Windows Analysis Report Documentos de env#U00edo.exe

Overview

General Information

Sample Name: Documentos de env#U00edo.exe (the sandbox's escaping of "Documentos de envío.exe", Spanish for "shipping documents")
Analysis ID: 457991
MD5: a60166d50572eedc2e44b327e4928324
SHA1: 0b5c5afd46ab950959dc1e5fda5520ddae0c51a4
SHA256: 8a714868cf6bea9d1a01154cc98fa33abbe75350f06cf26d31538ed0aba6a808
Tags: exe

Detection

GuLoader AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

GuLoader behavior detected
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Documentos de env#U00edo.exe Virustotal: Detection: 20%

Compliance:

Uses 32bit PE files
Source: Documentos de env#U00edo.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 216.58.208.174:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.208.129:443 -> 192.168.2.3:49747 version: TLS 1.2

Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49754 -> 78.128.8.31:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 78.128.8.31 78.128.8.31
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TELEPOINTBG TELEPOINTBG
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.3:49754 -> 78.128.8.31:587
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: RegAsm.exe, 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.1289517050.000000001DD50000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000003.862518902.00000000012F1000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.1289680896.000000001DDC6000.00000004.00000001.sdmp String found in binary or memory: http://SFk55itrh2ylIByRGIl.net
Source: RegAsm.exe, 00000014.00000003.894284187.0000000000E9A000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp String found in binary or memory: http://brimaq.com
Source: RegAsm.exe, 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp String found in binary or memory: http://cWlbEv.com
Source: RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: RegAsm.exe, 00000014.00000003.894284187.0000000000E9A000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RegAsm.exe, 00000014.00000002.1283640842.000000000125F000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000014.00000003.894284187.0000000000E9A000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp String found in binary or memory: http://mail.brimaq.com
Source: RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe, 00000014.00000002.1283558110.0000000001240000.00000004.00000020.sdmp String found in binary or memory: http://pki.goog/gsrr
Source: RegAsm.exe, 00000014.00000002.1282624893.0000000000E63000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.l
Source: RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0#
Source: RegAsm.exe, 00000014.00000002.1289609196.000000001DD94000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: RegAsm.exe, 00000014.00000002.1283789594.00000000012A4000.00000004.00000001.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: RegAsm.exe, 00000014.00000002.1283789594.00000000012A4000.00000004.00000001.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: RegAsm.exe, 00000014.00000002.1282624893.0000000000E63000.00000004.00000001.sdmp String found in binary or memory: http://x1.kx
Source: RegAsm.exe, 00000014.00000002.1283558110.0000000001240000.00000004.00000020.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000014.00000002.1283473550.00000000011F8000.00000004.00000020.sdmp String found in binary or memory: https://doc-10-00-docs.googleusercontent.com/)
Source: RegAsm.exe, 00000014.00000002.1283558110.0000000001240000.00000004.00000020.sdmp String found in binary or memory: https://doc-10-00-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/q5t04a04
Source: RegAsm.exe, 00000014.00000002.1283473550.00000000011F8000.00000004.00000020.sdmp String found in binary or memory: https://doc-10-00-docs.googleusercontent.com/g
Source: RegAsm.exe, 00000014.00000002.1283473550.00000000011F8000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 00000014.00000002.1282413879.0000000000BC0000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.1283473550.00000000011F8000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1u3UtP2e9N-KtyQTSuDKByxsCSqIoJWVk
Source: RegAsm.exe, 00000014.00000002.1283473550.00000000011F8000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1u3UtP2e9N-KtyQTSuDKByxsCSqIoJWVknc
Source: RegAsm.exe, 00000014.00000002.1282413879.0000000000BC0000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1u3UtP2e9N-KtyQTSuDKByxsCSqIoJWVkwininet.dllMozilla/5
Source: RegAsm.exe, 00000014.00000002.1283704360.0000000001286000.00000004.00000001.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: RegAsm.exe, 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Code function: 0_2_004028B4 GetAsyncKeyState, 0_2_004028B4
Creates a DirectInput object (often for capturing keystrokes)
Source: Documentos de env#U00edo.exe, 00000000.00000002.580708415.000000000072A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Executable has a suspicious name (potential lure to open the executable)
Source: Documentos de env#U00edo.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Documentos de env#U00edo.exe
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Process Stats: CPU usage > 98%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1CD2B8E8 20_2_1CD2B8E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1CD25660 20_2_1CD25660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1CD26D80 20_2_1CD26D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1CDB2D50 20_2_1CDB2D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1CDB2618 20_2_1CDB2618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1CDB1FE0 20_2_1CDB1FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1CDBDF68 20_2_1CDBDF68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1CDBAB70 20_2_1CDBAB70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1CDBC320 20_2_1CDBC320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1CDBEE88 20_2_1CDBEE88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1CDBF7C8 20_2_1CDBF7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1CDF6C84 20_2_1CDF6C84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1CDF0040 20_2_1CDF0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1CDFFA40 20_2_1CDFFA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1CDF3620 20_2_1CDF3620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1CDFC220 20_2_1CDFC220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1CDF9368 20_2_1CDF9368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1D8B47A0 20_2_1D8B47A0
Sample file is different than original file name gathered from version info
Source: Documentos de env#U00edo.exe, 00000000.00000002.580697666.0000000000710000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs Documentos de env#U00edo.exe
Source: Documentos de env#U00edo.exe, 00000000.00000000.203569731.0000000000423000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamePROSODETICDEF.exe vs Documentos de env#U00edo.exe
Source: Documentos de env#U00edo.exe Binary or memory string: OriginalFilenamePROSODETICDEF.exe vs Documentos de env#U00edo.exe
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Uses 32bit PE files
Source: Documentos de env#U00edo.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.spre.troj.spyw.evad.winEXE@4/1@4/3
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5024:120:WilError_01
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe File created: C:\Users\user\AppData\Local\Temp\~DFB9F937056F61369A.TMP
Source: Documentos de env#U00edo.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe File read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts (5 times)
Source: Documentos de env#U00edo.exe Virustotal: Detection: 20%
Source: unknown Process created: C:\Users\user\Desktop\Documentos de env#U00edo.exe 'C:\Users\user\Desktop\Documentos de env#U00edo.exe'
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Documentos de env#U00edo.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Documentos de env#U00edo.exe'
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4a04656d-52aa-49de-8a09-cb178760e748}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
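Two behaviours in this report carry the detection value: the VB6 lure starts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe but hands it the lure's own path as the command line (the process-creation entries above, the usual footprint of a hollowed host process), and that RegAsm.exe then opens TCP 587 to 78.128.8.31 (the Networking section, and the "Sigma detected: RegAsm connects to smtp port" hit). The Python below is an added example, not part of the Joe Sandbox report, that runs both checks over constructed Sysmon-style events modelled on those entries. Field names follow Sysmon Event ID 1 and 3; widening the watched images from RegAsm.exe to RegSvcs.exe and InstallUtil.exe is an assumption of the example, not something the report shows.

```python
import ntpath
from typing import Dict, List

MAIL_PORTS = {25, 465, 587}
# RegAsm.exe is the utility GuLoader hollows in this report; RegSvcs.exe and
# InstallUtil.exe are added as commonly abused siblings (assumption, not from the report).
HOLLOW_TARGETS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}


def _basename(path: str) -> str:
    return ntpath.basename(path.strip("'\"")).lower()


def _cmdline_image(cmdline: str) -> str:
    """First token of a Windows command line; honours single or double quotes around a path with spaces."""
    cmd = cmdline.strip()
    if cmd and cmd[0] in ("'", '"'):
        end = cmd.find(cmd[0], 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_process_create(ev: Dict) -> List[str]:
    """Sysmon-style Event ID 1: a hollowing target whose command line names a different image."""
    image = _basename(ev["Image"])
    if image not in HOLLOW_TARGETS:
        return []
    claimed = _basename(_cmdline_image(ev["CommandLine"]))
    if claimed == image:
        return []
    return [f"hollowing-indicator: {image} started with command line of {claimed} "
            f"(parent {_basename(ev['ParentImage'])})"]


def check_network_connect(ev: Dict) -> List[str]:
    """Sysmon-style Event ID 3: the Sigma logic 'RegAsm connects to smtp port', widened to the target set."""
    image = _basename(ev["Image"])
    if image in HOLLOW_TARGETS and int(ev["DestinationPort"]) in MAIL_PORTS:
        return [f"smtp-from-dotnet-utility: {image} -> {ev['DestinationIp']}:{ev['DestinationPort']}"]
    return []


def evaluate(events: List[Dict]) -> List[str]:
    alerts: List[str] = []
    for ev in events:
        if ev["EventID"] == 1:
            alerts += check_process_create(ev)
        elif ev["EventID"] == 3:
            alerts += check_network_connect(ev)
    return alerts


# Constructed events modelled on the report's process tree and TCP traffic, plus two benign controls:
# a developer registering an assembly with RegAsm.exe, and a mail client talking SMTP submission.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"'C:\Users\user\Desktop\Documentos de env#U00edo.exe'",
     "ParentImage": r"C:\Users\user\Desktop\Documentos de env#U00edo.exe"},
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "SourceIp": "192.168.2.3", "SourcePort": 49754,
     "DestinationIp": "78.128.8.31", "DestinationPort": 587},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" /codebase MyLib.dll',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "SourceIp": "192.168.2.3", "SourcePort": 49800,
     "DestinationIp": "10.0.0.25", "DestinationPort": 587},
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print(line)
```

The command-line mismatch fires on its own, before any network activity, so it is the earlier of the two signals; the SMTP check is the one that confirms exfiltration is under way. Both keys should be joined on ProcessGuid in a real pipeline so the two alerts land on the same process.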

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Code function: 0_2_00409055 push ss; ret 0_2_0040907F
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Code function: 0_2_0040B45D push ss; iretd 0_2_0040B467
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Code function: 0_2_004090A4 push ss; ret 0_2_004090B7
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Code function: 0_2_00406151 push ss; iretd 0_2_00406163
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Code function: 0_2_00407566 push edi; ret 0_2_00407567
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Code function: 0_2_00408D20 push ss; iretd 0_2_00408D2F
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Code function: 0_2_00409184 push ss; ret 0_2_00409193
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Code function: 0_2_00407E4C push ss; iretd 0_2_00407F03
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Code function: 0_2_0040B657 push ebp; ret 0_2_0040B668
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Code function: 0_2_0040BE67 push ss; iretd 0_2_0040BEC2
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Code function: 0_2_00409A90 push ss; iretd 0_2_00409AAB
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Code function: 0_2_0040BEAF push ss; iretd 0_2_0040BEC2
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Code function: 0_2_00409B6A push ss; iretd 0_2_00409B87
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Code function: 0_2_022573AB push es; retf 0_2_022573AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_00F0B424 push edx; ret 20_2_00F0B42B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1CDB0027 push eax; retf 20_2_1CDB0039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1CDB7A37 push edi; retn 0000h 20_2_1CDB7A39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1D8BB9A1 pushfd ; retf 20_2_1D8BB9A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1D8BBB6F pushfd ; retf 20_2_1D8BBB72
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Process information set: NOOPENFILEERRORBOX (4 times)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX (65 times)
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe RDTSC instruction interceptor: First address: 000000000225916B second address: 000000000225916B instructions:
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe RDTSC instruction interceptor: First address: 000000000225AD54 second address: 000000000225AD54 instructions:
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe RDTSC instruction interceptor: First address: 00000000022571FE second address: 00000000022571FE instructions:
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe RDTSC instruction interceptor: First address: 000000000225441C second address: 000000000225441C instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F03CA3 second address: 0000000000F03CA3 instructions:
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect Any.run
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe, 00000014.00000002.1282413879.0000000000BC0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1U3UTP2E9N-KTYQTSUDKBYXSCSQIOJWVKWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Source: Documentos de env#U00edo.exe, 00000000.00000002.581799628.0000000003C90000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.1282413879.0000000000BC0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Documentos de env#U00edo.exe, 00000000.00000002.580732268.000000000075E000.00000004.00000020.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE}[@W
Source: Documentos de env#U00edo.exe, 00000000.00000002.580732268.000000000075E000.00000004.00000020.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Documentos de env#U00edo.exe, 00000000.00000002.581799628.0000000003C90000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe RDTSC instruction interceptor: First address: 000000000225916B second address: 000000000225916B instructions:
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe RDTSC instruction interceptor: First address: 000000000225AD54 second address: 000000000225AD54 instructions:
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe RDTSC instruction interceptor: First address: 000000000225621F second address: 000000000225621F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, FA25E20Bh 0x00000013 xor eax, 8D2E0BD9h 0x00000018 xor eax, B706CE67h 0x0000001d add eax, 3FF2D84Ch 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FB080D17B53h 0x0000002e popad 0x0000002f call 00007FB080D1489Ch 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe RDTSC instruction interceptor: First address: 00000000022571FE second address: 00000000022571FE instructions:
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe RDTSC instruction interceptor: First address: 000000000225441C second address: 000000000225441C instructions:
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe RDTSC instruction interceptor: First address: 0000000002254C41 second address: 0000000002254CD8 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add ebx, E4F5C3BBh 0x00000009 xor ebx, F04BE065h 0x0000000f push ebx 0x00000010 mov ebx, dword ptr [ebp+00000269h] 0x00000016 mov dword ptr [ebp+0000027Dh], edi 0x0000001c mov edi, 6EA3B468h 0x00000021 cmp edx, eax 0x00000023 cmp ecx, ecx 0x00000025 xor edi, CF0FEDB9h 0x0000002b xor edi, 3ACEA381h 0x00000031 xor edi, 9B62FA50h 0x00000037 jmp 00007FB080A5394Ah 0x00000039 pushad 0x0000003a mov esi, 0000005Fh 0x0000003f rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F0621F second address: 0000000000F0621F instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, FA25E20Bh 0x00000013 xor eax, 8D2E0BD9h 0x00000018 xor eax, B706CE67h 0x0000001d add eax, 3FF2D84Ch 0x00000022 cpuid 0x00000024 bt ecx, 1Fh 0x00000028 jc 00007FB080D17B53h 0x0000002e popad 0x0000002f call 00007FB080D1489Ch 0x00000034 lfence 0x00000037 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe RDTSC instruction interceptor: First address: 0000000000F03CA3 second address: 0000000000F03CA3 instructions:
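The intercepted instruction sequences above pair `rdtsc` with `cpuid` and then test `bt ecx, 1Fh` / `jc`: the first RDTSC reads the timestamp counter (EDX:EAX, joined by `shl edx, 20h ; or edx, eax`), CPUID forces a VM exit on most hypervisors so the second RDTSC lands far later than on bare metal, and CPUID leaf 1 ECX bit 31 is the "hypervisor present" bit. The two `File opened` lines under "Tries to detect Any.run" are a third probe, a plain existence check for the QEMU guest agent. The following C is an added example, not code from the sample or from the report, that reimplements those three probes so the trace can be read against working code. It assumes gcc or clang on x86/x86-64 (on other architectures the CPU-specific probes compile to stubs returning 0); the two guest-agent paths are the ones the report lists, the sampling loop and thresholds are my own choices.

```c
/* Added example (not from the sample or the report): the three VM/sandbox
 * probes visible in the report, reimplemented for study. */
#include <stdio.h>
#include <stdint.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __get_cpuid, __cpuid */
#include <x86intrin.h>  /* __rdtsc */
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* "shl edx, 20h ; or edx, eax" in the trace: RDTSC returns the counter in
 * EDX:EAX, this joins the halves into one 64-bit value. */
uint64_t combine_tsc(uint32_t edx_hi, uint32_t eax_lo)
{
    return ((uint64_t)edx_hi << 32) | eax_lo;
}

/* "cpuid ; bt ecx, 1Fh ; jc ..." in the trace: CPUID leaf 1 sets ECX bit 31
 * when a hypervisor is present, and BT copies that bit into CF for the JC. */
int hypervisor_bit_set(uint32_t leaf1_ecx)
{
    return (leaf1_ecx >> 31) & 1u;
}

/* CPUID leaf 1 ECX on x86, 0 elsewhere. */
uint32_t read_cpuid_leaf1_ecx(void)
{
#if HAVE_X86
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    if (__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return ecx;
#endif
    return 0;
}

/* The timing probe: RDTSC, CPUID (which traps to the hypervisor under most
 * VMMs and therefore costs far more cycles than on bare metal), RDTSC again.
 * Returns the smallest delta over `rounds` samples so scheduler noise does not
 * inflate the result; 0 when rounds <= 0 or on non-x86 builds. */
uint64_t rdtsc_cpuid_delta(int rounds)
{
    uint64_t best = UINT64_MAX;
#if HAVE_X86
    for (int i = 0; i < rounds; i++) {
        unsigned int eax, ebx, ecx, edx;
        uint64_t t0 = __rdtsc();
        __cpuid(0, eax, ebx, ecx, edx);
        uint64_t t1 = __rdtsc();
        if (t1 - t0 < best)
            best = t1 - t0;
    }
#else
    (void)rounds;
#endif
    return best == UINT64_MAX ? 0 : best;
}

/* The existence probe behind "File opened: C:\Program Files\Qemu-ga\qemu-ga.exe":
 * returns how many of the given paths can be opened. */
int count_existing_paths(const char *const *paths, int n)
{
    int found = 0;
    for (int i = 0; i < n; i++) {
        FILE *f = fopen(paths[i], "rb");
        if (f) {
            found++;
            fclose(f);
        }
    }
    return found;
}

int main(void)
{
    /* The two QEMU guest-agent paths the report shows the sample opening. */
    const char *const agent_paths[] = {
        "C:\\Program Files\\Qemu-ga\\qemu-ga.exe",
        "C:\\Program Files\\qga\\qga.exe",
    };
    printf("CPUID.1:ECX[31] hypervisor bit: %d\n",
           hypervisor_bit_set(read_cpuid_leaf1_ecx()));
    printf("min RDTSC delta around CPUID: %llu cycles\n",
           (unsigned long long)rdtsc_cpuid_delta(1000));
    printf("guest-agent binaries present: %d\n",
           count_existing_paths(agent_paths, 2));
    return 0;
}
```

Run it once on bare metal and once inside the analysis VM to see why the sample bothers: the hypervisor bit alone is hidden by some sandboxes, but the CPUID round-trip delta typically differs by an order of magnitude, and the sample's `jc` target after `bt ecx, 1Fh` is where the benign path diverges from the payload path.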
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 367 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9469 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5032 Thread sleep time: -15679732462653109s >= -30000s Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: RegAsm.exe, 00000014.00000002.1282413879.0000000000BC0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=https://drive.google.com/uc?export=download&id=1u3UtP2e9N-KtyQTSuDKByxsCSqIoJWVkwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: Documentos de env#U00edo.exe, 00000000.00000002.580732268.000000000075E000.00000004.00000020.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe}[@W
Source: Documentos de env#U00edo.exe, 00000000.00000002.581799628.0000000003C90000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dll
Source: RegAsm.exe, 00000014.00000002.1283473550.00000000011F8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: Documentos de env#U00edo.exe, 00000000.00000002.581799628.0000000003C90000.00000004.00000001.sdmp, RegAsm.exe, 00000014.00000002.1282413879.0000000000BC0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 00000014.00000002.1283558110.0000000001240000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW}
Source: Documentos de env#U00edo.exe, 00000000.00000002.580732268.000000000075E000.00000004.00000020.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 20_2_1CDF0040 LdrInitializeThunk, 20_2_1CDF0040
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F00000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Documentos de env#U00edo.exe' Jump to behavior
Source: RegAsm.exe, 00000014.00000002.1284217440.0000000001800000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 00000014.00000002.1284217440.0000000001800000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000014.00000002.1284217440.0000000001800000.00000002.00000001.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 00000014.00000002.1284217440.0000000001800000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Yara detected AgentTesla
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5088, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000014.00000002.1289141287.000000001DA41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5088, type: MEMORYSTR
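Two of the behaviours in this report turn directly into host-based detections: the credential-store accesses listed under the four "Tries to harvest" signatures above, all performed by RegAsm.exe (a .NET COM registration utility with no legitimate reason to read browser, FTP, SCP or mail profiles), and the process creation under "Creates a process in suspended mode", where RegAsm.exe is started with the lure's own command line (`'C:\Users\user\Desktop\Documentos de env#U00edo.exe'`) because the injector copied its own. The following C is an added example, not code from the report or from any vendor product, that runs both checks over constructed telemetry records. The RegAsm.exe records reproduce the paths and keys the report lists; the event schema, the explorer.exe control record and the category grouping are assumptions.

```c
/* Added example, not from the report: detection logic over constructed
 * host-telemetry records (file opens, registry key opens, process creations)
 * modelled on the behaviours the report lists. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *process; /* image path of the acting process */
    const char *kind;    /* "file_open", "key_open" or "process_create" */
    const char *target;  /* file path, registry key, or child image path */
    const char *detail;  /* child command line for process_create, else "" */
} Event;

/* Credential stores seen in the report, grouped by the kind of secret held. */
typedef struct { const char *category; const char *needle; } StoreSig;
static const StoreSig STORE_SIGS[] = {
    { "browser", "\\Mozilla\\Firefox\\profiles.ini" },
    { "browser", "\\Google\\Chrome\\User Data\\Default\\Login Data" },
    { "ftp",     "\\FileZilla\\recentservers.xml" },
    { "ftp",     "\\SmartFTP\\Client 2.0\\Favorites\\" },
    { "scp",     "\\Martin Prikryl\\WinSCP 2\\Sessions" },
    { "mail",    "\\Thunderbird\\profiles.ini" },
    { "mail",    "\\Windows Messaging Subsystem\\Profiles\\Outlook\\" },
    { "mail",    "\\IncrediMail\\Identities" },
};
#define N_STORE_SIGS (sizeof STORE_SIGS / sizeof STORE_SIGS[0])

#define REGASM "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
#define LURE   "C:\\Users\\user\\Desktop\\Documentos de env#U00edo.exe"

/* Constructed sample telemetry: RegAsm.exe records follow the report, the
 * explorer.exe record is a benign control. */
const Event SAMPLE_EVENTS[] = {
    { LURE,   "process_create", REGASM, "'" LURE "'" },
    { REGASM, "file_open", "C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini", "" },
    { REGASM, "file_open", "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", "" },
    { REGASM, "file_open", "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml", "" },
    { REGASM, "key_open",  "HKEY_CURRENT_USER\\SOFTWARE\\Martin Prikryl\\WinSCP 2\\Sessions", "" },
    { REGASM, "file_open", "C:\\Users\\user\\AppData\\Roaming\\Thunderbird\\profiles.ini", "" },
    { REGASM, "key_open",  "HKEY_CURRENT_USER\\Software\\IncrediMail\\Identities", "" },
    { "C:\\Windows\\explorer.exe", "file_open", "C:\\Users\\user\\Documents\\notes.txt", "" },
};
const int N_SAMPLE_EVENTS = sizeof SAMPLE_EVENTS / sizeof SAMPLE_EVENTS[0];

static const char *basename_of(const char *path)
{
    const char *p = strrchr(path, '\\');
    return p ? p + 1 : path;
}

static bool ieq(const char *a, const char *b) /* case-insensitive equality */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

/* Number of distinct credential-store categories `process` read. Two or more
 * from a single process that is not a browser or mail client is a strong
 * stealer signal; RegAsm.exe reading any of them is already suspicious. */
int credential_store_categories(const Event *ev, int n, const char *process)
{
    const char *seen[N_STORE_SIGS];
    int nseen = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(ev[i].process, process) != 0)
            continue;
        if (strcmp(ev[i].kind, "file_open") != 0 && strcmp(ev[i].kind, "key_open") != 0)
            continue;
        for (size_t s = 0; s < N_STORE_SIGS; s++) {
            if (!strstr(ev[i].target, STORE_SIGS[s].needle))
                continue;
            bool dup = false;
            for (int k = 0; k < nseen; k++)
                if (strcmp(seen[k], STORE_SIGS[s].category) == 0)
                    dup = true;
            if (!dup)
                seen[nseen++] = STORE_SIGS[s].category;
        }
    }
    return nseen;
}

/* Hollowing indicator: the executable named by the child's command line
 * (first token, quoted with ' or ") differs from the child's image. */
bool command_line_mismatch(const char *image, const char *cmdline)
{
    char first[512];
    size_t len = 0;
    char quote = (*cmdline == '\'' || *cmdline == '"') ? *cmdline++ : 0;
    while (*cmdline && len < sizeof first - 1 &&
           (quote ? *cmdline != quote : *cmdline != ' '))
        first[len++] = *cmdline++;
    first[len] = '\0';
    return !ieq(basename_of(image), basename_of(first));
}

int hollowing_candidates(const Event *ev, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++)
        if (strcmp(ev[i].kind, "process_create") == 0 &&
            command_line_mismatch(ev[i].target, ev[i].detail))
            hits++;
    return hits;
}

int main(void)
{
    printf("credential-store categories touched by RegAsm.exe: %d\n",
           credential_store_categories(SAMPLE_EVENTS, N_SAMPLE_EVENTS, REGASM));
    printf("process creations with image/command-line mismatch: %d\n",
           hollowing_candidates(SAMPLE_EVENTS, N_SAMPLE_EVENTS));
    return 0;
}
```

On the constructed records RegAsm.exe scores four categories (browser, ftp, scp, mail) and the RegAsm.exe creation is the one image/command-line mismatch. In production the same two checks map onto Sysmon event ID 1 (image versus command line) and file/registry access telemetry; the category grouping keeps a single profile read by a legitimate client from firing on its own.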

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5088, type: MEMORYSTR