Analysis Report Proforma Invoice No. 14214.exe

Overview

General Information

Sample Name: Proforma Invoice No. 14214.exe
Analysis ID: 433051
MD5: 7c8ebff62083aaaa70e6ca8311776afa
SHA1: ae068ca1a02edd4f2e50657a1f223e86f1bbe499
SHA256: 70840e5d766990e38d2a5e209106d19fb19e9c1b77fc2eb1b870f698da1f1a84
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Found malware configuration
Source: 2.2.RegSvcs.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "anando@citechco.net", "Password": "Webana@321#", "Host": "mail.citechco.net"}
Multi AV Scanner detection for submitted file
Source: Proforma Invoice No. 14214.exe Virustotal: Detection: 37%
Source: Proforma Invoice No. 14214.exe ReversingLabs: Detection: 28%
Machine Learning detection for sample
Source: Proforma Invoice No. 14214.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 2.0.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses 32bit PE files
Source: Proforma Invoice No. 14214.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Proforma Invoice No. 14214.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ITypeLib.pdbh source: Proforma Invoice No. 14214.exe
Source: Binary string: RegSvcs.pdb, source: NXLun.exe, 0000000A.00000002.418746456.0000000000692000.00000002.00020000.sdmp, NXLun.exe, 0000000D.00000002.440030386.00000000003E2000.00000002.00020000.sdmp, NXLun.exe.2.dr
Source: Binary string: ITypeLib.pdb source: Proforma Invoice No. 14214.exe
Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: NXLun.exe, 0000000A.00000002.419412855.0000000002B40000.00000002.00000001.sdmp, NXLun.exe, 0000000D.00000002.440906669.0000000004BE0000.00000002.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe.2.dr

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49742 -> 203.191.33.181:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.6:49742 -> 203.191.33.181:587
Source: unknown DNS traffic detected: queries for: mail.citechco.net
Source: RegSvcs.exe, 00000002.00000002.604865648.0000000002FC1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000002.00000002.604865648.0000000002FC1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000002.00000002.605727213.00000000032DB000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.604865648.0000000002FC1000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.606044540.0000000003355000.00000004.00000001.sdmp String found in binary or memory: http://Ustq4cbAUDG33rrxc.org
Source: RegSvcs.exe, 00000002.00000002.605929038.000000000332A000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000002.00000002.610640634.000000000638F000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000002.00000002.605929038.000000000332A000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: RegSvcs.exe, 00000002.00000002.604865648.0000000002FC1000.00000004.00000001.sdmp String found in binary or memory: http://kRGqzl.com
Source: RegSvcs.exe, 00000002.00000002.605929038.000000000332A000.00000004.00000001.sdmp String found in binary or memory: http://mail.citechco.net
Source: RegSvcs.exe, 00000002.00000002.605929038.000000000332A000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000002.00000002.605929038.000000000332A000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352422358.0000000002D41000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.604865648.0000000002FC1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%$
Source: RegSvcs.exe, 00000002.00000002.604865648.0000000002FC1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegSvcs.exe, 00000002.00000002.605929038.000000000332A000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.353706824.0000000003D49000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000000.344864623.0000000000402000.00000040.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000002.00000002.604865648.0000000002FC1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

.NET source code contains very large array initializations
Source: 2.2.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{EB1FE0F0-D3F7-4CA7-A6E6-30D966CA64F5}/5A9A7DD3-C878-49AA-A3CC-93748952BFF0.cs Large array initialization: .cctor: array initializer size 11946
Source: 2.0.RegSvcs.exe.400000.0.unpack, <PrivateImplementationDetails>{EB1FE0F0-D3F7-4CA7-A6E6-30D966CA64F5}/5A9A7DD3-C878-49AA-A3CC-93748952BFF0.cs Large array initialization: .cctor: array initializer size 11946
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Proforma Invoice No. 14214.exe
Detected potential crypto function
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0654BEC0 appears 48 times
PE file contains strange resources
Source: Proforma Invoice No. 14214.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.350087012.00000000007AE000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameITypeLib.exe< vs Proforma Invoice No. 14214.exe
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352422358.0000000002D41000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamefIuXDFbZUwhAPkOKPtFUUkLyKIoWxpLX.exe4 vs Proforma Invoice No. 14214.exe
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.353965910.0000000003EBE000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs Proforma Invoice No. 14214.exe
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.353706824.0000000003D49000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKygo.dll* vs Proforma Invoice No. 14214.exe
Source: Proforma Invoice No. 14214.exe Binary or memory string: OriginalFilenameITypeLib.exe< vs Proforma Invoice No. 14214.exe
Uses 32bit PE files
Source: Proforma Invoice No. 14214.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Proforma Invoice No. 14214.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Proforma Invoice No. 14214.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Proforma Invoice No. 14214.exe.6d0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.Proforma Invoice No. 14214.exe.6d0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.RegSvcs.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.adwa.spyw.evad.winEXE@7/6@2/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0654CC4C UserClientDllInitialize,KiUserExceptionDispatcher,GetFirmwareType,GetDateFormatAWorker,ClientThreadSetup,SendMessageTimeoutW,GetMessageW,CreateToolhelp32Snapshot,SetThreadDpiAwarenessContext,SetClipboardData,KiUserExceptionDispatcher,CreateActCtxWWorker,KiUserExceptionDispatcher,SetXStateFeaturesMask,LdrInitializeThunk, 2_2_0654CC4C
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Proforma Invoice No. 14214.exe.log
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe Mutant created: \Sessions\1\BaseNamedObjects\XxuFpYNIkvOt
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6176:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5116:120:WilError_01
Source: Proforma Invoice No. 14214.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: unknown Process created: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe 'C:\Users\user\Desktop\Proforma Invoice No. 14214.exe'
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Proforma Invoice No. 14214.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Proforma Invoice No. 14214.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Proforma Invoice No. 14214.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ITypeLib.pdbh source: Proforma Invoice No. 14214.exe
Source: Binary string: RegSvcs.pdb, source: NXLun.exe, 0000000A.00000002.418746456.0000000000692000.00000002.00020000.sdmp, NXLun.exe, 0000000D.00000002.440030386.00000000003E2000.00000002.00020000.sdmp, NXLun.exe.2.dr
Source: Binary string: ITypeLib.pdb source: Proforma Invoice No. 14214.exe
Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: NXLun.exe, 0000000A.00000002.419412855.0000000002B40000.00000002.00000001.sdmp, NXLun.exe, 0000000D.00000002.440906669.0000000004BE0000.00000002.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe.2.dr

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: Proforma Invoice No. 14214.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.Proforma Invoice No. 14214.exe.6d0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.Proforma Invoice No. 14214.exe.6d0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs .Net Code: stackVariable5.GetMethod("GetDelegateForFunctionPointer", V_0)
Uses code obfuscation techniques (call, push, ret)
Source: initial sample Static PE information: section name: .text entropy: 7.85165302364
Source: Proforma Invoice No. 14214.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: '.cctor', 'jPJmt4', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.2.Proforma Invoice No. 14214.exe.6d0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: '.cctor', 'jPJmt4', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.0.Proforma Invoice No. 14214.exe.6d0000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs High entropy of concatenated method names: '.cctor', 'jPJmt4', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NXLun

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Proforma Invoice No. 14214.exe PID: 6440, type: MEMORY
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1184
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 8673
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe TID: 6444 Thread sleep time: -103006s >= -30000s
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe TID: 6604 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 6388 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 6292 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe Thread delayed: delay time: 103006
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Thread delayed: delay time: 922337203685477
Source: RegSvcs.exe, 00000002.00000002.610252863.0000000006160000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000002.00000002.610252863.0000000006160000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000002.00000002.610252863.0000000006160000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: Proforma Invoice No. 14214.exe, 00000000.00000002.352826103.0000000002D7F000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 00000002.00000002.610640634.000000000638F000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RegSvcs.exe, 00000002.00000002.610252863.0000000006160000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe Process information queried: ProcessInformation
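A note on reading the delay values above before counting them as evasion: 922337203685477 ms is 2^63 units of 100 ns, the magnitude of the relative interval that reaches NtDelayExecution for an INFINITE wait (Sleep(INFINITE), .NET Thread.Sleep(Timeout.Infinite)). A thread reporting that delay is parked, not timing out a sandbox; the 103006 ms delay (about 1.7 minutes) is the real sleep in this run. The Hyper-V error-message strings found in RegSvcs.exe memory read like Windows' own resource text rather than anti-VM logic, whereas the SBIEDLL.DLL, WINE_GET_UNIX_FILE_NAME and VMware Tools strings in the sample's own memory are the probes that matter. The following is an added example, not part of this report: a small Python triage helper that scans a memory blob for the marker strings and WMI class names listed above and classifies delay values on that basis. The memory fragment is constructed, the marker grouping is mine, and the 3-minute long-sleep bar mirrors the report's signature threshold.

```python
"""Triage helper for the evasion indicators in the report: scan a memory
dump for the anti-VM / anti-sandbox markers and interpret thread-delay
values. Added example; the dump below is constructed, not a real .sdmp."""

# Marker strings copied from the report's "Binary or memory string" lines,
# grouped by the environment the malware is probing for.
ANTI_ANALYSIS_MARKERS = {
    "sandboxie": [b"SBIEDLL.DLL"],
    "wine":      [b"WINE_GET_UNIX_FILE_NAME"],
    "vmware":    [b"vmware", b"VMware SVGA II",
                  b"SOFTWARE\\VMware, Inc.\\VMware Tools",
                  b"C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\"],
    "disk-enum": [b"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port",
                  b"SYSTEM\\ControlSet001\\Services\\Disk\\Enum"],
}
# WMI classes the report shows RegSvcs.exe enumerating (board, CPU, NIC).
WMI_CLASSES = [b"Win32_BaseBoard", b"Win32_Processor",
               b"Win32_NetworkAdapterConfiguration"]


def scan_memory(blob: bytes) -> dict:
    """Return {category: [marker, ...]} for every marker present in blob.
    Matching is case-insensitive so 'vmware', 'VMWARE' and 'VMware' all hit."""
    low = blob.lower()
    hits = {}
    for category, markers in ANTI_ANALYSIS_MARKERS.items():
        found = [m.decode() for m in markers if m.lower() in low]
        if found:
            hits[category] = found
    wmi = [c.decode() for c in WMI_CLASSES if c.lower() in low]
    if wmi:
        hits["wmi"] = wmi
    return hits


# 2^63 units of 100 ns expressed in milliseconds: the magnitude of an INFINITE
# relative wait as it reaches NtDelayExecution. Evaluates to 922337203685477.
INFINITE_DELAY_MS = (1 << 63) // 10_000


def classify_delay(delay_ms: int, long_sleep_ms: int = 180_000) -> str:
    """Interpret a 'Thread delayed: delay time' value from the report.
    922337203685477 ms is a thread parked for ever (INFINITE), not a timed
    sleep; only finite values below that are candidate evasion sleeps."""
    magnitude = abs(delay_ms)          # the report prints relative waits as negatives
    if magnitude >= INFINITE_DELAY_MS:
        return "infinite-wait"
    if magnitude >= long_sleep_ms:     # the report's 'long sleep' bar is 3 minutes
        return "long-sleep"
    return "short-sleep"


# Constructed dump fragment standing in for the .sdmp regions named above.
SAMPLE_DUMP = (b"\x00" * 16 + b"SBIEDLL.DLL\x00vmware\x00"
               b"SOFTWARE\\VMware, Inc.\\VMware Tools\x00"
               b"Win32_BaseBoard\x00SELECT * FROM Win32_Processor\x00")

if __name__ == "__main__":
    print(scan_memory(SAMPLE_DUMP))
    for ms in (103006, 922337203685477):
        print(ms, classify_delay(ms))
```

Run against real dumps, the interesting output is a category set: a sample that carries markers for Sandboxie, Wine and VMware in one private memory region is checking its environment, while a lone Hyper-V message string in an image-backed region is not.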

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_01627190 LdrInitializeThunk, 2_2_01627190
Enables debug privileges
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: RegSvcs.exe, 00000002.00000002.604756079.0000000001A60000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000002.00000002.604756079.0000000001A60000.00000002.00000001.sdmp Binary or memory string: Progman
Source: RegSvcs.exe, 00000002.00000002.604756079.0000000001A60000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: RegSvcs.exe, 00000002.00000002.604756079.0000000001A60000.00000002.00000001.sdmp Binary or memory string: Progmanlock
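The process-creation line above is the shape worth detecting: RegSvcs.exe is a framework utility that does real work only when handed an assembly to register, so a bare launch of it by an executable on the user's desktop exists to be hollowed. Sysmon process-creation events do not record the CREATE_SUSPENDED flag, so a rule has to key on what they do record, parent path and command line, which is the same shape the report's Sigma hit "Suspicious Process Start Without DLL" describes. As an added example, not part of this report or of the sandbox's own rules, the Python below flags that shape over constructed Sysmon-style events; the first event mirrors the report's parent/child pair, the others are hypothetical, and the host names beyond RegSvcs.exe are an assumption.

```python
"""Detection example: a .NET framework utility started with no arguments by a
parent running from a user-writable path (the hollowing host pattern in the
report). Added example; events are constructed Sysmon-style records."""
from dataclasses import dataclass
import ntpath

# RegSvcs.exe is the host used in this report. The other names are an
# assumption: sibling .NET utilities that are hollowed the same way.
HOLLOWING_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def args_after_image(command_line: str) -> str:
    """Return the argument part of a Windows command line, honouring a
    double-quoted image path (paths containing spaces)."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[end + 1:].strip() if end != -1 else ""
    parts = cl.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def is_hollowing_candidate(ev: ProcEvent) -> bool:
    """True when a known host utility is launched bare (nothing to register)
    by a parent living in a user-writable directory."""
    if ntpath.basename(ev.image).lower() not in HOLLOWING_HOSTS:
        return False
    parent_in_user_path = any(t in ev.parent_image.lower() for t in USER_WRITABLE)
    launched_bare = args_after_image(ev.command_line) == ""
    return parent_in_user_path and launched_bare


def detect(events) -> list:
    """Indices of the events that match the pattern."""
    return [i for i, ev in enumerate(events) if is_hollowing_candidate(ev)]


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
EVENTS = [  # constructed
    # the report's chain: the sample on the desktop starts RegSvcs.exe with no arguments
    ProcEvent(r"C:\Users\user\Desktop\Proforma Invoice No. 14214.exe", REGSVCS, REGSVCS),
    # hypothetical legitimate use: an IDE registers a component, so RegSvcs gets a path
    ProcEvent(r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
              REGSVCS, f'"{REGSVCS}" C:\\build\\Component.dll'),
    # hypothetical: a copy in AppData starting the same bare host with a quoted path
    ProcEvent(r"C:\Users\user\AppData\Roaming\NXLun\NXLun.exe", REGSVCS, f'"{REGSVCS}"'),
    # hypothetical: unrelated child of a user-path parent
    ProcEvent(r"C:\Users\user\AppData\Local\Temp\setup.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo hi"),
]

if __name__ == "__main__":
    for i in detect(EVENTS):
        print("hollowing candidate:", EVENTS[i].parent_image, "->", EVENTS[i].command_line)
```

The rule is deliberately narrow: a host started with an assembly argument by a parent under Program Files is left alone, so it will miss a loader that pads the command line. Pair it with the memory-side evidence the report shows (a PE mapped at RegSvcs.exe's 0x400000 that does not match the on-disk image) for the cases this heuristic cannot see.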

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe Queries volume information: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (3 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Queries volume information: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation (2 identical entries)
Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation (6 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06545594 GetUserNameW, 2_2_06545594
Source: C:\Users\user\Desktop\Proforma Invoice No. 14214.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File written: C:\Windows\System32\drivers\etc\hosts
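The report records that the hollowed RegSvcs.exe wrote C:\Windows\System32\drivers\etc\hosts but not what it wrote, so the response step is to diff the file against a known-good copy. Added example, not from the report: a Python audit that parses a hosts file the way the resolver does (comments and malformed lines ignored), diffs it against a baseline and tags each added mapping as a blackhole (a name sunk to a local address, the usual way a stealer silences AV updates or telemetry) or a redirect. A stock Windows hosts file contains only comments, so on such a host every active entry is a finding. Both file contents below are constructed; the domain names are placeholders.

```python
"""Hosts-file audit for the 'Modifies the hosts file' finding: diff the live
file against a known-good baseline and classify every added mapping.
Added example, not from the report; both file contents are constructed."""
import ipaddress

BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> list:
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))   # normalises e.g. 0:0:0:0:0:0:0:1 -> ::1
        except ValueError:
            continue                            # first field is not an address: skip the line
        entries.extend((ip, name.lower()) for name in fields[1:])
    return entries


def audit_hosts(baseline: str, current: str) -> list:
    """Mappings present in `current` but absent from `baseline`, tagged
    'blackhole' (name sunk to a local address) or 'redirect' (name pointed
    at some other address)."""
    known = set(parse_hosts(baseline))
    findings = []
    for ip, name in parse_hosts(current):
        if (ip, name) in known or name in LOCAL_NAMES:
            continue
        kind = "blackhole" if ip in BLACKHOLE_IPS else "redirect"
        findings.append({"ip": ip, "name": name, "kind": kind})
    return findings


# Constructed: a stock Windows hosts file, where every mapping ships commented out ...
BASELINE_HOSTS = """# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
"""
# ... and the same file after a hypothetical tampering (placeholder domains).
TAMPERED_HOSTS = BASELINE_HOSTS + """
127.0.0.1\tav-updates.example.net   # blackholed
0.0.0.0\t\ttelemetry.example.net
203.0.113.9\tlogin.example.com       # redirected
not-an-ip   junk.example.org
"""

if __name__ == "__main__":
    for finding in audit_hosts(BASELINE_HOSTS, TAMPERED_HOSTS):
        print(finding)
```

On a managed fleet the baseline is whatever configuration management deploys, not necessarily the stock file; keep that copy hashed and compare against it rather than against an empty file.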

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000002.00000000.344864623.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.603094924.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.353706824.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Proforma Invoice No. 14214.exe.3e01450.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Proforma Invoice No. 14214.exe.3e01450.1.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000002.00000000.344864623.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.603094924.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.605727213.00000000032DB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.353706824.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Proforma Invoice No. 14214.exe PID: 6440, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6564, type: MEMORY
Source: Yara match File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Proforma Invoice No. 14214.exe.3e01450.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Proforma Invoice No. 14214.exe.3e01450.1.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Yara detected Credential Stealer
Source: Yara match File source: 00000002.00000002.604865648.0000000002FC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6564, type: MEMORY
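Taken one at a time, the opens above are unremarkable: Chrome reads its own Login Data and Outlook reads its own profile key all day. What identifies the stealer is that a single process which owns none of these stores, here RegSvcs.exe, reads browser, FTP, mail and WinSCP stores in one run. Added example, not from the report: a Python detection that correlates file and registry opens into exactly that alert. The path fragments are the ones the report shows RegSvcs.exe touching; the owning-application names used to suppress legitimate reads, and the event list, are assumptions constructed for the example.

```python
"""Detection example for the credential-store accesses in the report: match
file and registry opens against the stores an infostealer reads, and alert
when the opening process is not the application that owns the store.
Added example, not from the report; events are constructed."""
import ntpath

# (category, case-insensitive path fragment, owning executables).
# Fragments come from the report; the owner names are an assumption used to
# suppress the application's own reads (empty set: any reader is flagged).
CREDENTIAL_STORES = [
    ("browser", "\\google\\chrome\\user data\\",                      {"chrome.exe"}),
    ("browser", "\\mozilla\\firefox\\profiles.ini",                   {"firefox.exe"}),
    ("ftp",     "\\filezilla\\recentservers.xml",                     {"filezilla.exe"}),
    ("ftp",     "\\smartftp\\client 2.0\\favorites\\",                {"smartftp.exe"}),
    ("mail",    "\\thunderbird\\profiles.ini",                        {"thunderbird.exe"}),
    ("mail",    "\\windows messaging subsystem\\profiles\\outlook\\", {"outlook.exe"}),
    ("mail",    "\\incredimail\\identities",                          set()),
    ("scp",     "\\martin prikryl\\winscp 2\\sessions",               {"winscp.exe"}),
]


def match_store(path: str):
    """Return (category, fragment, owners) for the first store `path` falls in, else None."""
    p = path.lower().replace("/", "\\")
    for category, fragment, owners in CREDENTIAL_STORES:
        if fragment in p:
            return category, fragment, owners
    return None


def detect_credential_access(events) -> list:
    """events: iterable of (process_image, object_path) for file and registry
    opens. Returns (process_name, category, object_path) for every open of a
    credential store by a process that does not own it."""
    alerts = []
    for image, path in events:
        hit = match_store(path)
        if hit is None:
            continue
        category, _, owners = hit
        proc = ntpath.basename(image).lower()
        if proc not in owners:
            alerts.append((proc, category, path))
    return alerts


def summarize(alerts) -> dict:
    """Per-process set of credential categories touched. One process covering
    browser, ftp, mail and scp in a single run is the stealer signature."""
    out = {}
    for proc, category, _ in alerts:
        out.setdefault(proc, set()).add(category)
    return out


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
EVENTS = [  # constructed; the RegSvcs.exe paths mirror the report
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (REGSVCS, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (REGSVCS, r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"),
    (REGSVCS, r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    (REGSVCS, r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
              r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    (r"C:\Windows\explorer.exe", r"C:\Users\user\Documents\notes.txt"),
]

if __name__ == "__main__":
    for proc, categories in summarize(detect_credential_access(EVENTS)).items():
        print(proc, sorted(categories))
```

Feed it Sysmon file-create and registry events or an EDR's object-access stream; alert on a process that reaches two or more categories, which is the threshold that separates a backup agent reading one profile directory from a stealer sweeping all of them.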

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000002.00000000.344864623.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.603094924.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.353706824.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Proforma Invoice No. 14214.exe.3e01450.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Proforma Invoice No. 14214.exe.3e01450.1.raw.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match File source: 00000002.00000000.344864623.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.603094924.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.605727213.00000000032DB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.353706824.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Proforma Invoice No. 14214.exe PID: 6440, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6564, type: MEMORY
Source: Yara match File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Proforma Invoice No. 14214.exe.3e01450.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Proforma Invoice No. 14214.exe.3e01450.1.raw.unpack, type: UNPACKEDPE