 0x0000001d popad 0x0000001e call 00007F21FCFA4CDAh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | RDTSC instruction interceptor: First address: 00000000022B347F second address: 00000000022B347F instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000C21DAB second address: 0000000000C21DAB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F21FCFA60E7h 0x0000001d popad 0x0000001e call 00007F21FCFA4CDAh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | RDTSC instruction interceptor: First address: 0000000000C233C1 second address: 0000000000C233C1 instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00C216D0 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 3333
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 6505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6196 | Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
Source: RegAsm.exe, 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe8
Source: RegAsm.exe, 00000003.00000002.491917908.0000000000FE7000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
Source: RegAsm.exe | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00C216D0 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00C233E3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00C21BF5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00C233FD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00C22FBC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00C22D7E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C20000
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\faktura_ODfk0021.exe'
Source: RegAsm.exe, 00000003.00000002.492429654.0000000001420000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
Source: RegAsm.exe, 00000003.00000002.492429654.0000000001420000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000003.00000002.492429654.0000000001420000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: RegAsm.exe, 00000003.00000002.492429654.0000000001420000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00C23314 cpuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6328, type: MEMORY

            Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6328, type: MEMORY

            Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | DLL Side-Loading 1 | Process Injection 112 | Disable or Modify Tools 1 | OS Credential Dumping | Security Software Discovery 731 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Virtualization/Sandbox Evasion 341 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 112 | Security Account Manager | Virtualization/Sandbox Evasion 341 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 12 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | Application Window Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading 1 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 423 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features


            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

Source | Detection | Scanner | Label
faktura_ODfk0021.exe | 9% | ReversingLabs | Win32.Worm.Wbvb

            Dropped Files

            No Antivirus matches

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://pki.goog/gsr2/GTS1O1.crt0 | 0% | URL Reputation | safe
http://zQsfOZ.com | 0% | Avira URL Cloud | safe
http://crl.pki.goog/gsr2/gsr2.crl0? | 0% | URL Reputation | safe
https://pki.goog/repository/0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://crl.pki.goog/GTS1O1core.crl0 | 0% | URL Reputation | safe

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
googlehosted.l.googleusercontent.com | 172.217.23.33 | true | false | | high
doc-0s-04-docs.googleusercontent.com | unknown | unknown | false | | high

                URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | RegAsm.exe, 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://DynDns.comDynDNS | RegAsm.exe, 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://pki.goog/gsr2/GTS1O1.crt0 | RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://doc-0s-04-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/uq2l008j | RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp | false | | high
http://zQsfOZ.com | RegAsm.exe, 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.pki.goog/gsr2/gsr2.crl0? | RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://pki.goog/repository/0 | RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | RegAsm.exe, 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://crl.pki.goog/GTS1O1core.crl0 | RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown

                  Contacted IPs


                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
172.217.23.33 | googlehosted.l.googleusercontent.com | United States | 15169 | GOOGLEUS | false

                  General Information

                  Joe Sandbox Version:31.0.0 Emerald
                  Analysis ID:387666
                  Start date:15.04.2021
                  Start time:14:02:16
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 6m 14s
                  Hypervisor based Inspection enabled:false
                  Report type:light
                  Sample file name:faktura_ODfk0021.exe
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:27
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.rans.troj.evad.winEXE@4/0@1/1
                  EGA Information:Failed
                  HDC Information:
                  • Successful, ratio: 17% (good quality ratio 7.2%)
                  • Quality average: 25.8%
                  • Quality standard deviation: 32%
                  HCA Information:
                  • Successful, ratio: 94%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .exe
                  Warnings:
                  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                  • TCP Packets have been reduced to 100
                  • Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 20.82.210.154, 40.88.32.150, 92.122.145.220, 92.122.144.200, 13.64.90.137, 172.217.20.238, 52.255.188.83, 2.20.143.16, 2.20.142.210, 51.103.5.186, 104.43.193.48, 23.32.238.234, 23.32.238.177, 52.155.217.156, 20.54.26.129
                  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, drive.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/387666/sample/faktura_ODfk0021.exe

                  Simulations

                  Behavior and APIs

Time | Type | Description
14:03:56 | API Interceptor | 543x Sleep call for process: RegAsm.exe modified

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  No context

                  ASN

                  No context

                  JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
37f463bf4616ecd445d4a1937da06e19 | documents-1865367136.xlsb | malicious | 172.217.23.33
 | documents-1522654785.xlsb | malicious | 172.217.23.33
 | documents-1988650417.xlsb | malicious | 172.217.23.33
 | documents-852304211.xlsb | malicious | 172.217.23.33
 | Tooligram_PRO.exe | malicious | 172.217.23.33
 | documents-1884913828.xlsb | malicious | 172.217.23.33
 | documents-1097636918.xlsb | malicious | 172.217.23.33
 | documents-798055763.xlsb | malicious | 172.217.23.33
 | documents-590513756.xlsb | malicious | 172.217.23.33
 | #Ud83d#Udcde Bpost.be AudioMessage 59-20596.htm | malicious | 172.217.23.33
 | VoicePlayback (01_47) for steph.miller tsbbank .html | malicious | 172.217.23.33
 | Factura proforma, nuevo pedido.exe | malicious | 172.217.23.33
 | documents-1321106901.xlsb | malicious | 172.217.23.33
 | BR-424305.htm | malicious | 172.217.23.33
 | 0901e76c84536f06b_2500332020005403099_0901e76c4489e546f06b_250020214405500030995.WsF | malicious | 172.217.23.33
 | mail_6512365134_7863_20210413.html | malicious | 172.217.23.33
 | Cocha904.htm | malicious | 172.217.23.33
 | documents-1136727851.xlsb | malicious | 172.217.23.33
 | Lista comenzilor.exe | malicious | 172.217.23.33
 | documents-2136656015.xlsb | malicious | 172.217.23.33

                  Dropped Files

                  No context

                  Created / dropped Files

                  No created / dropped files found

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):5.82523235745994
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.15%
                  • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:faktura_ODfk0021.exe
                  File size:73728
                  MD5:b7b1644fce14205acecbe822df95749a
                  SHA1:4cbfa9cf4b8dc27bf2b2a2463761092d5c2402e7
                  SHA256:f760c40ea4cca84e06c511f96c8d43525350e3f52c97c1baa30528d9c4fbcfec
                  SHA512:8110f60d9c116b277a247b059099100afaf3ebf4fd9e685686c043b78119e2ebf3e5793128c6c607b992d231a92101956b4738a213e0ca6bf8f291d2e68a0a7e
                  SSDEEP:1536:A35XClFvvI5WX5sdzUPgKYxVm18htRXPA:EXClBI5zi1utFPA
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....w`.....................0....................@................

                  File Icon

                  Icon Hash:20047c7c70f0e004

                  Static PE Info

                  General

                  Entrypoint:0x4015b4
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                  DLL Characteristics:
                  Time Stamp:0x6077DFAB [Thu Apr 15 06:39:39 2021 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:fff80e017e94a979a89868fcc864e987

                  Entrypoint Preview


                  Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf864 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12000 | 0x8e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x15c | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xee24 | 0xf000 | False | 0.473046875 | data | 6.47418964724 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x10000 | 0x12a8 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x12000 | 0x8e0 | 0x1000 | False | 0.16552734375 | data | 1.93654602979 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                  Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x127b0 | 0x130 | data | |
RT_ICON | 0x124c8 | 0x2e8 | data | |
RT_ICON | 0x123a0 | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x12370 | 0x30 | data | |
RT_VERSION | 0x12150 | 0x220 | data | Chinese | Taiwan

                  Imports

DLL | Import
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaFileOpen, __vbaNew2, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

                  Version Infos

Description | Data
Translation | 0x0404 0x04b0
InternalName | Cass7
FileVersion | 1.00
CompanyName | ADP
ProductName | ADP
ProductVersion | 1.00
FileDescription | ADP
OriginalFilename | Cass7.exe

                  Possible Origin

Language of compilation system | Country where language is spoken
Chinese | Taiwan

                  Network Behavior

                  TCP Packets

                  Apr 15, 2021 14:03:48.907943964 CEST44349712172.217.23.33192.168.2.7
                  Apr 15, 2021 14:03:48.907994032 CEST49712443192.168.2.7172.217.23.33
                  Apr 15, 2021 14:03:48.908011913 CEST49712443192.168.2.7172.217.23.33
                  Apr 15, 2021 14:03:48.910749912 CEST44349712172.217.23.33192.168.2.7
                  Apr 15, 2021 14:03:48.910773993 CEST44349712172.217.23.33192.168.2.7

                  UDP Packets

                  Timestamp  Source Port  Dest Port  Source IP  Dest IP
                  Apr 15, 2021 14:02:58.001298904 CEST  60501  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:02:58.028203964 CEST  53775  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:02:58.058664083 CEST  53  60501  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:02:58.078428984 CEST  53  53775  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:02:58.918658972 CEST  51837  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:02:58.971151114 CEST  53  51837  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:01.249994040 CEST  55411  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:01.313597918 CEST  53  55411  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:02.082735062 CEST  63668  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:02.132936001 CEST  53  63668  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:25.237613916 CEST  54640  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:25.297434092 CEST  53  54640  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:34.548943043 CEST  58739  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:34.601429939 CEST  53  58739  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:35.794125080 CEST  60338  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:35.847773075 CEST  53  60338  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:46.109419107 CEST  58717  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:46.161365986 CEST  53  58717  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:47.373816967 CEST  59762  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:47.439893961 CEST  53  59762  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:47.792176008 CEST  54329  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:47.840761900 CEST  53  54329  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:48.000417948 CEST  58052  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:48.065246105 CEST  53  58052  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:49.373032093 CEST  54008  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:49.422008991 CEST  53  54008  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:50.169035912 CEST  59451  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:50.217751026 CEST  53  59451  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:51.300374031 CEST  52914  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:51.352650881 CEST  53  52914  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:51.501138926 CEST  64569  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:51.553962946 CEST  53  64569  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:53.317539930 CEST  52816  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:53.366446018 CEST  53  52816  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:53.370409966 CEST  50781  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:53.431273937 CEST  53  50781  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:53.534626007 CEST  54230  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:53.591490030 CEST  53  54230  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:53.930619955 CEST  54911  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:53.995644093 CEST  53  54911  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:54.716515064 CEST  49958  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:54.765275955 CEST  53  49958  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:55.815452099 CEST  50860  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:55.864136934 CEST  53  50860  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:57.120651960 CEST  50452  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:57.171350956 CEST  53  50452  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:58.016098022 CEST  59730  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:58.064745903 CEST  53  59730  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:03:59.269495964 CEST  59310  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:03:59.318136930 CEST  53  59310  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:04:03.113909960 CEST  51919  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:04:03.165693998 CEST  53  51919  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:04:03.949346066 CEST  64296  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:04:03.998048067 CEST  53  64296  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:04:04.109407902 CEST  56680  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:04:04.170857906 CEST  53  56680  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:04:07.334784985 CEST  58820  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:04:07.383415937 CEST  53  58820  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:04:09.763413906 CEST  60983  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:04:09.829746008 CEST  53  60983  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:04:37.423278093 CEST  49247  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:04:37.480350971 CEST  53  49247  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:04:38.373917103 CEST  52286  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:04:38.422718048 CEST  53  52286  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:04:39.550192118 CEST  56064  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:04:39.601758957 CEST  53  56064  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:04:40.353152037 CEST  63744  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:04:40.401917934 CEST  53  63744  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:04:43.477310896 CEST  61457  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:04:43.536140919 CEST  53  61457  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:05:00.910329103 CEST  58367  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:05:01.012533903 CEST  53  58367  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:05:01.575809956 CEST  60599  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:05:01.816560984 CEST  53  60599  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:05:02.398222923 CEST  59571  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:05:02.455689907 CEST  53  59571  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:05:02.689614058 CEST  52689  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:05:02.754874945 CEST  53  52689  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:05:02.902904034 CEST  50290  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:05:02.990034103 CEST  53  50290  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:05:03.557638884 CEST  60427  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:05:03.686425924 CEST  53  60427  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:05:04.432878017 CEST  56209  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:05:04.489887953 CEST  53  56209  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:05:05.141227961 CEST  59582  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:05:05.198559999 CEST  53  59582  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:05:06.189922094 CEST  60949  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:05:06.250034094 CEST  53  60949  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:05:07.184478045 CEST  58542  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:05:07.241842031 CEST  53  58542  8.8.8.8  192.168.2.7
                  Apr 15, 2021 14:05:07.915469885 CEST  59179  53  192.168.2.7  8.8.8.8
                  Apr 15, 2021 14:05:07.972846031 CEST  53  59179  8.8.8.8  192.168.2.7

                  DNS Queries

                  Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class
                  Apr 15, 2021 14:03:48.000417948 CEST  192.168.2.7  8.8.8.8  0xe7be  Standard query (0)  doc-0s-04-docs.googleusercontent.com  A (IP address)  IN (0x0001)

                  DNS Answers

                  Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class
                  Apr 15, 2021 14:03:48.065246105 CEST  8.8.8.8  192.168.2.7  0xe7be  No error (0)  doc-0s-04-docs.googleusercontent.com  googlehosted.l.googleusercontent.com  -  CNAME (Canonical name)  IN (0x0001)
                  Apr 15, 2021 14:03:48.065246105 CEST  8.8.8.8  192.168.2.7  0xe7be  No error (0)  googlehosted.l.googleusercontent.com  -  172.217.23.33  A (IP address)  IN (0x0001)

                  HTTPS Packets

                  Timestamp:Apr 15, 2021 14:03:48.170511961 CEST
                  Source IP:172.217.23.33
                  Source Port:443
                  Dest IP:192.168.2.7
                  Dest Port:49712
                  Certificate chain (leaf, then intermediate):
                  • Subject: CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US, Issuer: CN=GTS CA 1O1, O=Google Trust Services, C=US, Not Before: Tue Mar 16 20:32:57 CET 2021, Not After: Tue Jun 08 21:32:56 CEST 2021
                  • Subject: CN=GTS CA 1O1, O=Google Trust Services, C=US, Issuer: CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2, Not Before: Thu Jun 15 02:00:42 CEST 2017, Not After: Wed Dec 15 01:00:42 CET 2021
                  JA3 SSL Client Fingerprint:771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
                  JA3 SSL Client Digest:37f463bf4616ecd445d4a1937da06e19

                  Code Manipulations

                  Statistics

                  Behavior

                  System Behavior

                  General

                  Start time:14:03:03
                  Start date:15/04/2021
                  Path:C:\Users\user\Desktop\faktura_ODfk0021.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\Desktop\faktura_ODfk0021.exe'
                  Imagebase:0x400000
                  File size:73728 bytes
                  MD5 hash:B7B1644FCE14205ACECBE822DF95749A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:Visual Basic
                  Reputation:low

                  General

                  Start time:14:03:25
                  Start date:15/04/2021
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                  Wow64 process (32bit):true
                  Commandline:'C:\Users\user\Desktop\faktura_ODfk0021.exe'
                  Imagebase:0x840000
                  File size:64616 bytes
                  MD5 hash:6FD7592411112729BF6B1F2F6C34899F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, Author: Joe Security
                  Reputation:high

                  General

                  Start time:14:03:25
                  Start date:15/04/2021
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff774ee0000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Disassembly

                  Code Analysis
