Loading ...

Play interactive tourEdit tour

Windows Analysis Report Maj PO.exe

Overview

General Information

Sample Name:Maj PO.exe
Analysis ID:1652
MD5:ebc68c72c1d9ddb811c502683d4a72ff
SHA1:2ba515688b053a2e6153b5f21baa379b8b120b5e
SHA256:0e11a70592490252dab6e6d9ea4d35832ac26d994882807377e79ea00788713b
Infos:

Most interesting Screenshot:

Detection

AgentTesla GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Yara detected AgentTesla
Sigma detected: RegAsm connects to smtp port
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64native
  • Maj PO.exe (PID: 2592 cmdline: 'C:\Users\user\Desktop\Maj PO.exe' MD5: EBC68C72C1D9DDB811C502683D4A72FF)
    • RegAsm.exe (PID: 5852 cmdline: 'C:\Users\user\Desktop\Maj PO.exe' MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • conhost.exe (PID: 5876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "sales@binaryinfotech.comabc123#@!mail.binaryinfotech.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000001A.00000002.5677751044.000000001D5F1000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    0000001A.00000002.5677751044.000000001D5F1000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000005.00000002.1300755705.00000000022F0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
        Process Memory Space: RegAsm.exe PID: 5852JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Process Memory Space: RegAsm.exe PID: 5852JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security

            Sigma Overview

            Networking:

            barindex
            Sigma detected: RegAsm connects to smtp portShow sources
            Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 132.148.164.170, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Initiated: true, ProcessId: 5852, Protocol: tcp, SourceIp: 192.168.11.20, SourceIsIpv6: false, SourcePort: 49770

            Jbx Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: conhost.exe.5876.27.memstrminMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "sales@binaryinfotech.comabc123#@!mail.binaryinfotech.com"}
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1C35F540 CryptUnprotectData,26_2_1C35F540
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1C35FC31 CryptUnprotectData,26_2_1C35FC31
            Source: Maj PO.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: unknownHTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49763 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.184.193:443 -> 192.168.11.20:49765 version: TLS 1.2
            Source: Binary string: RegAsm.pdb source: RegAsm.exe, 0000001A.00000003.2167715535.000000001F8F3000.00000004.00000001.sdmp, tKZVPq.exe.26.dr
            Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000001A.00000003.2167715535.000000001F8F3000.00000004.00000001.sdmp, tKZVPq.exe.26.dr
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 4x nop then mov ebx, ebx5_2_004022BD
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 4x nop then mov ebx, ebx5_2_0040365D
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 4x nop then mov ebx, ebx5_2_00403223
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 4x nop then mov ebx, ebx5_2_00403431
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 4x nop then mov ebx, ebx5_2_004034C6
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 4x nop then mov ebx, ebx5_2_004036E7
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 4x nop then mov ebx, ebx5_2_00403553
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 4x nop then mov ebx, ebx5_2_00403772
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 4x nop then mov ebx, ebx5_2_00403337
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 4x nop then mov ebx, ebx5_2_004035DB
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 4x nop then mov ebx, ebx5_2_004037F8
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 4x nop then mov ebx, ebx5_2_004031A4
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 4x nop then mov ebx, ebx5_2_004033AF

            Networking:

            barindex
            Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
            Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.11.20:49770 -> 132.148.164.170:587
            Source: Joe Sandbox ViewASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1BAbh3ojjt7dVXOtB4uKC4koi7OeNO6xe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/g8frrqkhvedecg6836ocig58c2eq4g9p/1634175750000/16524389560697724177/*/1BAbh3ojjt7dVXOtB4uKC4koi7OeNO6xe?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-14-28-docs.googleusercontent.comConnection: Keep-Alive
            Source: global trafficTCP traffic: 192.168.11.20:49770 -> 132.148.164.170:587
            Source: global trafficTCP traffic: 192.168.11.20:49770 -> 132.148.164.170:587
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49765
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49763
            Source: unknownNetwork traffic detected: HTTP traffic on port 49765 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49763 -> 443
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: RegAsm.exe, 0000001A.00000002.5679518910.000000001D6AB000.00000004.00000001.sdmpString found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C
            Source: RegAsm.exe, 0000001A.00000002.5677751044.000000001D5F1000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
            Source: RegAsm.exe, 0000001A.00000002.5677751044.000000001D5F1000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
            Source: RegAsm.exe, 0000001A.00000002.5680250480.000000001D70C000.00000004.00000001.sdmpString found in binary or memory: http://binaryinfotech.com
            Source: RegAsm.exe, 0000001A.00000002.5659646764.000000000075F000.00000004.00000020.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: RegAsm.exe, 0000001A.00000002.5659646764.000000000075F000.00000004.00000020.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: RegAsm.exe, 0000001A.00000002.5680250480.000000001D70C000.00000004.00000001.sdmpString found in binary or memory: http://mail.binaryinfotech.com
            Source: RegAsm.exe, 0000001A.00000002.5677751044.000000001D5F1000.00000004.00000001.sdmpString found in binary or memory: http://nQcaIX.com
            Source: RegAsm.exe, 0000001A.00000003.1272477420.0000000000770000.00000004.00000001.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
            Source: RegAsm.exe, 0000001A.00000002.5659115297.000000000073D000.00000004.00000020.sdmpString found in binary or memory: https://doc-14-28-docs.googleusercontent.com/
            Source: RegAsm.exe, 0000001A.00000002.5659115297.000000000073D000.00000004.00000020.sdmpString found in binary or memory: https://doc-14-28-docs.googleusercontent.com/&P
            Source: RegAsm.exe, 0000001A.00000003.1272477420.0000000000770000.00000004.00000001.sdmpString found in binary or memory: https://doc-14-28-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/g8frrqkh
            Source: RegAsm.exe, 0000001A.00000002.5658353535.00000000006F8000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/
            Source: RegAsm.exe, 0000001A.00000002.5658353535.00000000006F8000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/a
            Source: RegAsm.exe, 0000001A.00000002.5662150144.00000000008F0000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1BAbh3ojjt7dVXOtB4uKC4koi7OeNO6xe
            Source: RegAsm.exe, 0000001A.00000003.1272477420.0000000000770000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1BAbh3ojjt7dVXOtB4uKC4koi7OeNO6xe5yMxKVGgCdAu9OVZU
            Source: RegAsm.exe, 0000001A.00000002.5677751044.000000001D5F1000.00000004.00000001.sdmp, RegAsm.exe, 0000001A.00000002.5678510969.000000001D642000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/
            Source: RegAsm.exe, 0000001A.00000002.5677751044.000000001D5F1000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com//
            Source: RegAsm.exe, 0000001A.00000002.5677751044.000000001D5F1000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/https://login.live.com/
            Source: RegAsm.exe, 0000001A.00000002.5677751044.000000001D5F1000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/v104
            Source: RegAsm.exe, 0000001A.00000002.5679518910.000000001D6AB000.00000004.00000001.sdmp, RegAsm.exe, 0000001A.00000003.2219825828.000000001C231000.00000004.00000001.sdmpString found in binary or memory: https://rupH9qpwRIFc83v.org
            Source: RegAsm.exe, 0000001A.00000002.5679518910.000000001D6AB000.00000004.00000001.sdmpString found in binary or memory: https://rupH9qpwRIFc83v.orgt-
            Source: RegAsm.exe, 0000001A.00000002.5678510969.000000001D642000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
            Source: RegAsm.exe, 0000001A.00000002.5677751044.000000001D5F1000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
            Source: unknownDNS traffic detected: queries for: drive.google.com
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1BAbh3ojjt7dVXOtB4uKC4koi7OeNO6xe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/g8frrqkhvedecg6836ocig58c2eq4g9p/1634175750000/16524389560697724177/*/1BAbh3ojjt7dVXOtB4uKC4koi7OeNO6xe?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-14-28-docs.googleusercontent.comConnection: Keep-Alive
            Source: unknownHTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49763 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.184.193:443 -> 192.168.11.20:49765 version: TLS 1.2

            Spam, unwanted Advertisements and Ransom Demands:

            barindex
            Modifies the hosts fileShow sources
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

            System Summary:

            barindex
            Potential malicious icon foundShow sources
            Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
            Source: Maj PO.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 5_2_004018685_2_00401868
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 5_2_004022BD5_2_004022BD
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 5_2_004032235_2_00403223
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 5_2_004034315_2_00403431
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 5_2_004035535_2_00403553
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 5_2_004033375_2_00403337
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 5_2_004035DB5_2_004035DB
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 5_2_004031A45_2_004031A4
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 5_2_004033AF5_2_004033AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_0011113026_2_00111130
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_00113A5026_2_00113A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_0011C27026_2_0011C270
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_0011432026_2_00114320
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_0011CFD026_2_0011CFD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_0011370826_2_00113708
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1C35644026_2_1C356440
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1C350CB026_2_1C350CB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1C355D5826_2_1C355D58
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1C35C24826_2_1C35C248
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1C3512D026_2_1C3512D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1C35771826_2_1C357718
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1C35BCA026_2_1C35BCA0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1C36DC0026_2_1C36DC00
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1C364EB026_2_1C364EB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1C36581826_2_1C365818
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1C36B27226_2_1C36B272
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1C368C7026_2_1C368C70
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1C361D2826_2_1C361D28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1C3657B826_2_1C3657B8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1D435E0826_2_1D435E08
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1D4353E026_2_1D4353E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1D434ACC26_2_1D434ACC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1D435D2026_2_1D435D20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1D436AD126_2_1D436AD1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1D436AF126_2_1D436AF1
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: String function: 0040177E appears 94 times
            Source: Maj PO.exe, 00000005.00000002.1299202525.000000000041D000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameREJFN.exe vs Maj PO.exe
            Source: Maj PO.exe, 00000005.00000002.1301184152.0000000002A90000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameREJFN.exeFE2X vs Maj PO.exe
            Source: Maj PO.exeBinary or memory string: OriginalFilenameREJFN.exe vs Maj PO.exe
            Source: Maj PO.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: C:\Users\user\Desktop\Maj PO.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: edgegdi.dllJump to behavior
            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
            Source: Maj PO.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Maj PO.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Users\user\Desktop\Maj PO.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\Maj PO.exe 'C:\Users\user\Desktop\Maj PO.exe'
            Source: C:\Users\user\Desktop\Maj PO.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Maj PO.exe'
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Maj PO.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Maj PO.exe' Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Roaming\tKZVPqJump to behavior
            Source: classification engineClassification label: mal100.rans.spre.troj.adwa.spyw.evad.winEXE@4/3@3/3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5876:120:WilError_03
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5876:304:WilStaging_02
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
            Source: Binary string: RegAsm.pdb source: RegAsm.exe, 0000001A.00000003.2167715535.000000001F8F3000.00000004.00000001.sdmp, tKZVPq.exe.26.dr
            Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 0000001A.00000003.2167715535.000000001F8F3000.00000004.00000001.sdmp, tKZVPq.exe.26.dr

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: 00000005.00000002.1300755705.00000000022F0000.00000040.00000001.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 5_2_00402158 pushad ; retf 5_2_00402159
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 5_2_0040450B pushad ; ret 5_2_00404512
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 5_2_00405DC0 push esi; retf 5_2_00405DD3
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 5_2_022F1A02 push ebx; ret 5_2_022F1A03
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 5_2_022F2A11 push ebx; iretd 5_2_022F2A32
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 5_2_022F370A push ds; retf 5_2_022F370B
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 5_2_022F0DAB push FFFFFFA3h; retf 5_2_022F0DAD
            Source: C:\Users\user\Desktop\Maj PO.exeCode function: 5_2_022F2B96 pushad ; retf 5_2_022F2B9C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 26_2_1D4350E8 push ds; ret 26_2_1D435187
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exeJump to dropped file
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tKZVPqJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tKZVPqJump to behavior

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe:Zone.Identifier read attributes | deleteJump to behavior
            Source: C:\Users\user\Desktop\Maj PO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Maj PO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Maj PO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Maj PO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Maj PO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Maj PO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Maj PO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Maj PO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Maj PO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Maj PO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOX