
Windows Analysis Report HSBc20210216B1.exe

Overview

General Information

Sample Name: HSBc20210216B1.exe
Analysis ID: 483659
MD5: ced0f1b2afd1d48ecb5dc8a563c836c9
SHA1: d999697f2b1111b7b72603bc9bee04cbf7a3664c
SHA256: 8bd91aa543ff97c07aae2a257ea7f97729c4345be8c4c4e6dea2e1aa48324bc3
Tags: AgentTesla, exe

Detection

Family: AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • HSBc20210216B1.exe (PID: 6404 cmdline: 'C:\Users\user\Desktop\HSBc20210216B1.exe' MD5: CED0F1B2AFD1D48ECB5DC8A563C836C9)
    • RegSvcs.exe (PID: 6648 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • NXLun.exe (PID: 6692 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 4088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • NXLun.exe (PID: 6780 cmdline: 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "paola.micheli@copangroup.xyz", "Password": "gibson.1990", "Host": "us2.smtp.mailhostbox.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.490503848.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.490503848.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000001.00000002.249871977.0000000003061000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000001.00000002.251226749.0000000004069000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000001.00000002.251226749.0000000004069000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
(8 further entries not shown; the Strings column is empty for all rows)

Unpacked PEs

Source | Rule | Description | Author
5.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
5.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
1.2.HSBc20210216B1.exe.412acb8.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.HSBc20210216B1.exe.412acb8.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
1.2.HSBc20210216B1.exe.412acb8.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(1 further entry not shown; the Strings column is empty for all rows)

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started | Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\HSBc20210216B1.exe' , ParentImage: C:\Users\user\Desktop\HSBc20210216B1.exe, ParentProcessId: 6404, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6648
Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\HSBc20210216B1.exe' , ParentImage: C:\Users\user\Desktop\HSBc20210216B1.exe, ParentProcessId: 6404, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6648

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 1.2.HSBc20210216B1.exe.412acb8.1.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "paola.micheli@copangroup.xyz", "Password": "gibson.1990", "Host": "us2.smtp.mailhostbox.com"}
Multi AV Scanner detection for submitted file
Source: HSBc20210216B1.exe | Virustotal: Detection: 20%
Source: HSBc20210216B1.exe | ReversingLabs: Detection: 16%
Source: 5.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: HSBc20210216B1.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: HSBc20210216B1.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000005.00000003.449772837.0000000005993000.00000004.00000001.sdmp, NXLun.exe, 00000012.00000002.314896853.0000000000A92000.00000002.00020000.sdmp, NXLun.exe, 00000017.00000000.328698652.0000000000C52000.00000002.00020000.sdmp, NXLun.exe.5.dr
Source: Binary string: RegSvcs.pdb source: NXLun.exe, NXLun.exe.5.dr
Source: Joe Sandbox View | IP Address: 208.91.199.225
Source: global traffic | TCP traffic: 192.168.2.3:49818 -> 208.91.199.225:587
Source: RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://5c3LgjsgKO5q1r.com
Source: RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegSvcs.exe, 00000005.00000002.496366512.0000000002A40000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://jdPkJL.com
Source: RegSvcs.exe, 00000005.00000002.496366512.0000000002A40000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0A
Source: RegSvcs.exe, 00000005.00000002.496366512.0000000002A40000.00000004.00000001.sdmp | String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: HSBc20210216B1.exe, 00000001.00000003.231640927.00000000060BF000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: HSBc20210216B1.exe, 00000001.00000003.232393260.00000000060C0000.00000004.00000001.sdmp, HSBc20210216B1.exe, 00000001.00000003.231752467.00000000060C0000.00000004.00000001.sdmp, HSBc20210216B1.exe, 00000001.00000003.232607353.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: HSBc20210216B1.exe, 00000001.00000003.232607353.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com-y
Source: HSBc20210216B1.exe, 00000001.00000003.231789778.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com.12.p
Source: HSBc20210216B1.exe, 00000001.00000003.231752467.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com3
Source: HSBc20210216B1.exe, 00000001.00000003.232607353.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comB4
Source: HSBc20210216B1.exe, 00000001.00000003.232808189.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comBv
Source: HSBc20210216B1.exe, 00000001.00000003.232393260.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comIyU4
Source: HSBc20210216B1.exe, 00000001.00000003.232607353.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: HSBc20210216B1.exe, 00000001.00000003.231865905.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTCwy
Source: HSBc20210216B1.exe, 00000001.00000003.232393260.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comcRyJ4
Source: HSBc20210216B1.exe, 00000001.00000003.232393260.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comjw
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: HSBc20210216B1.exe, 00000001.00000003.231752467.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn-u
Source: HSBc20210216B1.exe, 00000001.00000003.232808189.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comnv
Source: HSBc20210216B1.exe, 00000001.00000003.232548828.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comvw
Source: HSBc20210216B1.exe, 00000001.00000003.232607353.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comw
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: HSBc20210216B1.exe, 00000001.00000003.235658575.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: HSBc20210216B1.exe, 00000001.00000003.236025933.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers2qa4n
Source: HSBc20210216B1.exe, 00000001.00000003.236619080.00000000060C0000.00000004.00000001.sdmp, HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: HSBc20210216B1.exe, 00000001.00000003.237063097.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersGqV4
Source: HSBc20210216B1.exe, 00000001.00000003.236025933.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersXq
Source: HSBc20210216B1.exe, 00000001.00000003.235700772.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersp
Source: HSBc20210216B1.exe, 00000001.00000002.254016500.0000000006090000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com=
Source: HSBc20210216B1.exe, 00000001.00000002.254016500.0000000006090000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comFn
Source: HSBc20210216B1.exe, 00000001.00000002.254016500.0000000006090000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: HSBc20210216B1.exe, 00000001.00000002.254016500.0000000006090000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comceto
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: HSBc20210216B1.exe, 00000001.00000003.231266137.00000000060BE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: HSBc20210216B1.exe, 00000001.00000003.231266137.00000000060BE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnM4
Source: HSBc20210216B1.exe, 00000001.00000003.231266137.00000000060BE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cne4
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: HSBc20210216B1.exe, 00000001.00000003.233470064.0000000006093000.00000004.00000001.sdmp, HSBc20210216B1.exe, 00000001.00000003.234328883.000000000609C000.00000004.00000001.sdmp, HSBc20210216B1.exe, 00000001.00000003.234019758.000000000609B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: HSBc20210216B1.exe, 00000001.00000003.233470064.0000000006093000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: HSBc20210216B1.exe, 00000001.00000003.234118051.000000000609B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/;
Source: HSBc20210216B1.exe, 00000001.00000003.233470064.0000000006093000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/D
Source: HSBc20210216B1.exe, 00000001.00000003.234243906.000000000609B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/E
Source: HSBc20210216B1.exe, 00000001.00000003.233470064.0000000006093000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/adnl
Source: HSBc20210216B1.exe, 00000001.00000003.234243906.000000000609B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: HSBc20210216B1.exe, 00000001.00000003.234243906.000000000609B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/3
Source: HSBc20210216B1.exe, 00000001.00000003.233790965.0000000006096000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/N
Source: HSBc20210216B1.exe, 00000001.00000003.234328883.000000000609C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/x
Source: HSBc20210216B1.exe, 00000001.00000003.234328883.000000000609C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/n
Source: HSBc20210216B1.exe, 00000001.00000003.234328883.000000000609C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/t-u
Source: HSBc20210216B1.exe, 00000001.00000003.233790965.0000000006096000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/x
Source: HSBc20210216B1.exe, 00000001.00000003.235320871.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: HSBc20210216B1.exe, 00000001.00000002.255035686.00000000072A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: HSBc20210216B1.exe, 00000001.00000003.231752467.00000000060C0000.00000004.00000001.sdmp, HSBc20210216B1.exe, 00000001.00000003.231718416.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: HSBc20210216B1.exe, 00000001.00000003.231752467.00000000060C0000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cno.
Source: RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%$
Source: RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegSvcs.exe, 00000005.00000002.496366512.0000000002A40000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: HSBc20210216B1.exe, 00000001.00000002.251226749.0000000004069000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.490503848.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegSvcs.exe, 00000005.00000002.494922031.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: us2.smtp.mailhostbox.com

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File written: C:\Windows\System32\drivers\etc\hosts

                      System Summary:

                      barindex
                      Source: HSBc20210216B1.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_0153E5D81_2_0153E5D8
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_0153E5CA1_2_0153E5CA
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_0153BC341_2_0153BC34
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_0507266F1_2_0507266F
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_050740C81_2_050740C8
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_050729C81_2_050729C8
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_050727791_2_05072779
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_050700061_2_05070006
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_050722581_2_05072258
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_05076C401_2_05076C40
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_050729C01_2_050729C0
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_05072BAC1_2_05072BAC
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_05072BF81_2_05072BF8
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_056664C01_2_056664C0
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exeCode function: 1_2_056664B01_2_056664B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_005D38D85_2_005D38D8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_005DE68E5_2_005DE68E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_005D97685_2_005D9768
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_005D00405_2_005D0040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_005DAA985_2_005DAA98
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_005DAB485_2_005DAB48
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00C094F05_2_00C094F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00C066D05_2_00C066D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00C04A505_2_00C04A50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00C01ED05_2_00C01ED0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00C07E405_2_00C07E40
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00C040785_2_00C04078
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00C0D2F05_2_00C0D2F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00C039E85_2_00C039E8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00C08E005_2_00C08E00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00C02FB05_2_00C02FB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_026B47A05_2_026B47A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_026B46FF5_2_026B46FF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_026BD6705_2_026BD670
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_059656905_2_05965690
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_005D39915_2_005D3991
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_005D0B185_2_005D0B18
                      Source: HSBc20210216B1.exe, 00000001.00000002.249036318.0000000000E02000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameHostProtectionAttribu.exeh$ vs HSBc20210216B1.exe
                      Source: HSBc20210216B1.exe, 00000001.00000002.251226749.0000000004069000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameuEYPcZODvIXvprdFHyURaffEdgGZJ.exe4 vs HSBc20210216B1.exe
                      Source: HSBc20210216B1.exe, 00000001.00000002.256091516.00000000091C0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameCF_Secretaria.dll< vs HSBc20210216B1.exe
                      Source: HSBc20210216B1.exeBinary or memory string: OriginalFilenameHostProtectionAttribu.exeh$ vs HSBc20210216B1.exe
                      Source: HSBc20210216B1.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: HSBc20210216B1.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: HSBc20210216B1.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                      Source: HSBc20210216B1.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: HSBc20210216B1.exeVirustotal: Detection: 20%
                      Source: HSBc20210216B1.exeReversingLabs: Detection: 16%
                      Source: HSBc20210216B1.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Users\user\Desktop\HSBc20210216B1.exe 'C:\Users\user\Desktop\HSBc20210216B1.exe'
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe 'C:\Users\user\AppData\Roaming\NXLun\NXLun.exe'
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HSBc20210216B1.exe.log
                      Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@7/6@1/1
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4088:120:WilError_01
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exe | Mutant created: \Sessions\1\BaseNamedObjects\oKxHbXByQgAPcziaddzXctj
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_01
                      Source: HSBc20210216B1.exe, u0003u2001.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 1.0.HSBc20210216B1.exe.d60000.0.unpack, u0003u2001.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 1.2.HSBc20210216B1.exe.d60000.0.unpack, u0003u2001.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: HSBc20210216B1.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: HSBc20210216B1.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000005.00000003.449772837.0000000005993000.00000004.00000001.sdmp, NXLun.exe, 00000012.00000002.314896853.0000000000A92000.00000002.00020000.sdmp, NXLun.exe, 00000017.00000000.328698652.0000000000C52000.00000002.00020000.sdmp, NXLun.exe.5.dr
                      Source: Binary string: RegSvcs.pdb, source: NXLun.exe, NXLun.exe.5.dr

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: HSBc20210216B1.exe, u0003u2001.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.HSBc20210216B1.exe.d60000.0.unpack, u0003u2001.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.2.HSBc20210216B1.exe.d60000.0.unpack, u0003u2001.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_005DD828 push eax; retf 005Ah | 5_2_005DD829
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_005D7191 push 8BD08B05h; iretd | 5_2_005D719F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_005DFB78 pushfd ; retf | 5_2_005DFB86
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_026B451C push ss; retf | 5_2_026B4526
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_026B5EC8 push ds; retf | 5_2_026B5ED6
                      Source: initial sample | Static PE information: section name: .text entropy: 7.79300898434
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File created: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NXLun

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara match | File source: 00000001.00000002.249871977.0000000003061000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: HSBc20210216B1.exe PID: 6404, type: MEMORYSTR
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: HSBc20210216B1.exe, 00000001.00000002.249871977.0000000003061000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: HSBc20210216B1.exe, 00000001.00000002.249871977.0000000003061000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exe TID: 6408 | Thread sleep time: -36606s >= -30000s
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exe TID: 6456 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 6084 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe TID: 2440 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\NXLun\NXLun.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 9375
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 474
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\HSBc20210216B1.exe | Process information queried: ProcessInformation