{"Exfil Mode": "SMTP", "Username": "compliance2@odessabd.com", "Password": "abc321", "Host": "mail.odessabd.com"}
Source: Process started | Author: Florian Roth: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\PI A19T010620.exe' , ParentImage: C:\Users\user\Desktop\PI A19T010620.exe, ParentProcessId: 7024, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6464 |
Source: Process started | Author: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\PI A19T010620.exe' , ParentImage: C:\Users\user\Desktop\PI A19T010620.exe, ParentProcessId: 7024, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6464 |
Source: 2.2.RegSvcs.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "compliance2@odessabd.com", "Password": "abc321", "Host": "mail.odessabd.com"} |
Source: PI A19T010620.exe | Virustotal: Detection: 51% | Perma Link |
Source: PI A19T010620.exe | Metadefender: Detection: 42% | Perma Link |
Source: PI A19T010620.exe | ReversingLabs: Detection: 78% |
Source: PI A19T010620.exe | Joe Sandbox ML: detected |
Source: 2.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8 |
Source: PI A19T010620.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED |
Source: PI A19T010620.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: RegSvcs.pdb, source: NXLun.exe, 00000009.00000002.744648798.00000000001B2000.00000002.00020000.sdmp, NXLun.exe, 0000000D.00000002.761737974.0000000000AB2000.00000002.00020000.sdmp, NXLun.exe.2.dr |
Source: | Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe.2.dr |
Source: Joe Sandbox View | IP Address: 192.185.90.36 |
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US |
Source: unknown | DNS traffic detected: queries for: mail.odessabd.com |
Source: RegSvcs.exe, 00000002.00000002.901158157.0000000002401000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1 |
Source: RegSvcs.exe, 00000002.00000002.901158157.0000000002401000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS |
Source: RegSvcs.exe, 00000002.00000002.901604014.0000000002788000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.901542292.000000000275D000.00000004.00000001.sdmp, RegSvcs.exe, 00000002.00000002.901158157.0000000002401000.00000004.00000001.sdmp | String found in binary or memory: http://P02rvktl5O.com |
Source: RegSvcs.exe, 00000002.00000003.891861586.0000000005655000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0 |
Source: RegSvcs.exe, 00000002.00000003.891861586.0000000005655000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.o_ |
Source: RegSvcs.exe, 00000002.00000003.891861586.0000000005655000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0 |
Source: RegSvcs.exe, 00000002.00000003.891861586.0000000005655000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0 |
Source: RegSvcs.exe, 00000002.00000003.891861586.0000000005655000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0 |
Source: RegSvcs.exe, 00000002.00000003.880396544.0000000005619000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microsoft.co9 |
Source: PI A19T010620.exe | String found in binary or memory: http://i.imgur.com/blkrqBo.gifiThis |
Source: RegSvcs.exe, 00000002.00000002.901158157.0000000002401000.00000004.00000001.sdmp | String found in binary or memory: http://mOEDeY.com |
Source: RegSvcs.exe, 00000002.00000002.901557138.0000000002765000.00000004.00000001.sdmp | String found in binary or memory: http://mail.odessabd.com |
Source: RegSvcs.exe, 00000002.00000002.901557138.0000000002765000.00000004.00000001.sdmp | String found in binary or memory: http://odessabd.com |
Source: RegSvcs.exe, 00000002.00000003.891861586.0000000005655000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0 |
Source: RegSvcs.exe, 00000002.00000003.891861586.0000000005655000.00000004.00000001.sdmp | String found in binary or memory: http://r3.o.lencr.org0 |
Source: PI A19T010620.exe, 00000000.00000003.638876019.0000000001ADD000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn |
Source: RegSvcs.exe, 00000002.00000003.891861586.0000000005655000.00000004.00000001.sdmp | String found in binary or memory: http://x1.c.lencr.org/0 |
Source: RegSvcs.exe, 00000002.00000003.891861586.0000000005655000.00000004.00000001.sdmp | String found in binary or memory: http://x1.i.lencr.org/0 |
Source: RegSvcs.exe, 00000002.00000002.901158157.0000000002401000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$ |
Source: RegSvcs.exe, 00000002.00000002.901158157.0000000002401000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0 |
Source: PI A19T010620.exe | String found in binary or memory: https://static.hummingbird.me/anime/poster_images/000/010/716/large/0fd8df1b586e60a0b1591cd8555c072f |
Source: RegSvcs.exe, 00000002.00000002.899781379.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip |
Source: RegSvcs.exe, 00000002.00000002.901158157.0000000002401000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: 2.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bD95BE525u002dE724u002d4092u002dAC05u002d1C2D15F5ED67u007d/CB5629C0u002dCF6Bu002d4547u002dA8F4u002d3F00408FA47B.cs | Large array initialization: .cctor: array initializer size 11946 |
Source: PI A19T010620.exe, UT1ISfP0HmUF7h5yru/aMxeoyTl2XtxGNHxhY.cs | Long String: Length: 10292 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00699822 | 2_2_00699822 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0069C128 | 2_2_0069C128 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_006905C8 | 2_2_006905C8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00695ED0 | 2_2_00695ED0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_006973CC | 2_2_006973CC |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00702D50 | 2_2_00702D50 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0070D500 | 2_2_0070D500 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0070AB78 | 2_2_0070AB78 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00701FF0 | 2_2_00701FF0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0070CCB0 | 2_2_0070CCB0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0070F330 | 2_2_0070F330 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00820270 | 2_2_00820270 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_008285E8 | 2_2_008285E8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00824B98 | 2_2_00824B98 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0082D1EA | 2_2_0082D1EA |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_008253E0 | 2_2_008253E0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0082533A | 2_2_0082533A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_022347A0 | 2_2_022347A0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02233CCC | 2_2_02233CCC |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_022346B0 | 2_2_022346B0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02235471 | 2_2_02235471 |
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50 |
Source: PI A19T010620.exe, 00000000.00000000.634626091.000000000110A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCompletionActionInvok.exe2 vs PI A19T010620.exe |
Source: PI A19T010620.exe | Binary or memory string: OriginalFilenameCompletionActionInvok.exe2 vs PI A19T010620.exe |
Source: 2.2.RegSvcs.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' |
Source: PI A19T010620.exe, UT1ISfP0HmUF7h5yru/aMxeoyTl2XtxGNHxhY.cs | Base64 encoded string: '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 |