
Windows Analysis Report: justificante de la transfer.exe

Overview

General Information

Sample Name:justificante de la transfer.exe
Analysis ID:526293
MD5:e565201ac69a8a2fa7ee22e0809f7b3c
SHA1:fed196aeff9aca57c198b0b99a9c9bc6e01d31b9
SHA256:b6fad861abae70b69d7f0ef4e51756b181149e165ada09aee47e3d2bd5f9a0c6

Detection

AgentTesla GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected GuLoader
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Drops certificate files (DER)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64native
  • justificante de la transfer.exe (PID: 6424 cmdline: "C:\Users\user\Desktop\justificante de la transfer.exe" MD5: E565201AC69A8A2FA7EE22E0809F7B3C)
    • CasPol.exe (PID: 6828 cmdline: "C:\Users\user\Desktop\justificante de la transfer.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • CasPol.exe (PID: 8676 cmdline: "C:\Users\user\Desktop\justificante de la transfer.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
      • conhost.exe (PID: 8684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "arealaboral@neopyme.comnJm038qQkPmail.neopyme.combernardkincaid01@gmail.com"}

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?exporto"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000B.00000000.761549812.0000000000B00000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
0000000B.00000002.5698566884.000000001DC81000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000B.00000002.5698566884.000000001DC81000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.933649087.0000000002300000.00000040.00000001.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Process Memory Space: CasPol.exe PID: 8676 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000B.00000000.761549812.0000000000B00000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?exporto"}
Source: conhost.exe.8684.12.memstrmin | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "arealaboral@neopyme.comnJm038qQkPmail.neopyme.combernardkincaid01@gmail.com"}
Multi AV Scanner detection for submitted file
Source: justificante de la transfer.exe | Virustotal: Detection: 22%
Source: justificante de la transfer.exe | ReversingLabs: Detection: 11%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00E2C130 CryptUnprotectData
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00E2C7D3 CryptUnprotectData
Source: justificante de la transfer.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 142.250.185.110:443 -> 192.168.11.20:49755 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.225:443 -> 192.168.11.20:49757 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: https://drive.google.com/uc?exporto
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 54.36.109.179
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1Bi-sjR4KzfRIPfdPNOxJn3S8BMnh3zRT HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/cbqvfrinn52haphefl414ecufsqsvklm/1637586450000/17803878832083720643/*/1Bi-sjR4KzfRIPfdPNOxJn3S8BMnh3zRT?e=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-0s-b8-docs.googleusercontent.com | Connection: Keep-Alive
Source: global traffic | TCP traffic: 192.168.11.20:49775 -> 54.36.109.179:587
Source: global traffic | TCP traffic: 192.168.11.20:49775 -> 54.36.109.179:587
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown | Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown | Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: CasPol.exe, 0000000B.00000002.5699329145.000000001DCD2000.00000004.00000001.sdmp | String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C
Source: CasPol.exe, 0000000B.00000002.5698566884.000000001DC81000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 0000000B.00000002.5698566884.000000001DC81000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: CasPol.exe, 0000000B.00000002.5699329145.000000001DCD2000.00000004.00000001.sdmp | String found in binary or memory: http://YacheoH9CTlBmpI1K.com
Source: CasPol.exe, 0000000B.00000002.5699329145.000000001DCD2000.00000004.00000001.sdmp | String found in binary or memory: http://YacheoH9CTlBmpI1K.comt
Source: CasPol.exe, 0000000B.00000002.5699329145.000000001DCD2000.00000004.00000001.sdmp | String found in binary or memory: http://YacheoH9CTlBmpI1K.comt-
Source: CasPol.exe, 0000000B.00000002.5677098382.0000000000F47000.00000004.00000020.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: CasPol.exe, 0000000B.00000003.1883579517.000000002102C000.00000004.00000010.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 0000000B.00000003.910118192.0000000000F6A000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 0000000B.00000002.5706986424.000000001FDE0000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: CasPol.exe, 0000000B.00000002.5677591920.0000000000F56000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.11.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: CasPol.exe, 0000000B.00000002.5706986424.000000001FDE0000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabkS
Source: CasPol.exe, 0000000B.00000003.1879317771.000000001FEBA000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?8028f1dafc
Source: CasPol.exe, 0000000B.00000002.5701328362.000000001DDA3000.00000004.00000001.sdmp | String found in binary or memory: http://mail.neopyme.com
Source: CasPol.exe, 0000000B.00000002.5701328362.000000001DDA3000.00000004.00000001.sdmp | String found in binary or memory: http://neopyme.com
Source: CasPol.exe, 0000000B.00000002.5698566884.000000001DC81000.00000004.00000001.sdmp | String found in binary or memory: http://pYhQFb.com
Source: CasPol.exe, 0000000B.00000002.5677098382.0000000000F47000.00000004.00000020.sdmp | String found in binary or memory: http://r3.i.lencr.org/09
Source: CasPol.exe, 0000000B.00000002.5677098382.0000000000F47000.00000004.00000020.sdmp | String found in binary or memory: http://r3.o.lencr.org0
Source: CasPol.exe, 0000000B.00000002.5677098382.0000000000F47000.00000004.00000020.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: CasPol.exe, 0000000B.00000002.5676049058.0000000000F27000.00000004.00000020.sdmp, CasPol.exe, 0000000B.00000002.5710155753.000000002102A000.00000004.00000010.sdmp, 2D85F72862B55C4EADD9E66E06947F3D0.11.dr | String found in binary or memory: http://x1.i.lencr.org/
Source: CasPol.exe, 0000000B.00000002.5677098382.0000000000F47000.00000004.00000020.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: CasPol.exe, 0000000B.00000002.5710155753.000000002102A000.00000004.00000010.sdmp | String found in binary or memory: http://x1.i.lencr.org/U
Source: CasPol.exe, 0000000B.00000003.1879317771.000000001FEBA000.00000004.00000001.sdmp | String found in binary or memory: http://x1.i.lencr.org:80/
Source: CasPol.exe, 0000000B.00000003.904616144.0000000000F6A000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: CasPol.exe, 0000000B.00000003.904616144.0000000000F6A000.00000004.00000001.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
Source: CasPol.exe, 0000000B.00000003.910118192.0000000000F6A000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0s-b8-docs.googleusercontent.com/
Source: CasPol.exe, 0000000B.00000002.5677591920.0000000000F56000.00000004.00000020.sdmp | String found in binary or memory: https://doc-0s-b8-docs.googleusercontent.com/&/
Source: CasPol.exe, 0000000B.00000003.910118192.0000000000F6A000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0s-b8-docs.googleusercontent.com/-
Source: CasPol.exe, 0000000B.00000003.904616144.0000000000F6A000.00000004.00000001.sdmp | String found in binary or memory: https://doc-0s-b8-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/cbqvfrin
Source: CasPol.exe, 0000000B.00000002.5674515926.0000000000EE6000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/
Source: CasPol.exe, 0000000B.00000002.5674515926.0000000000EE6000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/T
Source: CasPol.exe, 0000000B.00000002.5671286322.0000000000D00000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1Bi-sjR4KzfRIPfdPNOxJn3S8BMnh3zRT
Source: CasPol.exe, 0000000B.00000002.5676049058.0000000000F27000.00000004.00000020.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1Bi-sjR4KzfRIPfdPNOxJn3S8BMnh3zRT6
Source: CasPol.exe, 0000000B.00000003.904616144.0000000000F6A000.00000004.00000001.sdmp | String found in binary or memory: https://drive.google.com/uc?export=download&id=1Bi-sjR4KzfRIPfdPNOxJn3S8BMnh3zRT6MSuMCoPhcuIw3UZ4
Source: CasPol.exe, 0000000B.00000002.5699329145.000000001DCD2000.00000004.00000001.sdmp, CasPol.exe, 0000000B.00000002.5700265223.000000001DD36000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/
Source: CasPol.exe, 0000000B.00000002.5699329145.000000001DCD2000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com//
Source: CasPol.exe, 0000000B.00000002.5699329145.000000001DCD2000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/https://login.live.com/
Source: CasPol.exe, 0000000B.00000002.5699329145.000000001DCD2000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/v104
Source: CasPol.exe, 0000000B.00000002.5700265223.000000001DD36000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: CasPol.exe, 0000000B.00000002.5698566884.000000001DC81000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | DNS traffic detected: queries for: drive.google.com
Source: global traffic | HTTP traffic detected: GET /uc?export=download&id=1Bi-sjR4KzfRIPfdPNOxJn3S8BMnh3zRT HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: drive.google.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/cbqvfrinn52haphefl414ecufsqsvklm/1637586450000/17803878832083720643/*/1Bi-sjR4KzfRIPfdPNOxJn3S8BMnh3zRT?e=download HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Cache-Control: no-cache | Host: doc-0s-b8-docs.googleusercontent.com | Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 142.250.185.110:443 -> 192.168.11.20:49755 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.185.225:443 -> 192.168.11.20:49757 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D
Source: justificante de la transfer.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00A004A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00A05960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00A0A200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00A04A28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00A4C080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00A44320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00A4BA48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00A43A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00A41120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00A43708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00AC6D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00AC07E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00DFB458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00DFEAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00DF8612
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00DF5B91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00DF44F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00DF3330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00E25072
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00E235A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00E2EAB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00E29348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00E24738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00E21C28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_00E29D44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_1DA35E08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_1DA346C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_1DA35DC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 11_2_1DA36AF1
Source: C:\Users\user\Desktop\justificante de la transfer.exe | Code function: 0_2_023064CB NtWriteVirtualMemory
Source: justificante de la transfer.exe, 00000000.00000000.611730099.0000000000445000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCappuccino.exe vs justificante de la transfer.exe
Source: justificante de la transfer.exe | Binary or memory string: OriginalFilenameCappuccino.exe vs justificante de la transfer.exe
Source: justificante de la transfer.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: justificante de la transfer.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\justificante de la transfer.exe | Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: edgegdi.dll
Source: justificante de la transfer.exe | Virustotal: Detection: 22%
Source: justificante de la transfer.exe | ReversingLabs: Detection: 11%
Source: justificante de la transfer.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\justificante de la transfer.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\justificante de la transfer.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown | Process created: C:\Users\user\Desktop\justificante de la transfer.exe "C:\Users\user\Desktop\justificante de la transfer.exe"
Source: C:\Users\user\Desktop\justificante de la transfer.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\justificante de la transfer.exe"
Source: C:\Users\user\Desktop\justificante de la transfer.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\justificante de la transfer.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\justificante de la transfer.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\justificante de la transfer.exe"
Source: C:\Users\user\Desktop\justificante de la transfer.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\justificante de la transfer.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D
Source: C:\Users\user\Desktop\justificante de la transfer.exe | File created: C:\Users\user\AppData\Local\Temp\~DFC7BBBE7FAB9778BB.TMP
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/6@4/4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8684:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8684:120:WilError_03
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: 0000000B.00000000.761549812.0000000000B00000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.933649087.0000000002300000.00000040.00000001.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\justificante de la transfer.exeCode function: 0_2_00406467 push esi; iretd 0_2_00406468
            Source: C:\Users\user\Desktop\justificante de la transfer.exeCode function: 0_2_00404E11 push eax; ret 0_2_00404E19
            Source: C:\Users\user\Desktop\justificante de la transfer.exeCode function: 0_2_00403CFC push cs; retf 0_2_00403D26
            Source: C:\Users\user\Desktop\justificante de la transfer.exeCode function: 0_2_004045D2 push cs; iretd 0_2_004045ED
            Source: C:\Users\user\Desktop\justificante de la transfer.exeCode function: 0_2_00404B97 push eax; retf 0_2_00404B99
            Source: C:\Users\user\Desktop\justificante de la transfer.exeCode function: 0_2_00404DB7 push cs; retf 0_2_00404DBB
            Source: C:\Users\user\Desktop\justificante de la transfer.exeCode function: 0_2_02303A4B push ebx; iretd 0_2_02303AB5
            Source: C:\Users\user\Desktop\justificante de la transfer.exeCode function: 0_2_02307AF8 pushfd ; iretd 0_2_02307AF9
            Source: C:\Users\user\Desktop\justificante de la transfer.exeCode function: 0_2_02301BC0 push 53B0A25Ah; iretd 0_2_02301BC5
            Source: C:\Users\user\Desktop\justificante de la transfer.exeCode function: 0_2_0230803B push ds; ret 0_2_0230805D
            Source: C:\Users\user\Desktop\justificante de la transfer.exeCode function: 0_2_02300825 push ebx; retf 0_2_0230086D
            Source: C:\Users\user\Desktop\justificante de la transfer.exeCode function: 0_2_023000E8 push eax; iretd 0_2_023000EB
            Source: C:\Users\user\Desktop\justificante de la transfer.exeCode function: 0_2_023009F3 push ebx; iretd 0_2_023009F5
            Source: C:\Users\user\Desktop\justificante de la transfer.exe, Code function: 0_2_023009FB push ebx; iretd 0_2_023009F5
            Source: C:\Users\user\Desktop\justificante de la transfer.exe, Code function: 0_2_023051E6 push ebx; iretd 0_2_023051F1
            Source: C:\Users\user\Desktop\justificante de la transfer.exe, Code function: 0_2_02302E2F push edx; iretd 0_2_02302E31
            Source: C:\Users\user\Desktop\justificante de la transfer.exe, Code function: 0_2_02303670 push ebx; retf 0_2_02303671
            Source: C:\Users\user\Desktop\justificante de la transfer.exe, Code function: 0_2_023076E1 push 26441584h; iretd 0_2_02307713
            Source: C:\Users\user\Desktop\justificante de la transfer.exe, Code function: 0_2_023036DC push ebx; retf 0_2_023036DD
            Source: C:\Users\user\Desktop\justificante de la transfer.exe, Code function: 0_2_0230472B push es; retf 0_2_0230472D
            Source: C:\Users\user\Desktop\justificante de la transfer.exe, Code function: 0_2_0230078D push eax; iretd 0_2_02300793
            Source: C:\Users\user\Desktop\justificante de la transfer.exe, Code function: 0_2_02304454 pushfd ; retf 0_2_02304455
            Source: C:\Users\user\Desktop\justificante de la transfer.exe, Code function: 0_2_0230644C push ds; ret 0_2_02306469
            Source: C:\Users\user\Desktop\justificante de la transfer.exe, Code function: 0_2_02300D1B push ebx; iretd 0_2_02300D81
            Source: C:\Users\user\Desktop\justificante de la transfer.exe, Code function: 0_2_0230054C push ebx; iretd 0_2_0230054D
            Source: C:\Users\user\Desktop\justificante de la transfer.exe, Code function: 0_2_0230158E push ecx; iretd 0_2_02301593
            Source: C:\Users\user\Desktop\justificante de la transfer.exe, Code function: 0_2_023015C2 push ds; iretd 0_2_023015C9
            Source: C:\Users\user\Desktop\justificante de la transfer.exe, Code function: 0_2_02303DC2 push 26441584h; iretd 0_2_02303DCF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 11_2_00A047D8 pushfd ; ret 11_2_00A04939
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Code function: 11_2_00A05908 push eax; retf 11_2_00A05909
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\Desktop\justificante de la transfer.exe, Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe, Process information set: NOOPENFILEERRORBOX