Source: Process started | Author: Florian Roth: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Swift Copy.exe' , ParentImage: C:\Users\user\Desktop\Swift Copy.exe, ParentProcessId: 6596, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7108 |
Source: Process started | Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Swift Copy.exe' , ParentImage: C:\Users\user\Desktop\Swift Copy.exe, ParentProcessId: 6596, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 7108 |
Source: 5.2.RegSvcs.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "sales@radheatwaters.com", "Password": "waters@789", "Host": "uscentral50.myserverhosts.com"} |
Source: Swift Copy.exe | Virustotal: Detection: 63% |
Source: Swift Copy.exe | Metadefender: Detection: 45% |
Source: Swift Copy.exe | ReversingLabs: Detection: 81% |
Source: 5.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8 |
Source: Swift Copy.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED |
Source: Swift Copy.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000005.00000003.879911787.000000000616C000.00000004.00000001.sdmp, NXLun.exe, 0000000C.00000000.751818499.0000000000322000.00000002.00020000.sdmp, NXLun.exe, 0000000E.00000000.769239763.00000000006A2000.00000002.00020000.sdmp, NXLun.exe.5.dr |
Source: | Binary string: System.EnterpriseServices.Wrapper.pdb source: NXLun.exe, 0000000E.00000002.771944861.0000000004E90000.00000002.00000001.sdmp |
Source: | Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe.5.dr |
Source: global traffic | TCP traffic: 192.168.2.4:49763 -> 174.136.12.72:587 |
Source: Joe Sandbox View | IP Address: 174.136.12.72 |
Source: unknown | DNS traffic detected: queries for: uscentral50.myserverhosts.com |
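The two process-start rows, the dropped AgentTesla configuration and the traffic to 174.136.12.72:587 describe a single chain: the dropper "Swift Copy.exe" starts the legitimate .NET utility RegSvcs.exe, the AgentTesla payload runs from inside that process (the configuration is extracted from the RegSvcs.exe image at 0x400000), and stolen data leaves over SMTP submission on port 587 to the host named in the configuration. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it correlates constructed Sysmon-style process-start and network events that mirror these rows. The event field names, the benign control events and every PID other than 6596/7108 are assumptions.

```python
"""Added example: correlate process-start and network events for the
RegSvcs.exe-as-injection-host pattern shown in this report.
Field names follow Sysmon-style naming (an assumption); all events are
constructed to mirror the report's rows."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# .NET framework utilities that .NET loaders routinely hollow and run their payload in.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
# Parent locations from which these utilities are launched legitimately
# (build tooling, installers). Anything else, e.g. a user's Desktop, is suspicious.
TRUSTED_PARENT_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Mail transport/submission ports used by SMTP exfiltration.
MAIL_PORTS = {25, 465, 587}


@dataclass(frozen=True)
class ProcessStart:
    pid: int
    image: str
    parent_image: str
    parent_pid: int


@dataclass(frozen=True)
class NetConnect:
    pid: int
    image: str
    dst_ip: str
    dst_port: int


def suspicious_dotnet_host(ev: ProcessStart) -> bool:
    """True when a .NET utility is started by a parent outside the trusted locations."""
    if ntpath.basename(ev.image).lower() not in DOTNET_HOSTS:
        return False
    return not ev.parent_image.lower().startswith(TRUSTED_PARENT_PREFIXES)


def correlate(procs: list[ProcessStart], conns: list[NetConnect]) -> list[dict]:
    """Flag suspicious hosts, then escalate any of them that talk to a mail port."""
    flagged = {p.pid: p for p in procs if suspicious_dotnet_host(p)}
    findings = [
        {"pid": p.pid, "reason": "dotnet_host_untrusted_parent", "parent": p.parent_image}
        for p in flagged.values()
    ]
    for c in conns:
        if c.pid in flagged and c.dst_port in MAIL_PORTS:
            findings.append({"pid": c.pid, "reason": "smtp_from_hollowed_host",
                             "dst": f"{c.dst_ip}:{c.dst_port}"})
    return findings


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
DROPPER = r"C:\Users\user\Desktop\Swift Copy.exe"

# Constructed sample events. PIDs 6596/7108 and the port-587 connection mirror
# the report; the cmd.exe- and notepad-based events are assumed benign controls.
SAMPLE_PROCS = [
    ProcessStart(7108, REGSVCS, DROPPER, 6596),
    ProcessStart(4242, REGSVCS, r"C:\Windows\System32\cmd.exe", 4000),
    ProcessStart(5555, r"C:\Windows\System32\notepad.exe", DROPPER, 6596),
]
SAMPLE_CONNS = [
    NetConnect(7108, REGSVCS, "174.136.12.72", 587),
    NetConnect(4242, REGSVCS, "10.0.0.5", 443),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_PROCS, SAMPLE_CONNS):
        print(finding)
```

The parent-path allow-list is the tuning knob: treating anything under C:\Windows as trusted keeps developer machines quiet but would miss a loader that goes through cmd.exe or explorer.exe first, so in a fleet with little build tooling a stricter list (only devenv.exe and MSBuild as parents) is the better trade.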
Source: RegSvcs.exe, 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: RegSvcs.exe, 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS |
Source: RegSvcs.exe, 00000005.00000002.915479058.00000000061A6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04 |
Source: RegSvcs.exe, 00000005.00000002.915479058.00000000061A6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06 |
Source: RegSvcs.exe, 00000005.00000002.915430072.0000000006150000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMOD |
Source: RegSvcs.exe, 00000005.00000002.915479058.00000000061A6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q |
Source: RegSvcs.exe, 00000005.00000002.915479058.00000000061A6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0 |
Source: Swift Copy.exe | String found in binary or memory: http://i.imgur.com/blkrqBo.gifiThis |
Source: RegSvcs.exe, 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | String found in binary or memory: http://knrDOu.com |
Source: RegSvcs.exe, 00000005.00000002.915479058.00000000061A6000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0 |
Source: RegSvcs.exe, 00000005.00000002.915479058.00000000061A6000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0K |
Source: RegSvcs.exe, 00000005.00000002.914343205.00000000033A1000.00000004.00000001.sdmp | String found in binary or memory: http://uscentral50.myserverhosts.com |
Source: Swift Copy.exe, 00000000.00000003.651279811.0000000005F1D000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html |
Source: Swift Copy.exe, 00000000.00000003.650768353.0000000005EE8000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com |
Source: Swift Copy.exe, 00000000.00000003.646781257.0000000005EFB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com |
Source: Swift Copy.exe, 00000000.00000003.648730703.0000000005EE7000.00000004.00000001.sdmp, Swift Copy.exe, 00000000.00000003.648289536.0000000005EEE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn |
Source: Swift Copy.exe, 00000000.00000003.649167632.0000000005EE6000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/ |
Source: Swift Copy.exe, 00000000.00000003.648981932.0000000005EE8000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/) |
Source: Swift Copy.exe, 00000000.00000003.649325158.0000000005EE6000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn_ |
Source: Swift Copy.exe, 00000000.00000003.646436458.0000000005EE3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.come |
Source: Swift Copy.exe, 00000000.00000003.646436458.0000000005EE3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comeb |
Source: Swift Copy.exe, 00000000.00000003.646436458.0000000005EE3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comr |
Source: Swift Copy.exe, 00000000.00000003.646436458.0000000005EE3000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comt |
Source: RegSvcs.exe, 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$ |
Source: RegSvcs.exe, 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0 |
Source: RegSvcs.exe, 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | String found in binary or memory: https://ieCyjsGVULsHnV35yt1w.com |
Source: RegSvcs.exe, 00000005.00000002.915479058.00000000061A6000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0 |
Source: Swift Copy.exe | String found in binary or memory: https://static.hummingbird.me/anime/poster_images/000/010/716/large/0fd8df1b586e60a0b1591cd8555c072f |
Source: RegSvcs.exe, 00000005.00000002.912796480.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip |
Source: RegSvcs.exe, 00000005.00000002.913952724.0000000003041000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
Source: 5.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b8EBE0887u002d52DAu002d4DF7u002dAB51u002d183BD1532218u007d/u0038B181F2Au002d08E3u002d4851u002d889Cu002dF1A7A4D42382.cs | Large array initialization: .cctor: array initializer size 11961 |
Source: Swift Copy.exe, DNivaRVr0UVDkJ7TUW/Y7YycAhjkVqtbt4cEc.cs | Long String: Length: 10292 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_010A2D50 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_010ADC00 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_010A2768 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_010AAB78 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_010A1FF0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_010B2210 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_010B0290 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_010B64C0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_010B4788 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_010B7680 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_010BCD08 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_013E47A0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_013E4761 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_013E4781 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_013ED660 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_062B9650 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_062BB190 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_062B5DF0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_062B6E58 |
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50 |
Source: Swift Copy.exe, 00000000.00000000.644424930.0000000000BA8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWindowsIdenti.exe2 vs Swift Copy.exe |
Source: Swift Copy.exe | Binary or memory string: OriginalFilenameWindowsIdenti.exe2 vs Swift Copy.exe |
Source: 5.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' |
Source: Swift Copy.exe, u69hr273pZXtuR9Feq/K0AK1lI66eynLEt88F.cs | Base64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAACgAAAAoCAYAAACM/rhtAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAKRJREFUeNpi/P//P8NgBkwMgxyMOnDUgaMOHHXgqANHHTjqwAEGoNYMMgYCeyA+CZIiAm8HYhWaugeLA58T6TgY3ohk/l4S9aLjvejuwRbFEiR6WhGJ/YvCAMTQz0LlFOM5mospBBSnQVo7cDQNjqZBaqTBpyQ66hEt0yC2msSDhNrkEhBr0bKqYxwdWRh14KgDRx046sBRB446cNSBQ9qBAAEGAPhFqjdpHPl0AAAAAElFTkSuQmCC' |
Source: Swift Copy.exe, DNivaRVr0UVDkJ7TUW/Y7YycAhjkVqtbt4cEc.cs | Base64 encoded string: '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 |
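The "Base64 encoded string" rows are low-fidelity on their own: a .NET binary's embedded resources (icons, images) are stored as base64 just as readily as a second-stage payload is. The following Python is an added example, not part of the report or of the sample: it decodes the blob from the first of those rows (tolerating lost padding, as strings dumps often produce), classifies it by magic bytes and walks its PNG chunks, and contrasts it with a constructed MZ-prefixed blob of the kind that would warrant unpacking. The magic table is a small assumed set.

```python
"""Added example: triage base64 blobs found in a sample by decoded magic bytes."""
from __future__ import annotations

import base64
import struct

# Blob copied from the report's first 'Base64 encoded string' row.
REPORT_BLOB = (
    "iVBORw0KGgoAAAANSUhEUgAAACgAAAAoCAYAAACM/rhtAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5"
    "ccllPAAAAKRJREFUeNpi/P//P8NgBkwMgxyMOnDUgaMOHHXgqANHHTjqwAEGoNYMMgYCeyA+CZIiAm8HYhWaugeLA58T"
    "6TgY3ohk/l4S9aLjvejuwRbFEiR6WhGJ/YvCAMTQz0LlFOM5mospBBSnQVo7cDQNjqZBaqTBpyQ66hEt0yC2msSDhNrk"
    "EhBr0bKqYxwdWRh14KgDRx046sBRB446cNSBQ9qBAAEGAPhFqjdpHPl0AAAAAElFTkSuQmCC"
)
# Constructed control: a DOS/PE header prefix, the kind of blob that is worth unpacking.
CONSTRUCTED_PE_BLOB = base64.b64encode(b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56).decode()

# Small assumed magic table; extend it for whatever your loaders usually carry.
MAGICS = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"MZ", "pe"),
    (b"PK\x03\x04", "zip"),
    (b"GIF8", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x1f\x8b", "gzip"),
)


def decode_lenient(blob: str) -> bytes:
    """Decode base64 that may have lost whitespace or trailing '=' in a strings dump."""
    compact = "".join(blob.split())
    return base64.b64decode(compact + "=" * (-len(compact) % 4))


def png_chunks(data: bytes) -> list[tuple[str, int]]:
    """Walk PNG chunks (length, type, data, crc) after the 8-byte signature."""
    chunks, pos = [], 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunks.append((ctype.decode("ascii"), length))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def classify_blob(blob: str) -> dict:
    """Return the decoded size and file kind; for PNGs also the dimensions and chunk list."""
    data = decode_lenient(blob)
    kind = next((name for magic, name in MAGICS if data.startswith(magic)), "unknown")
    info = {"kind": kind, "size": len(data)}
    if kind == "png" and len(data) >= 24:
        info["width"], info["height"] = struct.unpack(">II", data[16:24])
        info["chunks"] = png_chunks(data)
    return info


if __name__ == "__main__":
    print(classify_blob(REPORT_BLOB))
    print(classify_blob(CONSTRUCTED_PE_BLOB))
```

The report's blob turns out to be a 40x40 RGBA PNG with an Adobe ImageReady tEXt chunk, i.e. an icon resource, so the row adds nothing to the verdict; the same routine applied to a blob that decodes to an MZ header is where the unpacking effort belongs.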