Loading ...

Play interactive tourEdit tour

Windows Analysis Report Euro invoice.exe

Overview

General Information

Sample Name:Euro invoice.exe
Analysis ID:528711
MD5:15f79ec8cfa1ad6c24767d4ca45aa4cd
SHA1:3b48453cc5680c048880bb0c4f0f19f34fdf1da7
SHA256:49d22404c910a5bd1b6e13d92bb411b826edfc42fd680cfaa90ffb23ecc3a195
Tags:agentteslaexe
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Euro invoice.exe (PID: 5764 cmdline: "C:\Users\user\Desktop\Euro invoice.exe" MD5: 15F79EC8CFA1AD6C24767D4CA45AA4CD)
    • RegSvcs.exe (PID: 5620 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 6692 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
    • RegSvcs.exe (PID: 6980 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • kprUEGC.exe (PID: 7164 cmdline: "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 6040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • kprUEGC.exe (PID: 3932 cmdline: "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe" MD5: 2867A3817C9245F7CF518524DFD18F28)
    • conhost.exe (PID: 5788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "support25@vrlogistic.net", "Password": "support25!@#$", "Host": "mail.vrlogistic.net"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000000.301908839.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000005.00000000.301908839.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000005.00000000.300860583.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000005.00000000.300860583.0000000000402000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          00000001.00000002.304280819.0000000003430000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
            Click to see the 15 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            5.0.RegSvcs.exe.400000.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              5.0.RegSvcs.exe.400000.1.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                5.0.RegSvcs.exe.400000.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  5.0.RegSvcs.exe.400000.2.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    1.2.Euro invoice.exe.43f4370.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 15 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper ArgumentsShow sources
                      Source: Process startedAuthor: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\Euro invoice.exe" , ParentImage: C:\Users\user\Desktop\Euro invoice.exe, ParentProcessId: 5764, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5620
                      Sigma detected: Possible Applocker BypassShow sources
                      Source: Process startedAuthor: juju4: Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\Euro invoice.exe" , ParentImage: C:\Users\user\Desktop\Euro invoice.exe, ParentProcessId: 5764, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5620

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 1.2.Euro invoice.exe.442a590.1.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "support25@vrlogistic.net", "Password": "support25!@#$", "Host": "mail.vrlogistic.net"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: Euro invoice.exeReversingLabs: Detection: 33%
                      Source: 5.0.RegSvcs.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.RegSvcs.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.RegSvcs.exe.400000.2.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.RegSvcs.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.2.RegSvcs.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 5.0.RegSvcs.exe.400000.3.unpackAvira: Label: TR/Spy.Gen8
                      Source: Euro invoice.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: Euro invoice.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000005.00000003.504305930.0000000005D48000.00000004.00000001.sdmp, kprUEGC.exe, 0000000B.00000000.366836955.0000000000A12000.00000002.00020000.sdmp, kprUEGC.exe, 0000000E.00000002.385745819.00000000008B2000.00000002.00020000.sdmp, kprUEGC.exe.5.dr
                      Source: Binary string: RegSvcs.pdb source: kprUEGC.exe, kprUEGC.exe, 0000000E.00000002.385745819.00000000008B2000.00000002.00020000.sdmp, kprUEGC.exe.5.dr

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                      Source: TrafficSnort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.3:49840 -> 148.66.138.164:587
                      Source: Joe Sandbox ViewASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
                      Source: global trafficTCP traffic: 192.168.2.3:49840 -> 148.66.138.164:587
                      Source: global trafficTCP traffic: 192.168.2.3:49840 -> 148.66.138.164:587
                      Source: RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmpString found in binary or memory: http://Fedebu.com
                      Source: RegSvcs.exe, 00000005.00000002.558309682.0000000005D30000.00000004.00000001.sdmpString found in binary or memory: http://crl.microsoft.co)X
                      Source: RegSvcs.exe, 00000005.00000002.557542494.0000000002E8A000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.557645745.0000000002EC1000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000002.557664034.0000000002ECD000.00000004.00000001.sdmpString found in binary or memory: http://k5CVS3sUuqbD95uELlH.net
                      Source: RegSvcs.exe, 00000005.00000002.557645745.0000000002EC1000.00000004.00000001.sdmpString found in binary or memory: http://mail.vrlogistic.net
                      Source: Euro invoice.exe, 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%$
                      Source: RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: Euro invoice.exe, 00000001.00000002.304736532.00000000043F4000.00000004.00000001.sdmp, RegSvcs.exe, 00000005.00000000.301908839.0000000000402000.00000040.00000001.sdmp, RegSvcs.exe, 00000005.00000000.300860583.0000000000402000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: RegSvcs.exe, 00000005.00000002.557211337.0000000002B61000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: unknownDNS traffic detected: queries for: mail.vrlogistic.net

                      Spam, unwanted Advertisements and Ransom Demands:

                      barindex
                      Modifies the hosts fileShow sources
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile written: C:\Windows\System32\drivers\etc\hostsJump to behavior

                      System Summary:

                      barindex
                      Initial sample is a PE file and has a suspicious nameShow sources
                      Source: initial sampleStatic PE information: Filename: Euro invoice.exe
                      .NET source code contains very large array initializationsShow sources
                      Source: 5.0.RegSvcs.exe.400000.4.unpack, u003cPrivateImplementationDetailsu003eu007bA62A6339u002d4F48u002d4E13u002d8591u002d760094C03D2Au007d/u00393E23D57u002d6125u002d4C47u002d9C42u002d008B92BF02C6.csLarge array initialization: .cctor: array initializer size 11964
                      Source: 5.0.RegSvcs.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007bA62A6339u002d4F48u002d4E13u002d8591u002d760094C03D2Au007d/u00393E23D57u002d6125u002d4C47u002d9C42u002d008B92BF02C6.csLarge array initialization: .cctor: array initializer size 11964
                      Source: 5.0.RegSvcs.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007bA62A6339u002d4F48u002d4E13u002d8591u002d760094C03D2Au007d/u00393E23D57u002d6125u002d4C47u002d9C42u002d008B92BF02C6.csLarge array initialization: .cctor: array initializer size 11964
                      Source: 5.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bA62A6339u002d4F48u002d4E13u002d8591u002d760094C03D2Au007d/u00393E23D57u002d6125u002d4C47u002d9C42u002d008B92BF02C6.csLarge array initialization: .cctor: array initializer size 11964
                      Source: 5.2.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bA62A6339u002d4F48u002d4E13u002d8591u002d760094C03D2Au007d/u00393E23D57u002d6125u002d4C47u002d9C42u002d008B92BF02C6.csLarge array initialization: .cctor: array initializer size 11964
                      Source: 5.0.RegSvcs.exe.400000.3.unpack, u003cPrivateImplementationDetailsu003eu007bA62A6339u002d4F48u002d4E13u002d8591u002d760094C03D2Au007d/u00393E23D57u002d6125u002d4C47u002d9C42u002d008B92BF02C6.csLarge array initialization: .cctor: array initializer size 11964
                      Source: Euro invoice.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                      Source: C:\Users\user\Desktop\Euro invoice.exeCode function: 1_2_0319A7101_2_0319A710
                      Source: C:\Users\user\Desktop\Euro invoice.exeCode function: 1_2_031904D81_2_031904D8
                      Source: C:\Users\user\Desktop\Euro invoice.exeCode function: 1_2_031908561_2_03190856
                      Source: C:\Users\user\Desktop\Euro invoice.exeCode function: 1_2_031918F01_2_031918F0
                      Source: C:\Users\user\Desktop\Euro invoice.exeCode function: 1_2_03191C021_2_03191C02
                      Source: C:\Users\user\Desktop\Euro invoice.exeCode function: 1_2_031908801_2_03190880
                      Source: C:\Users\user\Desktop\Euro invoice.exeCode function: 1_2_031919911_2_03191991
                      Source: C:\Users\user\Desktop\Euro invoice.exeCode function: 1_2_05FB0AE01_2_05FB0AE0
                      Source: C:\Users\user\Desktop\Euro invoice.exeCode function: 1_2_05FB83301_2_05FB8330
                      Source: C:\Users\user\Desktop\Euro invoice.exeCode function: 1_2_05FB83201_2_05FB8320
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_010A85C85_2_010A85C8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_010A39605_2_010A3960
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_010A8D085_2_010A8D08
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_010ACDA85_2_010ACDA8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_010A8E085_2_010A8E08
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_013047A05_2_013047A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_013047185_2_01304718
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_055365085_2_05536508
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_055371205_2_05537120
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_055368505_2_05536850
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_055390D85_2_055390D8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_055322605_2_05532260
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_055322295_2_05532229
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0553BEB8 appears 48 times
                      Source: Euro invoice.exeBinary or memory string: OriginalFilename vs Euro invoice.exe
                      Source: Euro invoice.exe, 00000001.00000002.307877674.0000000005FA0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs Euro invoice.exe
                      Source: Euro invoice.exe, 00000001.00000002.304736532.00000000043F4000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamexXvmOuTrUsJTERPkUCRhPLSavHyJIBpEM.exe4 vs Euro invoice.exe
                      Source: Euro invoice.exe, 00000001.00000002.304736532.00000000043F4000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs Euro invoice.exe
                      Source: Euro invoice.exe, 00000001.00000002.304085723.00000000032EA000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamexXvmOuTrUsJTERPkUCRhPLSavHyJIBpEM.exe4 vs Euro invoice.exe
                      Source: Euro invoice.exe, 00000001.00000002.308107167.0000000006770000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs Euro invoice.exe
                      Source: Euro invoice.exeBinary or memory string: OriginalFilenameFileSecurityStateAcce.exe. vs Euro invoice.exe
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
                      Source: Euro invoice.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: Euro invoice.exeReversingLabs: Detection: 33%
                      Source: C:\Users\user\Desktop\Euro invoice.exeFile read: C:\Users\user\Desktop\Euro invoice.exe:Zone.IdentifierJump to behavior
                      Source: Euro invoice.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\Euro invoice.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\Euro invoice.exe "C:\Users\user\Desktop\Euro invoice.exe"
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe"
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe "C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe"
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\Euro invoice.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Euro invoice.exe.logJump to behavior
                      Source: classification engineClassification label: mal100.troj.adwa.spyw.evad.winEXE@11/6@1/1
                      Source: C:\Users\user\Desktop\Euro invoice.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeMutant created: \Sessions\1\BaseNamedObjects\bSIqof
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6040:120:WilError_01
                      Source: C:\Users\user\Desktop\Euro invoice.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_01
                      Source: Euro invoice.exeString found in binary or memory: views/addcustomer.baml
                      Source: Euro invoice.exeString found in binary or memory: views/addbook.baml
                      Source: Euro invoice.exeString found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
                      Source: 5.0.RegSvcs.exe.400000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.RegSvcs.exe.400000.4.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.RegSvcs.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.RegSvcs.exe.400000.1.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.RegSvcs.exe.400000.2.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 5.0.RegSvcs.exe.400000.2.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: Euro invoice.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Euro invoice.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000005.00000003.504305930.0000000005D48000.00000004.00000001.sdmp, kprUEGC.exe, 0000000B.00000000.366836955.0000000000A12000.00000002.00020000.sdmp, kprUEGC.exe, 0000000E.00000002.385745819.00000000008B2000.00000002.00020000.sdmp, kprUEGC.exe.5.dr
                      Source: Binary string: RegSvcs.pdb source: kprUEGC.exe, kprUEGC.exe, 0000000E.00000002.385745819.00000000008B2000.00000002.00020000.sdmp, kprUEGC.exe.5.dr

                      Data Obfuscation:

                      barindex
                      .NET source code contains potential unpackerShow sources
                      Source: Euro invoice.exe, u002d/li1lll1i1IIl.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.0.Euro invoice.exe.e70000.0.unpack, u002d/li1lll1i1IIl.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 1.2.Euro invoice.exe.e70000.0.unpack, u002d/li1lll1i1IIl.cs.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: C:\Users\user\Desktop\Euro invoice.exeCode function: 1_2_05FB7003 pushad ; ret 1_2_05FB7019
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0553EC22 pushad ; ret 5_2_0553EC69
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_05537AE8 push 8BF04589h; iretd 5_2_05537B74
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 11_2_02C1049B push esp; ret 11_2_02C1049E
                      Source: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeCode function: 11_2_02C10438 push ebx; ret 11_2_02C10442
                      Source: initial sampleStatic PE information: section name: .text entropy: 7.91256606252
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exeJump to dropped file
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGCJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kprUEGCJump to behavior

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe:Zone.Identifier read attributes | deleteJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\Euro invoice.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set