Loading ...

Play interactive tourEdit tour

Windows Analysis Report FACTURAS.exe

Overview

General Information

Sample Name:FACTURAS.exe
Analysis ID:539521
MD5:2332fdde9344114749db5496eef5f5f9
SHA1:303c40dd112294dc012836be48eb38e8af056432
SHA256:0e693b9dcb4ccb3e64cb61396447dd4e3871234b4af80c2d57e4fbc9b6268a61
Infos:

Most interesting Screenshot:

Detection

AgentTesla GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64native
  • FACTURAS.exe (PID: 6316 cmdline: "C:\Users\user\Desktop\FACTURAS.exe" MD5: 2332FDDE9344114749DB5496EEF5F5F9)
    • CasPol.exe (PID: 5172 cmdline: "C:\Users\user\Desktop\FACTURAS.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • CasPol.exe (PID: 5196 cmdline: "C:\Users\user\Desktop\FACTURAS.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
      • conhost.exe (PID: 1360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "gulnaz@furteksdokuma.com.tr@Gulnaz159753mail.furteksdokuma.com.trsarahmorg434@gmail.com"}

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=downlD'"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000006.00000000.21615424247.0000000000E10000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
    00000006.00000002.22646307055.000000001DF31000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000006.00000002.22646307055.000000001DF31000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Process Memory Space: CasPol.exe PID: 5196JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Process Memory Space: CasPol.exe PID: 5196JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security

            Sigma Overview

            No Sigma rule has matched

            Jbx Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: 00000006.00000000.21615424247.0000000000E10000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlD'"}
            Source: CasPol.exe.5172.5.memstrminMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "gulnaz@furteksdokuma.com.tr@Gulnaz159753mail.furteksdokuma.com.trsarahmorg434@gmail.com"}
            Multi AV Scanner detection for submitted fileShow sources
            Source: FACTURAS.exeVirustotal: Detection: 40%Perma Link
            Source: FACTURAS.exeMetadefender: Detection: 38%Perma Link
            Source: FACTURAS.exeReversingLabs: Detection: 57%
            Source: FACTURAS.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: unknownHTTPS traffic detected: 142.250.181.238:443 -> 192.168.11.20:49803 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.181.225:443 -> 192.168.11.20:49804 version: TLS 1.2

            Networking:

            barindex
            C2 URLs / IPs found in malware configurationShow sources
            Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=downlD'
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1e3nVGX3LlhNn9Zf6RwTjDw6FKTCAih9T HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/09s7mqju06nhfef03e9jkahgn04c8qp1/1639485750000/01707528263340534167/*/1e3nVGX3LlhNn9Zf6RwTjDw6FKTCAih9T?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0g-7s-docs.googleusercontent.comConnection: Keep-Alive
            Source: unknownNetwork traffic detected: HTTP traffic on port 49804 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49803 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49804
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49803
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: CasPol.exe, 00000006.00000002.22646307055.000000001DF31000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
            Source: CasPol.exe, 00000006.00000002.22646307055.000000001DF31000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
            Source: CasPol.exe, 00000006.00000003.21845391885.0000000000FEC000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22637414137.0000000000FE2000.00000004.00000020.sdmp, CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: CasPol.exe, 00000006.00000003.21845391885.0000000000FEC000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22637414137.0000000000FE2000.00000004.00000020.sdmp, CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: CasPol.exe, 00000006.00000002.22646307055.000000001DF31000.00000004.00000001.sdmpString found in binary or memory: http://kFWRbv.com
            Source: CasPol.exe, 00000006.00000003.21840136475.0000000000FDF000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
            Source: CasPol.exe, 00000006.00000003.21840136475.0000000000FDF000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
            Source: CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmpString found in binary or memory: https://doc-0g-7s-docs.googleusercontent.com/
            Source: CasPol.exe, 00000006.00000003.21845391885.0000000000FEC000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmpString found in binary or memory: https://doc-0g-7s-docs.googleusercontent.com/1
            Source: CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmpString found in binary or memory: https://doc-0g-7s-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/09s7mqju
            Source: CasPol.exe, 00000006.00000003.21845391885.0000000000FEC000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmpString found in binary or memory: https://doc-0g-7s-docs.googleusercontent.com/e
            Source: CasPol.exe, 00000006.00000003.21845391885.0000000000FEC000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmpString found in binary or memory: https://doc-0g-7s-docs.googleusercontent.com/u
            Source: CasPol.exe, 00000006.00000002.22636737249.0000000000F58000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/
            Source: CasPol.exe, 00000006.00000002.22636737249.0000000000F58000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/st
            Source: CasPol.exe, 00000006.00000002.22637930252.0000000001150000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1e3nVGX3LlhNn9Zf6RwTjDw6FKTCAih9T
            Source: CasPol.exe, 00000006.00000002.22636994763.0000000000F95000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1e3nVGX3LlhNn9Zf6RwTjDw6FKTCAih9T.
            Source: CasPol.exe, 00000006.00000003.21840176556.0000000000FE6000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1e3nVGX3LlhNn9Zf6RwTjDw6FKTCAih9TmPHLwNfjxpm9j9STo
            Source: CasPol.exe, 00000006.00000002.22646307055.000000001DF31000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
            Source: unknownDNS traffic detected: queries for: drive.google.com
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1e3nVGX3LlhNn9Zf6RwTjDw6FKTCAih9T HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/09s7mqju06nhfef03e9jkahgn04c8qp1/1639485750000/01707528263340534167/*/1e3nVGX3LlhNn9Zf6RwTjDw6FKTCAih9T?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0g-7s-docs.googleusercontent.comConnection: Keep-Alive
            Source: unknownHTTPS traffic detected: 142.250.181.238:443 -> 192.168.11.20:49803 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.181.225:443 -> 192.168.11.20:49804 version: TLS 1.2
            Source: FACTURAS.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_00B211306_2_00B21130
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_00B243206_2_00B24320
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_00B23A506_2_00B23A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_00B237086_2_00B23708
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_1DED5E086_2_1DED5E08
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_1DED46C46_2_1DED46C4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_1DED6AF16_2_1DED6AF1
            Source: FACTURAS.exe, 00000001.00000002.21867312888.0000000000424000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSERVICEKONTRAKTS.exe vs FACTURAS.exe
            Source: FACTURAS.exe, 00000001.00000002.21868523702.0000000002AC0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSERVICEKONTRAKTS.exeFE2XMURAL@ vs FACTURAS.exe
            Source: FACTURAS.exeBinary or memory string: OriginalFilenameSERVICEKONTRAKTS.exe vs FACTURAS.exe
            Source: C:\Users\user\Desktop\FACTURAS.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: edgegdi.dllJump to behavior
            Source: FACTURAS.exeVirustotal: Detection: 40%
            Source: FACTURAS.exeMetadefender: Detection: 38%
            Source: FACTURAS.exeReversingLabs: Detection: 57%
            Source: FACTURAS.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\FACTURAS.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Users\user\Desktop\FACTURAS.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\FACTURAS.exe "C:\Users\user\Desktop\FACTURAS.exe"
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\FACTURAS.exe"
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\FACTURAS.exe"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\FACTURAS.exe" Jump to behavior
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\FACTURAS.exe" Jump to behavior
            Source: C:\Users\user\Desktop\FACTURAS.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\FACTURAS.exeFile created: C:\Users\user\AppData\Roaming\Bh2BSU9xxO49MYboEPptixGKslvKjoQApxmsXHE151Jump to behavior
            Source: C:\Users\user\Desktop\FACTURAS.exeFile created: C:\Users\user\AppData\Local\Temp\~DF503944F8FF7253A1.TMPJump to behavior
            Source: classification engineClassification label: mal100.troj.evad.winEXE@6/2@2/2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1360:304:WilStaging_02
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1360:120:WilError_03
            Source: Window RecorderWindow detected: More than 3 window changes detected

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: 00000006.00000000.21615424247.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_0040508B pushad ; ret 1_2_0040509D
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_0040755C push cs; retf 1_2_0040755D
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_00407179 push esp; iretd 1_2_00407181
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_00407584 push cs; retf 1_2_0040755D
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_004085B8 push edx; retf 1_2_004085B9
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_00406245 push ecx; retf 1_2_00406249
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_004072E6 push ebp; iretd 1_2_004072E9
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_004042FC push edx; retf 1_2_004042FD
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_0040972A push eax; iretd 1_2_00409745
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_004083D6 pushfd ; iretd 1_2_00408422
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_023247D6 push 00000063h; iretd 1_2_023247E4
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

            Malware Analysis System Evasion:

            barindex
            Tries to detect Any.runShow sources
            Source: C:\Users\user\Desktop\FACTURAS.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
            Source: C:\Users\user\Desktop\FACTURAS.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exeJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Program Files\qga\qga.exeJump to behavior
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
            Source: FACTURAS.exe, 00000001.00000002.21869632814.0000000003170000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSVBVM60.DLL
            Source: FACTURAS.exe, 00000001.00000002.21869632814.0000000003170000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22637930252.0000000001150000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Source: CasPol.exe, 00000006.00000002.22637930252.0000000001150000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1E3NVGX3LLHNN9ZF6RWTJDW6FKTCAIH9T
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5956Thread sleep time: -2767011611056431s >= -30000sJump to behavior
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWindow / User API: threadDelayed 9947Jump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\FACTURAS.exeSystem information queried: ModuleInformationJump to behavior
            Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
            Source: CasPol.exe, 00000006.00000002.22636737249.0000000000F58000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAWX
            Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
            Source: CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: vmicshutdown
            Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: Hyper-V Volume Shadow Copy Requestor
            Source: CasPol.exe, 00000006.00000002.22637364540.0000000000FD8000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAWM
            Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
            Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: Hyper-V Time Synchronization Service
            Source: CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: vmicvss
            Source: CasPol.exe, 00000006.00000002.22637364540.0000000000FD8000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
            Source: CasPol.exe, 00000006.00000002.22637930252.0000000001150000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=https://drive.google.com/uc?export=download&id=1e3nVGX3LlhNn9Zf6RwTjDw6FKTCAih9T
            Source: FACTURAS.exe, 00000001.00000002.21869632814.0000000003170000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22637930252.0000000001150000.00000004.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: Hyper-V Data Exchange Service
            Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: Hyper-V Heartbeat Service
            Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: Hyper-V Guest Service Interface
            Source: CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: vmicheartbeat
            Source: FACTURAS.exe, 00000001.00000002.21869632814.0000000003170000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\msvbvm60.dll

            Anti Debugging:

            barindex
            Hides threads from debuggersShow sources
            Source: C:\Users\user\Desktop\FACTURAS.exeThread information set: HideFromDebuggerJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread information set: HideFromDebuggerJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion:

            barindex
            Writes to foreign memory regionsShow sources
            Source: C:\Users\user\Desktop\FACTURAS.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: E10000Jump to behavior
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\FACTURAS.exe" Jump to behavior
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\FACTURAS.exe" Jump to behavior
            Source: CasPol.exe, 00000006.00000002.22638238010.0000000001840000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
            Source: CasPol.exe, 00000006.00000002.22638238010.0000000001840000.00000002.00020000.sdmpBinary or memory string: Program Manager]\
            Source: CasPol.exe, 00000006.00000002.22638238010.0000000001840000.00000002.00020000.sdmpBinary or memory string: Progman
            Source: CasPol.exe, 00000006.00000002.22638238010.0000000001840000.00000002.00020000.sdmpBinary or memory string: Progmanlock
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformationJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: CasPol.exe, 00000006.00000002.22646307055.000000001DF31000.00000004.00000001.sdmpBinary or memory string: MsMpEng.exe

            Stealing of Sensitive Information:

            bar