Windows Analysis Report PEDIDO.exe

Overview

General Information

Sample Name: PEDIDO.exe
Analysis ID: 1650
MD5: 83046fa32e563289dbd98efe27f884f4
SHA1: fdacb1537161c011f5803471b6971225010d4e71
SHA256: 6b3d06b20b3ae5a3dd8d3a2eb9eb1f1a86d9ba5eb59f5ef75cfa1b2f28dcfd6c
Infos:

Most interesting Screenshot:

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sigma detected: RegAsm connects to smtp port
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Drops certificate files (DER)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: RegAsm.exe.2404.5.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "margaridasantos@tccinfaes.comTccBps1427logmail.tccinfaes.comsarahmorg434@gmail.com"}
Multi AV Scanner detection for submitted file
Source: PEDIDO.exe Virustotal: Detection: 23% Perma Link
Antivirus / Scanner detection for submitted sample
Source: PEDIDO.exe Avira: detected
Antivirus detection for URL or domain
Source: http://mail.tccinfaes.com Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: mail.tccinfaes.com Virustotal: Detection: 11% Perma Link
Source: http://mail.tccinfaes.com Virustotal: Detection: 11% Perma Link
Antivirus or Machine Learning detection for unpacked file
Source: 2.0.PEDIDO.exe.400000.0.unpack Avira: Label: TR/AD.Nekark.lwket

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00FD2338 CryptUnprotectData, 5_2_00FD2338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00FD2A70 CryptUnprotectData, 5_2_00FD2A70

Compliance:

barindex
Uses 32bit PE files
Source: PEDIDO.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49791 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.18.97:443 -> 192.168.11.20:49792 version: TLS 1.2

Networking:

barindex
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLARANET-ASClaraNETLTDGB CLARANET-ASClaraNETLTDGB
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.93.227.195 188.93.227.195
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1_aiH9wqXGFfSAi2OVlXiWPSY325xMIrC HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/d4i6055jl54qaa9s37lc8j7fnoiuafqn/1634146200000/00014782062933200622/*/1_aiH9wqXGFfSAi2OVlXiWPSY325xMIrC?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0c-88-docs.googleusercontent.comConnection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49799 -> 188.93.227.195:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.11.20:49799 -> 188.93.227.195:587
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: RegAsm.exe, 00000005.00000002.47246057313.000000001DC11000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000005.00000002.47246057313.000000001DC11000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000005.00000002.47246057313.000000001DC11000.00000004.00000001.sdmp String found in binary or memory: http://GkEcfT.com
Source: RegAsm.exe, 00000005.00000002.47253108213.000000001FDDA000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: RegAsm.exe, 00000005.00000003.42564859038.0000000000F19000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 00000005.00000003.42564859038.0000000000F19000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000005.00000002.47252517493.000000001FD10000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en#z
Source: RegAsm.exe, 00000005.00000002.47252517493.000000001FD10000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000005.00000002.47247239985.000000001DD0C000.00000004.00000001.sdmp String found in binary or memory: http://mail.tccinfaes.com
Source: RegAsm.exe, 00000005.00000002.47253108213.000000001FDDA000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0)
Source: RegAsm.exe, 00000005.00000002.47253108213.000000001FDDA000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: RegAsm.exe, 00000005.00000002.47247239985.000000001DD0C000.00000004.00000001.sdmp String found in binary or memory: http://tccinfaes.com
Source: RegAsm.exe, 00000005.00000002.47253108213.000000001FDDA000.00000004.00000001.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: RegAsm.exe, 00000005.00000002.47235666189.0000000000F1B000.00000004.00000020.sdmp, 2D85F72862B55C4EADD9E66E06947F3D.5.dr String found in binary or memory: http://x1.i.lencr.org/
Source: RegAsm.exe, 00000005.00000002.47253108213.000000001FDDA000.00000004.00000001.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: RegAsm.exe, 00000005.00000002.47252949580.000000001FDBB000.00000004.00000001.sdmp String found in binary or memory: http://x1.i.lencr.org/H
Source: RegAsm.exe, 00000005.00000002.47247072813.000000001DCF0000.00000004.00000001.sdmp String found in binary or memory: https://ZjJPdvMOyw165opG2hLg.org
Source: RegAsm.exe, 00000005.00000002.47247072813.000000001DCF0000.00000004.00000001.sdmp String found in binary or memory: https://ZjJPdvMOyw165opG2hLg.orgD
Source: RegAsm.exe, 00000005.00000002.47247072813.000000001DCF0000.00000004.00000001.sdmp String found in binary or memory: https://ZjJPdvMOyw165opG2hLg.orgt-
Source: RegAsm.exe, 00000005.00000003.42564859038.0000000000F19000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000005.00000002.47235182001.0000000000ECD000.00000004.00000020.sdmp String found in binary or memory: https://doc-0c-88-docs.googleusercontent.com/
Source: RegAsm.exe, 00000005.00000002.47235182001.0000000000ECD000.00000004.00000020.sdmp String found in binary or memory: https://doc-0c-88-docs.googleusercontent.com/$
Source: RegAsm.exe, 00000005.00000003.42564732729.0000000000F0B000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.47235473464.0000000000EFB000.00000004.00000020.sdmp String found in binary or memory: https://doc-0c-88-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/d4i6055j
Source: RegAsm.exe, 00000005.00000002.47234868425.0000000000E88000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/d
Source: RegAsm.exe, 00000005.00000002.47234868425.0000000000E88000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/l
Source: RegAsm.exe, 00000005.00000002.47234868425.0000000000E88000.00000004.00000020.sdmp, RegAsm.exe, 00000005.00000002.47233899544.00000000007F0000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1_aiH9wqXGFfSAi2OVlXiWPSY325xMIrC
Source: RegAsm.exe, 00000005.00000002.47234868425.0000000000E88000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1_aiH9wqXGFfSAi2OVlXiWPSY325xMIrCY
Source: RegAsm.exe, 00000005.00000003.42564732729.0000000000F0B000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1_aiH9wqXGFfSAi2OVlXiWPSY325xMIrCpgS8lwJVzhRuGhVes
Source: RegAsm.exe, 00000005.00000002.47246765132.000000001DCAB000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/
Source: RegAsm.exe, 00000005.00000002.47246602234.000000001DC8D000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com//
Source: RegAsm.exe, 00000005.00000002.47246602234.000000001DC8D000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: RegAsm.exe, 00000005.00000002.47246602234.000000001DC8D000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/v104
Source: RegAsm.exe, 00000005.00000002.47246765132.000000001DCAB000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: RegAsm.exe, 00000005.00000002.47246057313.000000001DC11000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1_aiH9wqXGFfSAi2OVlXiWPSY325xMIrC HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/d4i6055jl54qaa9s37lc8j7fnoiuafqn/1634146200000/00014782062933200622/*/1_aiH9wqXGFfSAi2OVlXiWPSY325xMIrC?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0c-88-docs.googleusercontent.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49791 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.18.97:443 -> 192.168.11.20:49792 version: TLS 1.2

E-Banking Fraud:

barindex
Drops certificate files (DER)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D Jump to dropped file

System Summary:

barindex
Uses 32bit PE files
Source: PEDIDO.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 2_2_00401441 2_2_00401441
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 2_2_0040167D 2_2_0040167D
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 2_2_00401630 2_2_00401630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00A4C080 5_2_00A4C080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00A4BA48 5_2_00A4BA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00A43A50 5_2_00A43A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00A44320 5_2_00A44320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00A41130 5_2_00A41130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00A43708 5_2_00A43708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00AA6D90 5_2_00AA6D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00AA07E0 5_2_00AA07E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00E778D0 5_2_00E778D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00E77A3F 5_2_00E77A3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00E7DBA0 5_2_00E7DBA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00E76728 5_2_00E76728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00E744F8 5_2_00E744F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00E7D7A8 5_2_00E7D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00E73330 5_2_00E73330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00FD70F7 5_2_00FD70F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00FDAC28 5_2_00FDAC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00FDF150 5_2_00FDF150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00FD0040 5_2_00FD0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00FD0006 5_2_00FD0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00FD6148 5_2_00FD6148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_1DA05E08 5_2_1DA05E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_1DA04ACC 5_2_1DA04ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_1DA05DC1 5_2_1DA05DC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_1DA06AF1 5_2_1DA06AF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_1FE62BE0 5_2_1FE62BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_1FE67438 5_2_1FE67438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_1FE60040 5_2_1FE60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_1FE66810 5_2_1FE66810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_1FE6A7D0 5_2_1FE6A7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_1FE6741D 5_2_1FE6741D
Sample file is different than original file name gathered from version info
Source: PEDIDO.exe, 00000002.00000002.42591006110.0000000000416000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSkovslotte5.exe vs PEDIDO.exe
Source: PEDIDO.exe Binary or memory string: OriginalFilenameSkovslotte5.exe vs PEDIDO.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\PEDIDO.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edgegdi.dll Jump to behavior
Source: PEDIDO.exe Virustotal: Detection: 23%
Source: PEDIDO.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PEDIDO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PEDIDO.exe 'C:\Users\user\Desktop\PEDIDO.exe'
Source: C:\Users\user\Desktop\PEDIDO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PEDIDO.exe'
Source: C:\Users\user\Desktop\PEDIDO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PEDIDO.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PEDIDO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PEDIDO.exe' Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PEDIDO.exe' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO.exe File created: C:\Users\user\AppData\Local\Temp\~DFF4A430973BE8926E.TMP Jump to behavior
Source: classification engine Classification label: mal100.spre.troj.spyw.evad.winEXE@6/3@5/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2884:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2884:120:WilError_03
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000002.00000002.42592354775.0000000002C30000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 2_2_00406171 push ds; ret 2_2_00406172
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 2_2_02C336C4 push ebx; retf 2_2_02C336C7
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 2_2_02C3448B pushad ; iretd 2_2_02C3448E
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 2_2_02C32AA2 push 5EE706AFh; ret 2_2_02C32AA7
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 2_2_02C31CAE push cs; iretd 2_2_02C31D47
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 2_2_02C30401 pushfd ; iretd 2_2_02C30402
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 2_2_02C34C37 push cs; retf 2_2_02C34C63
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 2_2_02C341F0 push ebp; ret 2_2_02C341F1
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 2_2_02C32BA4 push 6DF2974Ah; ret 2_2_02C32BAA
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 2_2_02C3430F push ebp; ret 2_2_02C3431D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_1FE654C0 push esp; retf 5_2_1FE65501
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_1FE65313 pushfd ; retf 00E6h 5_2_1FE65359

Hooking and other Techniques for Hiding and Protection:

barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect Any.run
Source: C:\Users\user\Desktop\PEDIDO.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PEDIDO.exe, 00000002.00000002.42591955596.00000000022D0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Source: PEDIDO.exe, 00000002.00000002.42591955596.00000000022D0000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.47233899544.00000000007F0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: PEDIDO.exe, 00000002.00000002.42591373555.0000000000614000.00000004.00000020.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXERY
Source: RegAsm.exe, 00000005.00000002.47233899544.00000000007F0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32USERPROFILE=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1_AIH9WQXGFFSAI2OVLXIWPSY325XMIRC
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5956 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9952 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO.exe System information queried: ModuleInformation Jump to behavior
Source: PEDIDO.exe, 00000002.00000002.42593504742.0000000004C39000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.47237699647.0000000002919000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: PEDIDO.exe, 00000002.00000002.42593504742.0000000004C39000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.47237699647.0000000002919000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: RegAsm.exe, 00000005.00000002.47237699647.0000000002919000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: PEDIDO.exe, 00000002.00000002.42593504742.0000000004C39000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.47237699647.0000000002919000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: RegAsm.exe, 00000005.00000002.47234868425.0000000000E88000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWP
Source: PEDIDO.exe, 00000002.00000002.42593504742.0000000004C39000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.47237699647.0000000002919000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: PEDIDO.exe, 00000002.00000002.42593504742.0000000004C39000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.47237699647.0000000002919000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: RegAsm.exe, 00000005.00000002.47237699647.0000000002919000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: RegAsm.exe, 00000005.00000002.47235473464.0000000000EFB000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: PEDIDO.exe, 00000002.00000002.42591373555.0000000000614000.00000004.00000020.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exerY
Source: RegAsm.exe, 00000005.00000002.47233899544.00000000007F0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32USERPROFILE=https://drive.google.com/uc?export=download&id=1_aiH9wqXGFfSAi2OVlXiWPSY325xMIrC
Source: PEDIDO.exe, 00000002.00000002.42591955596.00000000022D0000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.47233899544.00000000007F0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: PEDIDO.exe, 00000002.00000002.42593504742.0000000004C39000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.47237699647.0000000002919000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: PEDIDO.exe, 00000002.00000002.42593504742.0000000004C39000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.47237699647.0000000002919000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: PEDIDO.exe, 00000002.00000002.42593504742.0000000004C39000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.47237699647.0000000002919000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: RegAsm.exe, 00000005.00000002.47235473464.0000000000EFB000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWIJc6
Source: RegAsm.exe, 00000005.00000002.47237699647.0000000002919000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat
Source: PEDIDO.exe, 00000002.00000002.42591955596.00000000022D0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dll

Anti Debugging:

barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\PEDIDO.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\PEDIDO.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 5_2_00A46950 LdrInitializeThunk, 5_2_00A46950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\PEDIDO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B00000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PEDIDO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PEDIDO.exe' Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PEDIDO.exe' Jump to behavior
Source: RegAsm.exe, 00000005.00000002.47237238978.00000000014C0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 00000005.00000002.47237238978.00000000014C0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000005.00000002.47237238978.00000000014C0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 00000005.00000002.47237238978.00000000014C0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.47246057313.000000001DC11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2404, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000005.00000002.47246057313.000000001DC11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2404, type: MEMORYSTR

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.47246057313.000000001DC11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 2404, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1650 Sample: PEDIDO.exe Startdate: 13/10/2021 Architecture: WINDOWS Score: 100 19 tccinfaes.com 2->19 21 mail.tccinfaes.com 2->21 23 6 other IPs or domains 2->23 31 Multi AV Scanner detection for domain / URL 2->31 33 Found malware configuration 2->33 35 Antivirus detection for URL or domain 2->35 37 6 other signatures 2->37 8 PEDIDO.exe 1 2->8         started        signatures3 process4 signatures5 39 Writes to foreign memory regions 8->39 41 Tries to detect Any.run 8->41 43 Hides threads from debuggers 8->43 11 RegAsm.exe 11 8->11         started        15 RegAsm.exe 8->15         started        process6 dnsIp7 25 tccinfaes.com 188.93.227.195, 49799, 587 CLARANET-ASClaraNETLTDGB Portugal 11->25 27 drive.google.com 172.217.168.46, 443, 49791 GOOGLEUS United States 11->27 29 googlehosted.l.googleusercontent.com 172.217.18.97, 443, 49792 GOOGLEUS United States 11->29 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 55 3 other signatures 11->55 17 conhost.exe 11->17         started        51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->51 53 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->53 signatures8 process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.217.168.46
 drive.google.com United States
15169 GOOGLEUS false
188.93.227.195
 tccinfaes.com Portugal
8426 CLARANET-ASClaraNETLTDGB true
172.217.18.97
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false

Contacted Domains

Name IP Active
tccinfaes.com 188.93.227.195 true
drive.google.com 172.217.168.46 true
googlehosted.l.googleusercontent.com 172.217.18.97 true
edge-web.dual-gslb.spotify.com 35.186.224.25 true
spclient.wg.spotify.com unknown unknown
mail.tccinfaes.com unknown unknown
x1.i.lencr.org unknown unknown
doc-0c-88-docs.googleusercontent.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://doc-0c-88-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/d4i6055jl54qaa9s37lc8j7fnoiuafqn/1634146200000/00014782062933200622/*/1_aiH9wqXGFfSAi2OVlXiWPSY325xMIrC?e=download false
    		high