Windows Analysis Report Justificante de Pago 25112021.pdf _.exe

Overview

General Information

Sample Name: Justificante de Pago 25112021.pdf _.exe
Analysis ID: 528616
MD5: 494cd8be1913f9def79b10031587aa8a
SHA1: ff74b67fa7c03d4fb388f49289ff14639656b3d3
SHA256: 75934da02313e0d772b4703bfaa3331311fc5a2b981f8ff0e455795bc3448ddb
Detection

AgentTesla GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected GuLoader
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Creates processes with suspicious names
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Uses SMTP (mail sending)
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000009.00000000.78170639033.0000000000B40000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?c"}
Source: conhost.exe.5588.10.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "dherdiana@rpxholding.comdha10apasmtp.rpxholding.comjo.esg2000@gmail.com"}
Multi AV Scanner detection for submitted file
Source: Justificante de Pago 25112021.pdf _.exe Virustotal: Detection: 35%
Source: Justificante de Pago 25112021.pdf _.exe ReversingLabs: Detection: 17%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00F6C4B8 CryptUnprotectData, 9_2_00F6C4B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00F6C4B0 CryptUnprotectData, 9_2_00F6C4B0

Compliance:

Uses 32bit PE files
Source: Justificante de Pago 25112021.pdf _.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\SKIBSBES.pdb source: Justificante de Pago 25112021.pdf _.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.11.20:49828 -> 202.158.48.236:587
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://onedrive.live.com/download?c
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ASN-CBNPTCyberindoAditamaID ASN-CBNPTCyberindoAditamaID
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49828 -> 202.158.48.236:587
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.11.20:49828 -> 202.158.48.236:587
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: CasPol.exe, 00000009.00000002.82848425704.000000001DC71000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000009.00000002.82848425704.000000001DC71000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: CasPol.exe, 00000009.00000003.78500301270.0000000000DF4000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000002.82837666825.0000000000DDE000.00000004.00000020.sdmp, CasPol.exe, 00000009.00000003.78499975366.0000000000DF1000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000003.78491920063.0000000000DF1000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 00000009.00000003.78500301270.0000000000DF4000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000002.82837666825.0000000000DDE000.00000004.00000020.sdmp, CasPol.exe, 00000009.00000003.78499975366.0000000000DF1000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000003.78491920063.0000000000DF1000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000009.00000002.82850173263.000000001DD91000.00000004.00000001.sdmp String found in binary or memory: http://mails.rpxholding.com
Source: CasPol.exe, 00000009.00000002.82848425704.000000001DC71000.00000004.00000001.sdmp String found in binary or memory: http://rOTpQz.com
Source: Justificante de Pago 25112021.pdf _.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Justificante de Pago 25112021.pdf _.exe String found in binary or memory: http://s.symcd.com06
Source: CasPol.exe, 00000009.00000002.82850173263.000000001DD91000.00000004.00000001.sdmp String found in binary or memory: http://smtp.rpxholding.com
Source: Justificante de Pago 25112021.pdf _.exe String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Justificante de Pago 25112021.pdf _.exe String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Justificante de Pago 25112021.pdf _.exe String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: CasPol.exe, 00000009.00000002.82850050864.000000001DD87000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000003.79425673584.000000001CA61000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000002.82850257454.000000001DD9F000.00000004.00000001.sdmp String found in binary or memory: http://x9bGZRuBZN1f4.com
Source: CasPol.exe, 00000009.00000002.82848837492.000000001DCC1000.00000004.00000001.sdmp String found in binary or memory: http://x9bGZRuBZN1f4.comT
Source: CasPol.exe, 00000009.00000002.82848837492.000000001DCC1000.00000004.00000001.sdmp String found in binary or memory: http://x9bGZRuBZN1f4.comt-~l
Source: CasPol.exe, 00000009.00000002.82848425704.000000001DC71000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%4
Source: CasPol.exe, 00000009.00000002.82848425704.000000001DC71000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Justificante de Pago 25112021.pdf _.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: Justificante de Pago 25112021.pdf _.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: Justificante de Pago 25112021.pdf _.exe String found in binary or memory: https://d.symcb.com/rpa0.
Source: CasPol.exe, 00000009.00000003.78499975366.0000000000DF1000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000003.78500507187.0000000000E25000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000003.78491920063.0000000000DF1000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000003.78492247430.0000000000E25000.00000004.00000001.sdmp String found in binary or memory: https://eruweq.bl.files.1drv.com/
Source: CasPol.exe, 00000009.00000002.82837666825.0000000000DDE000.00000004.00000020.sdmp, CasPol.exe, 00000009.00000003.78500507187.0000000000E25000.00000004.00000001.sdmp String found in binary or memory: https://eruweq.bl.files.1drv.com/=
Source: CasPol.exe, 00000009.00000003.78492247430.0000000000E25000.00000004.00000001.sdmp String found in binary or memory: https://eruweq.bl.files.1drv.com/y
Source: CasPol.exe, 00000009.00000002.82837666825.0000000000DDE000.00000004.00000020.sdmp, CasPol.exe, 00000009.00000003.78499975366.0000000000DF1000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000003.78500507187.0000000000E25000.00000004.00000001.sdmp String found in binary or memory: https://eruweq.bl.files.1drv.com/y4mTi8F-5UT5v8gCCgHyyTjEWDMrhmEHc1_AIKHcGNjnR2bGYZ0rh8uS1SgrfpYq_k9
Source: CasPol.exe, 00000009.00000003.78492247430.0000000000E25000.00000004.00000001.sdmp String found in binary or memory: https://eruweq.bl.files.1drv.com/y4mWNDnZaG2b1DpDDUBUp81suowzh6ionkEHYNmviteBVtV4mchwDB8E2o0H7JDLVEW
Source: CasPol.exe, 00000009.00000002.82849325177.000000001DD1B000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/
Source: CasPol.exe, 00000009.00000002.82848837492.000000001DCC1000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com//
Source: CasPol.exe, 00000009.00000002.82848837492.000000001DCC1000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: CasPol.exe, 00000009.00000002.82848837492.000000001DCC1000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/v104
Source: CasPol.exe, 00000009.00000002.82837183509.0000000000D7B000.00000004.00000020.sdmp String found in binary or memory: https://onedrive.live.com/
Source: CasPol.exe, 00000009.00000002.82838279847.0000000000E60000.00000004.00000001.sdmp String found in binary or memory: https://onedrive.live.com/download?cid=5A15FDA1AE98540B&resid=5A15FDA1AE98540B%21121&authkey=APJj8W7
Source: CasPol.exe, 00000009.00000002.82849325177.000000001DD1B000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: CasPol.exe, 00000009.00000002.82848425704.000000001DC71000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown DNS traffic detected: queries for: onedrive.live.com

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Justificante de Pago 25112021.pdf _.exe
Uses 32bit PE files
Source: Justificante de Pago 25112021.pdf _.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 1_2_00401578 1_2_00401578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00A83A50 9_2_00A83A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00A84320 9_2_00A84320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00A8C578 9_2_00A8C578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00A8BF4B 9_2_00A8BF4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00A81120 9_2_00A81120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00A83708 9_2_00A83708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00AE0218 9_2_00AE0218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00AE14A0 9_2_00AE14A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00AE6DD0 9_2_00AE6DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00B547FC 9_2_00B547FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00B5480C 9_2_00B5480C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00B5486F 9_2_00B5486F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00B54840 9_2_00B54840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00F60040 9_2_00F60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00F64048 9_2_00F64048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00F68C28 9_2_00F68C28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00F62E60 9_2_00F62E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00F643AA 9_2_00F643AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00F6F128 9_2_00F6F128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00F69640 9_2_00F69640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00F6DE48 9_2_00F6DE48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00F7CC6D 9_2_00F7CC6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00F761F0 9_2_00F761F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00F7A24A 9_2_00F7A24A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00F73330 9_2_00F73330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_1DBF5E48 9_2_1DBF5E48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_1DBF470C 9_2_1DBF470C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_1DBF5DCF 9_2_1DBF5DCF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_1DBF5E47 9_2_1DBF5E47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_1DBF6B3F 9_2_1DBF6B3F
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: String function: 00A86280 appears 52 times
Sample file is different than original file name gathered from version info
Source: Justificante de Pago 25112021.pdf _.exe, 00000001.00000000.77794519373.0000000000421000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSKIBSBES.exe vs Justificante de Pago 25112021.pdf _.exe
Source: Justificante de Pago 25112021.pdf _.exe, 00000001.00000002.78524041816.0000000002AA0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSKIBSBES.exeFE2X vs Justificante de Pago 25112021.pdf _.exe
Source: Justificante de Pago 25112021.pdf _.exe Binary or memory string: OriginalFilenameSKIBSBES.exe vs Justificante de Pago 25112021.pdf _.exe
PE file contains strange resources
Source: Justificante de Pago 25112021.pdf _.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: edgegdi.dll
PE / OLE file has an invalid certificate
Source: Justificante de Pago 25112021.pdf _.exe Static PE information: invalid certificate
Source: Justificante de Pago 25112021.pdf _.exe Virustotal: Detection: 35%
Source: Justificante de Pago 25112021.pdf _.exe ReversingLabs: Detection: 17%
Source: Justificante de Pago 25112021.pdf _.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe "C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe"
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@4/1@3/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5588:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5588:304:WilStaging_02
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Justificante de Pago 25112021.pdf _.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\SKIBSBES.pdb source: Justificante de Pago 25112021.pdf _.exe

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000009.00000000.78170639033.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 1_2_00405661 push ebp; ret 1_2_00405664
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 1_2_004066B9 push ds; ret 1_2_004066D6
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 1_2_00403193 push ds; retf 1_2_0040324B
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 1_2_02A649C0 push 00000011h; iretd 1_2_02A649C8
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 1_2_02A64E80 push edx; retf 1_2_02A64E85
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 1_2_02A60C2E push cs; ret 1_2_02A60C2F
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 1_2_02A635A0 push eax; retf 1_2_02A635A1
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Code function: 1_2_02A64D4B push 00000069h; ret 1_2_02A64D4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00F6D7F7 push ebx; iretd 9_2_00F6D7FA

Persistence and Installation Behavior:

Creates processes with suspicious names
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe File created: \justificante de pago 25112021.pdf _.exe
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Justificante de Pago 25112021.pdf _.exe, 00000001.00000002.78525638719.0000000004F60000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSVBVM60.DLL
Source: Justificante de Pago 25112021.pdf _.exe, 00000001.00000002.78525638719.0000000004F60000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000002.82838279847.0000000000E60000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: CasPol.exe, 00000009.00000002.82838279847.0000000000E60000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=HTTPS://ONEDRIVE.LIVE.COM/DOWNLOAD?CID=5A15FDA1AE98540B&RESID=5A15FDA1AE98540B%21121&AUTHKEY=APJJ8W7T3QKLSCW
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2168 Thread sleep time: -2767011611056431s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 9958
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe System information queried: ModuleInformation
Source: Justificante de Pago 25112021.pdf _.exe, 00000001.00000002.78525710953.0000000005029000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000002.82839934942.00000000029A9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: Justificante de Pago 25112021.pdf _.exe, 00000001.00000002.78525710953.0000000005029000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000002.82839934942.00000000029A9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 00000009.00000002.82839934942.00000000029A9000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: Justificante de Pago 25112021.pdf _.exe, 00000001.00000002.78525710953.0000000005029000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000002.82839934942.00000000029A9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Justificante de Pago 25112021.pdf _.exe, 00000001.00000002.78525638719.0000000004F60000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\msvbvm60.dll
Source: Justificante de Pago 25112021.pdf _.exe, 00000001.00000002.78525710953.0000000005029000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000002.82839934942.00000000029A9000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: Justificante de Pago 25112021.pdf _.exe, 00000001.00000002.78525710953.0000000005029000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000002.82839934942.00000000029A9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 00000009.00000002.82839934942.00000000029A9000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000009.00000002.82837183509.0000000000D7B000.00000004.00000020.sdmp, CasPol.exe, 00000009.00000002.82837666825.0000000000DDE000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: CasPol.exe, 00000009.00000002.82837666825.0000000000DDE000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWodc-web-geo.onedrive.akadns.netLMEM@
Source: Justificante de Pago 25112021.pdf _.exe, 00000001.00000002.78525638719.0000000004F60000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000002.82838279847.0000000000E60000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: CasPol.exe, 00000009.00000002.82838279847.0000000000E60000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=https://onedrive.live.com/download?cid=5A15FDA1AE98540B&resid=5A15FDA1AE98540B%21121&authkey=APJj8W7T3QklSCw
Source: Justificante de Pago 25112021.pdf _.exe, 00000001.00000002.78525710953.0000000005029000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000002.82839934942.00000000029A9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: Justificante de Pago 25112021.pdf _.exe, 00000001.00000002.78525710953.0000000005029000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000002.82839934942.00000000029A9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: Justificante de Pago 25112021.pdf _.exe, 00000001.00000002.78525710953.0000000005029000.00000004.00000001.sdmp, CasPol.exe, 00000009.00000002.82839934942.00000000029A9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 00000009.00000002.82839934942.00000000029A9000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread information set: HideFromDebugger
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 9_2_00A86E96 LdrInitializeThunk, 9_2_00A86E96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: B40000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\Justificante de Pago 25112021.pdf _.exe"
Source: CasPol.exe, 00000009.00000002.82839512733.0000000001550000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: CasPol.exe, 00000009.00000002.82839512733.0000000001550000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: CasPol.exe, 00000009.00000002.82839512733.0000000001550000.00000002.00020000.sdmp Binary or memory string: Progman
Source: CasPol.exe, 00000009.00000002.82839512733.0000000001550000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 00000009.00000002.82848425704.000000001DC71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 8168, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Yara detected Credential Stealer
Source: Yara match File source: 00000009.00000002.82848425704.000000001DC71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 8168, type: MEMORYSTR

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 00000009.00000002.82848425704.000000001DC71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 8168, type: MEMORYSTR