Loading ...

Play interactive tourEdit tour

Windows Analysis Report Delivery note_241493.exe

Overview

General Information

Sample Name:Delivery note_241493.exe
Analysis ID:1645
MD5:ae27dccff11f1c8e17661269d90148b9
SHA1:365138784e65ad92bc8f05653374348aa4e00788
SHA256:dd739f42791b213769f242efac95b60d0026825d5c882d576533cd8ae57514b6
Infos:

Most interesting Screenshot:

Detection

AgentTesla GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected AgentTesla
Sigma detected: RegAsm connects to smtp port
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64native
  • Delivery note_241493.exe (PID: 8872 cmdline: 'C:\Users\user\Desktop\Delivery note_241493.exe' MD5: AE27DCCFF11F1C8E17661269D90148B9)
    • RegAsm.exe (PID: 1832 cmdline: 'C:\Users\user\Desktop\Delivery note_241493.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 1660 cmdline: 'C:\Users\user\Desktop\Delivery note_241493.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 2672 cmdline: 'C:\Users\user\Desktop\Delivery note_241493.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • conhost.exe (PID: 2804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "tamasfulop@csavarcsapagyexpress.huRozsnyoi42mail.csavarcsapagyexpress.husirevirus39@gmail.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.1001013711.00000000023A0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
    0000001A.00000002.5633190528.000000001DCC1000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      0000001A.00000002.5633190528.000000001DCC1000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Process Memory Space: RegAsm.exe PID: 2672JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Process Memory Space: RegAsm.exe PID: 2672JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security

            Sigma Overview

            Networking:

            barindex
            Sigma detected: RegAsm connects to smtp portShow sources
            Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 185.111.89.226, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 2672, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49769

            Jbx Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: conhost.exe.2804.27.memstrminMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "tamasfulop@csavarcsapagyexpress.huRozsnyoi42mail.csavarcsapagyexpress.husirevirus39@gmail.com"}
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_01150280 CryptUnprotectData,26_2_01150280
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_01150A09 CryptUnprotectData,26_2_01150A09
            Source: Delivery note_241493.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: unknownHTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49755 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.184.193:443 -> 192.168.11.20:49756 version: TLS 1.2

            Networking:

            barindex
            Source: Joe Sandbox ViewASN Name: WEBSUPPORT-SRO-SK-ASSK WEBSUPPORT-SRO-SK-ASSK
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1kFeDtVEJdXDeWXxKM0sf_SDs1MXR4dov HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/p9irpuq1lj8ip6m4433g3knsldrdvp8d/1634135550000/12448148553778765603/*/1kFeDtVEJdXDeWXxKM0sf_SDs1MXR4dov?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-04-9g-docs.googleusercontent.comConnection: Keep-Alive
            Source: global trafficTCP traffic: 192.168.11.20:49769 -> 185.111.89.226:587
            Source: global trafficTCP traffic: 192.168.11.20:49769 -> 185.111.89.226:587
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49755
            Source: unknownNetwork traffic detected: HTTP traffic on port 49755 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49756 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49756
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: RegAsm.exe, 0000001A.00000002.5633190528.000000001DCC1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
            Source: RegAsm.exe, 0000001A.00000002.5633190528.000000001DCC1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
            Source: RegAsm.exe, 0000001A.00000002.5633190528.000000001DCC1000.00000004.00000001.sdmpString found in binary or memory: http://Hpdghc.com
            Source: RegAsm.exe, 0000001A.00000002.5642251197.000000001FF46000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
            Source: RegAsm.exe, 0000001A.00000003.972127154.0000000001086000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: RegAsm.exe, 0000001A.00000002.5642251197.000000001FF46000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
            Source: RegAsm.exe, 0000001A.00000002.5635743077.000000001DDE5000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
            Source: RegAsm.exe, 0000001A.00000003.972127154.0000000001086000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: RegAsm.exe, 0000001A.00000002.5635743077.000000001DDE5000.00000004.00000001.sdmpString found in binary or memory: http://csavarcsapagyexpress.hu
            Source: RegAsm.exe, 0000001A.00000002.5635743077.000000001DDE5000.00000004.00000001.sdmpString found in binary or memory: http://mail.csavarcsapagyexpress.hu
            Source: RegAsm.exe, 0000001A.00000002.5642251197.000000001FF46000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
            Source: RegAsm.exe, 0000001A.00000003.972127154.0000000001086000.00000004.00000001.sdmp, RegAsm.exe, 0000001A.00000003.977239633.0000000001084000.00000004.00000001.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
            Source: RegAsm.exe, 0000001A.00000003.972558924.0000000001081000.00000004.00000001.sdmpString found in binary or memory: https://doc-04-9g-docs.googleusercontent.com/
            Source: RegAsm.exe, 0000001A.00000003.977239633.0000000001084000.00000004.00000001.sdmpString found in binary or memory: https://doc-04-9g-docs.googleusercontent.com/5
            Source: RegAsm.exe, 0000001A.00000003.972558924.0000000001081000.00000004.00000001.sdmp, RegAsm.exe, 0000001A.00000003.977239633.0000000001084000.00000004.00000001.sdmpString found in binary or memory: https://doc-04-9g-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/p9irpuq1
            Source: RegAsm.exe, 0000001A.00000002.5614964275.0000000001040000.00000004.00000020.sdmpString found in binary or memory: https://doc-04-9g-docs.googleusercontent.com/ij7
            Source: RegAsm.exe, 0000001A.00000002.5614964275.0000000001040000.00000004.00000020.sdmpString found in binary or memory: https://doc-04-9g-docs.googleusercontent.com/qi;
            Source: RegAsm.exe, 0000001A.00000003.972558924.0000000001081000.00000004.00000001.sdmpString found in binary or memory: https://doc-04-9g-docs.googleusercontent.com/tography
            Source: RegAsm.exe, 0000001A.00000002.5613874054.0000000000FF8000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/
            Source: RegAsm.exe, 0000001A.00000003.972558924.0000000001081000.00000004.00000001.sdmp, RegAsm.exe, 0000001A.00000002.5613195333.0000000000EA0000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1kFeDtVEJdXDeWXxKM0sf_SDs1MXR4dov
            Source: RegAsm.exe, 0000001A.00000003.972558924.0000000001081000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1kFeDtVEJdXDeWXxKM0sf_SDs1MXR4dov90yJjkpGPPugIoOr0
            Source: RegAsm.exe, 0000001A.00000002.5633190528.000000001DCC1000.00000004.00000001.sdmp, RegAsm.exe, 0000001A.00000003.1894514695.0000000000ED1000.00000004.00000001.sdmpString found in binary or memory: https://jRW95HZ6DAQuQZac.org
            Source: RegAsm.exe, 0000001A.00000002.5635743077.000000001DDE5000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
            Source: RegAsm.exe, 0000001A.00000002.5633190528.000000001DCC1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
            Source: unknownDNS traffic detected: queries for: drive.google.com
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1kFeDtVEJdXDeWXxKM0sf_SDs1MXR4dov HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/p9irpuq1lj8ip6m4433g3knsldrdvp8d/1634135550000/12448148553778765603/*/1kFeDtVEJdXDeWXxKM0sf_SDs1MXR4dov?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-04-9g-docs.googleusercontent.comConnection: Keep-Alive
            Source: unknownHTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49755 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.184.193:443 -> 192.168.11.20:49756 version: TLS 1.2
            Source: Delivery note_241493.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_004016790_2_00401679
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_0040162C0_2_0040162C
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_0040143D0_2_0040143D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_0093113026_2_00931130
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_0093BA1826_2_0093BA18
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_00933A5026_2_00933A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_0093432026_2_00934320
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_0093957026_2_00939570
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_0093C77826_2_0093C778
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_0093370826_2_00933708
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_00946AC826_2_00946AC8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_0094089026_2_00940890
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_0115916826_2_01159168
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_0115CCA826_2_0115CCA8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_01155CE826_2_01155CE8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_0115C72826_2_0115C728
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_01154E0026_2_01154E00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_0115E49826_2_0115E498
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_0115E0C026_2_0115E0C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_0115164026_2_01151640
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_011699A826_2_011699A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_011669A826_2_011669A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_0116DB2026_2_0116DB20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_0116C7D026_2_0116C7D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_01164EB026_2_01164EB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_0116333026_2_01163330
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1DAF5E0826_2_1DAF5E08
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1DAF4ACC26_2_1DAF4ACC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1DAF5E0326_2_1DAF5E03
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1DAF6AFB26_2_1DAF6AFB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_01166A6126_2_01166A61
            Source: Delivery note_241493.exe, 00000000.00000002.999532636.0000000000416000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameTains4.exe vs Delivery note_241493.exe
            Source: Delivery note_241493.exeBinary or memory string: OriginalFilenameTains4.exe vs Delivery note_241493.exe
            Source: C:\Users\user\Desktop\Delivery note_241493.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: edgegdi.dllJump to behavior
            Source: Delivery note_241493.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Delivery note_241493.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Users\user\Desktop\Delivery note_241493.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\Delivery note_241493.exe 'C:\Users\user\Desktop\Delivery note_241493.exe'
            Source: C:\Users\user\Desktop\Delivery note_241493.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Delivery note_241493.exe'
            Source: C:\Users\user\Desktop\Delivery note_241493.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Delivery note_241493.exe'
            Source: C:\Users\user\Desktop\Delivery note_241493.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Delivery note_241493.exe'
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Delivery note_241493.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Delivery note_241493.exe' Jump to behavior
            Source: C:\Users\user\Desktop\Delivery note_241493.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Delivery note_241493.exe' Jump to behavior
            Source: C:\Users\user\Desktop\Delivery note_241493.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Delivery note_241493.exe' Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Users\user\Desktop\Delivery note_241493.exeFile created: C:\Users\user\AppData\Local\Temp\~DFA880510812ECEB02.TMPJump to behavior
            Source: classification engineClassification label: mal100.spre.troj.spyw.evad.winEXE@8/1@4/3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2804:304:WilStaging_02
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2804:120:WilError_03
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: 00000000.00000002.1001013711.00000000023A0000.00000040.00000001.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_00405C5C push edx; retf 0_2_00405C6F
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_00405E5F push esp; ret 0_2_00405E60
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_00406809 pushad ; iretd 0_2_0040681A
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_00405A23 push cs; iretd 0_2_00405ADA
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_004038B9 push 4EA9091Fh; iretd 0_2_004038BE
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_00405376 pushad ; retf 0_2_004053D4
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_00405376 push esi; ret 0_2_004054C4
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_00406915 push edi; iretd 0_2_00406917
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_004053D5 push esi; ret 0_2_004054C4
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_023A1E7E push ds; iretd 0_2_023A1E7F
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_023A084B push es; ret 0_2_023A0854
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_023A1AD7 push es; ret 0_2_023A1AD8
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_023A0ED4 push cs; retf 0_2_023A0ED7
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_023A1737 push es; ret 0_2_023A1738
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_023A317F push esp; iretw 0_2_023A3180
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_023A2B99 push ebp; retf 0_2_023A2B9A
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_023A1790 push eax; iretd 0_2_023A1792
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_023A3B90 push esi; retf 0_2_023A3B9E
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_023A27D0 push es; ret 0_2_023A27D8
            Source: C:\Users\user\Desktop\Delivery note_241493.exeCode function: 0_2_023A0BD5 push es; ret 0_2_023A0BD8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_01162177 push edi; retn 0000h26_2_01162179
            Source: C:\Users\user\Desktop\Delivery note_241493.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX