Windows Analysis Report Maj PO.exe

Overview

General Information

Sample Name: Maj PO.exe
Analysis ID: 1652
MD5: ebc68c72c1d9ddb811c502683d4a72ff
SHA1: 2ba515688b053a2e6153b5f21baa379b8b120b5e
SHA256: 0e11a70592490252dab6e6d9ea4d35832ac26d994882807377e79ea00788713b
Infos:

Most interesting Screenshot:

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Yara detected AgentTesla
Sigma detected: RegAsm connects to smtp port
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: conhost.exe.5876.27.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "sales@binaryinfotech.comabc123#@!mail.binaryinfotech.com"}

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1C35F540 CryptUnprotectData, 26_2_1C35F540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1C35FC31 CryptUnprotectData, 26_2_1C35FC31

Compliance:

barindex
Uses 32bit PE files
Source: Maj PO.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.193:443 -> 192.168.11.20:49765 version: TLS 1.2
Source: Binary string: RegAsm.pdb source: RegAsm.exe, 0000001A.00000003.2167715535.000000001F8F3000.00000004.00000001.sdmp, tKZVPq.exe.26.dr
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000001A.00000003.2167715535.000000001F8F3000.00000004.00000001.sdmp, tKZVPq.exe.26.dr

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 5_2_004022BD
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 5_2_0040365D
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 5_2_00403223
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 5_2_00403431
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 5_2_004034C6
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 5_2_004036E7
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 5_2_00403553
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 5_2_00403772
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 5_2_00403337
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 5_2_004035DB
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 5_2_004037F8
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 5_2_004031A4
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 4x nop then mov ebx, ebx 5_2_004033AF

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.11.20:49770 -> 132.148.164.170:587
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1BAbh3ojjt7dVXOtB4uKC4koi7OeNO6xe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/g8frrqkhvedecg6836ocig58c2eq4g9p/1634175750000/16524389560697724177/*/1BAbh3ojjt7dVXOtB4uKC4koi7OeNO6xe?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-14-28-docs.googleusercontent.comConnection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49770 -> 132.148.164.170:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.11.20:49770 -> 132.148.164.170:587
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: RegAsm.exe, 0000001A.00000002.5679518910.000000001D6AB000.00000004.00000001.sdmp String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C
Source: RegAsm.exe, 0000001A.00000002.5677751044.000000001D5F1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 0000001A.00000002.5677751044.000000001D5F1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 0000001A.00000002.5680250480.000000001D70C000.00000004.00000001.sdmp String found in binary or memory: http://binaryinfotech.com
Source: RegAsm.exe, 0000001A.00000002.5659646764.000000000075F000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 0000001A.00000002.5659646764.000000000075F000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 0000001A.00000002.5680250480.000000001D70C000.00000004.00000001.sdmp String found in binary or memory: http://mail.binaryinfotech.com
Source: RegAsm.exe, 0000001A.00000002.5677751044.000000001D5F1000.00000004.00000001.sdmp String found in binary or memory: http://nQcaIX.com
Source: RegAsm.exe, 0000001A.00000003.1272477420.0000000000770000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 0000001A.00000002.5659115297.000000000073D000.00000004.00000020.sdmp String found in binary or memory: https://doc-14-28-docs.googleusercontent.com/
Source: RegAsm.exe, 0000001A.00000002.5659115297.000000000073D000.00000004.00000020.sdmp String found in binary or memory: https://doc-14-28-docs.googleusercontent.com/&P
Source: RegAsm.exe, 0000001A.00000003.1272477420.0000000000770000.00000004.00000001.sdmp String found in binary or memory: https://doc-14-28-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/g8frrqkh
Source: RegAsm.exe, 0000001A.00000002.5658353535.00000000006F8000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 0000001A.00000002.5658353535.00000000006F8000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/a
Source: RegAsm.exe, 0000001A.00000002.5662150144.00000000008F0000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1BAbh3ojjt7dVXOtB4uKC4koi7OeNO6xe
Source: RegAsm.exe, 0000001A.00000003.1272477420.0000000000770000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1BAbh3ojjt7dVXOtB4uKC4koi7OeNO6xe5yMxKVGgCdAu9OVZU
Source: RegAsm.exe, 0000001A.00000002.5677751044.000000001D5F1000.00000004.00000001.sdmp, RegAsm.exe, 0000001A.00000002.5678510969.000000001D642000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/
Source: RegAsm.exe, 0000001A.00000002.5677751044.000000001D5F1000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com//
Source: RegAsm.exe, 0000001A.00000002.5677751044.000000001D5F1000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: RegAsm.exe, 0000001A.00000002.5677751044.000000001D5F1000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/v104
Source: RegAsm.exe, 0000001A.00000002.5679518910.000000001D6AB000.00000004.00000001.sdmp, RegAsm.exe, 0000001A.00000003.2219825828.000000001C231000.00000004.00000001.sdmp String found in binary or memory: https://rupH9qpwRIFc83v.org
Source: RegAsm.exe, 0000001A.00000002.5679518910.000000001D6AB000.00000004.00000001.sdmp String found in binary or memory: https://rupH9qpwRIFc83v.orgt-
Source: RegAsm.exe, 0000001A.00000002.5678510969.000000001D642000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: RegAsm.exe, 0000001A.00000002.5677751044.000000001D5F1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1BAbh3ojjt7dVXOtB4uKC4koi7OeNO6xe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/g8frrqkhvedecg6836ocig58c2eq4g9p/1634175750000/16524389560697724177/*/1BAbh3ojjt7dVXOtB4uKC4koi7OeNO6xe?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-14-28-docs.googleusercontent.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.193:443 -> 192.168.11.20:49765 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands:

barindex
Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior

System Summary:

barindex
Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Uses 32bit PE files
Source: Maj PO.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 5_2_00401868 5_2_00401868
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 5_2_004022BD 5_2_004022BD
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 5_2_00403223 5_2_00403223
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 5_2_00403431 5_2_00403431
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 5_2_00403553 5_2_00403553
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 5_2_00403337 5_2_00403337
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 5_2_004035DB 5_2_004035DB
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 5_2_004031A4 5_2_004031A4
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 5_2_004033AF 5_2_004033AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_00111130 26_2_00111130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_00113A50 26_2_00113A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_0011C270 26_2_0011C270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_00114320 26_2_00114320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_0011CFD0 26_2_0011CFD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_00113708 26_2_00113708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1C356440 26_2_1C356440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1C350CB0 26_2_1C350CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1C355D58 26_2_1C355D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1C35C248 26_2_1C35C248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1C3512D0 26_2_1C3512D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1C357718 26_2_1C357718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1C35BCA0 26_2_1C35BCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1C36DC00 26_2_1C36DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1C364EB0 26_2_1C364EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1C365818 26_2_1C365818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1C36B272 26_2_1C36B272
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1C368C70 26_2_1C368C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1C361D28 26_2_1C361D28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1C3657B8 26_2_1C3657B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1D435E08 26_2_1D435E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1D4353E0 26_2_1D4353E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1D434ACC 26_2_1D434ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1D435D20 26_2_1D435D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1D436AD1 26_2_1D436AD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1D436AF1 26_2_1D436AF1
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Maj PO.exe Code function: String function: 0040177E appears 94 times
Sample file is different than original file name gathered from version info
Source: Maj PO.exe, 00000005.00000002.1299202525.000000000041D000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameREJFN.exe vs Maj PO.exe
Source: Maj PO.exe, 00000005.00000002.1301184152.0000000002A90000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameREJFN.exeFE2X vs Maj PO.exe
Source: Maj PO.exe Binary or memory string: OriginalFilenameREJFN.exe vs Maj PO.exe
PE file contains strange resources
Source: Maj PO.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Maj PO.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edgegdi.dll Jump to behavior
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
Source: Maj PO.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Maj PO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\Maj PO.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Maj PO.exe 'C:\Users\user\Desktop\Maj PO.exe'
Source: C:\Users\user\Desktop\Maj PO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Maj PO.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Maj PO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Maj PO.exe' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Roaming\tKZVPq Jump to behavior
Source: classification engine Classification label: mal100.rans.spre.troj.adwa.spyw.evad.winEXE@4/3@3/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5876:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5876:304:WilStaging_02
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Binary string: RegAsm.pdb source: RegAsm.exe, 0000001A.00000003.2167715535.000000001F8F3000.00000004.00000001.sdmp, tKZVPq.exe.26.dr
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000001A.00000003.2167715535.000000001F8F3000.00000004.00000001.sdmp, tKZVPq.exe.26.dr

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000005.00000002.1300755705.00000000022F0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 5_2_00402158 pushad ; retf 5_2_00402159
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 5_2_0040450B pushad ; ret 5_2_00404512
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 5_2_00405DC0 push esi; retf 5_2_00405DD3
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 5_2_022F1A02 push ebx; ret 5_2_022F1A03
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 5_2_022F2A11 push ebx; iretd 5_2_022F2A32
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 5_2_022F370A push ds; retf 5_2_022F370B
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 5_2_022F0DAB push FFFFFFA3h; retf 5_2_022F0DAD
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 5_2_022F2B96 pushad ; retf 5_2_022F2B9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_1D4350E8 push ds; ret 26_2_1D435187

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tKZVPq Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tKZVPq Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\Maj PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Maj PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Maj PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Maj PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Maj PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Maj PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Maj PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Maj PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Maj PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Maj PO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect Any.run
Source: C:\Users\user\Desktop\Maj PO.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\Maj PO.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Maj PO.exe, 00000005.00000002.1300863056.0000000002310000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Source: Maj PO.exe, 00000005.00000002.1300863056.0000000002310000.00000004.00000001.sdmp, RegAsm.exe, 0000001A.00000002.5662150144.00000000008F0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Maj PO.exe, 00000005.00000002.1299718313.0000000000624000.00000004.00000020.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: RegAsm.exe, 0000001A.00000002.5662150144.00000000008F0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32USERPROFILE=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1BABH3OJJT7DVXOTB4UKC4KOI7OENO6XE
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1712 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9956 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Maj PO.exe System information queried: ModuleInformation Jump to behavior
Source: Maj PO.exe, 00000005.00000002.1302442645.00000000047A9000.00000004.00000001.sdmp, RegAsm.exe, 0000001A.00000002.5665330240.0000000002179000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: RegAsm.exe, 0000001A.00000002.5658353535.00000000006F8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW@Kv%SystemRoot%\system32\mswsock.dll8
Source: Maj PO.exe, 00000005.00000002.1302442645.00000000047A9000.00000004.00000001.sdmp, RegAsm.exe, 0000001A.00000002.5665330240.0000000002179000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: RegAsm.exe, 0000001A.00000002.5665330240.0000000002179000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: Maj PO.exe, 00000005.00000002.1302442645.00000000047A9000.00000004.00000001.sdmp, RegAsm.exe, 0000001A.00000002.5665330240.0000000002179000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Maj PO.exe, 00000005.00000002.1300863056.0000000002310000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dll
Source: Maj PO.exe, 00000005.00000002.1302442645.00000000047A9000.00000004.00000001.sdmp, RegAsm.exe, 0000001A.00000002.5665330240.0000000002179000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: Maj PO.exe, 00000005.00000002.1302442645.00000000047A9000.00000004.00000001.sdmp, RegAsm.exe, 0000001A.00000002.5665330240.0000000002179000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: RegAsm.exe, 0000001A.00000002.5665330240.0000000002179000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: RegAsm.exe, 0000001A.00000002.5659646764.000000000075F000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: Maj PO.exe, 00000005.00000002.1300863056.0000000002310000.00000004.00000001.sdmp, RegAsm.exe, 0000001A.00000002.5662150144.00000000008F0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Maj PO.exe, 00000005.00000002.1302442645.00000000047A9000.00000004.00000001.sdmp, RegAsm.exe, 0000001A.00000002.5665330240.0000000002179000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: RegAsm.exe, 0000001A.00000002.5662150144.00000000008F0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32USERPROFILE=https://drive.google.com/uc?export=download&id=1BAbh3ojjt7dVXOtB4uKC4koi7OeNO6xe
Source: Maj PO.exe, 00000005.00000002.1302442645.00000000047A9000.00000004.00000001.sdmp, RegAsm.exe, 0000001A.00000002.5665330240.0000000002179000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: Maj PO.exe, 00000005.00000002.1302442645.00000000047A9000.00000004.00000001.sdmp, RegAsm.exe, 0000001A.00000002.5665330240.0000000002179000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: Maj PO.exe, 00000005.00000002.1299718313.0000000000624000.00000004.00000020.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 0000001A.00000002.5665330240.0000000002179000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging:

barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\Maj PO.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 5_2_004022BD mov ebx, dword ptr fs:[00000030h] 5_2_004022BD
Source: C:\Users\user\Desktop\Maj PO.exe Code function: 5_2_004031A4 mov ebx, dword ptr fs:[00000030h] 5_2_004031A4
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Maj PO.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 26_2_0011714C LdrInitializeThunk, 26_2_0011714C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Maj PO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 560000 Jump to behavior
Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Maj PO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Maj PO.exe' Jump to behavior
Source: RegAsm.exe, 0000001A.00000002.5663407086.0000000000D21000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000001A.00000002.5663407086.0000000000D21000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 0000001A.00000002.5663407086.0000000000D21000.00000002.00020000.sdmp Binary or memory string: MProgram Manager
Source: RegAsm.exe, 0000001A.00000002.5663407086.0000000000D21000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File written: C:\Windows\System32\drivers\etc\hosts Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 0000001A.00000002.5677751044.000000001D5F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5852, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0000001A.00000002.5677751044.000000001D5F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5852, type: MEMORYSTR

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 0000001A.00000002.5677751044.000000001D5F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5852, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1652 Sample: Maj PO.exe Startdate: 14/10/2021 Architecture: WINDOWS Score: 100 22 mail.binaryinfotech.com 2->22 24 binaryinfotech.com 2->24 26 4 other IPs or domains 2->26 34 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->34 36 Potential malicious icon found 2->36 38 Found malware configuration 2->38 40 4 other signatures 2->40 8 Maj PO.exe 2->8         started        signatures3 process4 signatures5 42 Writes to foreign memory regions 8->42 44 Tries to detect Any.run 8->44 46 Hides threads from debuggers 8->46 11 RegAsm.exe 2 11 8->11         started        process6 dnsIp7 28 binaryinfotech.com 132.148.164.170, 49770, 587 AS-26496-GO-DADDY-COM-LLCUS United States 11->28 30 googlehosted.l.googleusercontent.com 142.250.184.193, 443, 49765 GOOGLEUS United States 11->30 32 drive.google.com 172.217.168.46, 443, 49763 GOOGLEUS United States 11->32 18 C:\Users\user\AppData\Roaming\...\tKZVPq.exe, PE32 11->18 dropped 20 C:\Windows\System32\drivers\etc\hosts, ASCII 11->20 dropped 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->48 50 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->50 52 Tries to steal Mail credentials (via file access) 11->52 54 7 other signatures 11->54 16 conhost.exe 11->16         started        file8 signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.217.168.46
 drive.google.com United States
15169 GOOGLEUS false
142.250.184.193
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false
132.148.164.170
 binaryinfotech.com United States
26496 AS-26496-GO-DADDY-COM-LLCUS true

Contacted Domains

Name IP Active
drive.google.com 172.217.168.46 true
googlehosted.l.googleusercontent.com 142.250.184.193 true
binaryinfotech.com 132.148.164.170 true
doc-14-28-docs.googleusercontent.com unknown unknown
mail.binaryinfotech.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://doc-14-28-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/g8frrqkhvedecg6836ocig58c2eq4g9p/1634175750000/16524389560697724177/*/1BAbh3ojjt7dVXOtB4uKC4koi7OeNO6xe?e=download false
    		high