Windows Analysis Report
63.exe

Overview

General Information

Sample Name: 63.exe
Analysis ID: 626030
MD5: 638161fea451ac9d2cff99a9b9a7446c
SHA1: 0ebd57241094f53ce80470edd61bfc0c8361eb2a
SHA256: f144a51298e1e037133ad60094a271af9d65501a3ab5e41527efb6bcb56ccf58
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains very large array initializations
Tries to detect virtualization through RDTSC time measurements
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 16.2.RegAsm.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1354205151", "Chat URL": "https://api.telegram.org/bot1160330796:AAF3SAwgW-OTi9M5kDhSZUlENwhKRvFOWe8/sendDocument"}
Source: RegAsm.exe.5680.16.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1160330796:AAF3SAwgW-OTi9M5kDhSZUlENwhKRvFOWe8/sendMessage"}
Source: 63.exe Virustotal: Detection: 67%
Source: 63.exe ReversingLabs: Detection: 65%
Source: 63.exe Avira: detected
Source: 63.exe Joe Sandbox ML: detected
Source: 16.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 16.0.RegAsm.exe.400000.10.unpack Avira: Label: TR/Spy.Gen8
Source: 16.0.RegAsm.exe.400000.6.unpack Avira: Label: TR/Spy.Gen8
Source: 16.0.RegAsm.exe.400000.12.unpack Avira: Label: TR/Spy.Gen8
Source: 16.0.RegAsm.exe.400000.8.unpack Avira: Label: TR/Spy.Gen8
Source: 16.0.RegAsm.exe.400000.4.unpack Avira: Label: TR/Spy.Gen8
Source: 63.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 63.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: clrjit.pdb source: 63.exe, 00000000.00000003.268630387.00000000052AD000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb source: RegAsm.exe, RegAsm.exe, 00000010.00000000.424779246.0000000000952000.00000002.00000001.01000000.0000000A.sdmp, RegAsm.exe.0.dr
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000010.00000000.424779246.0000000000952000.00000002.00000001.01000000.0000000A.sdmp, RegAsm.exe.0.dr
Source: Binary string: C:\Dropbox\Dev\ag.v66\Libraries\MSILJitter\bin\RELEASE\win32\AgileDotNetRT.pdb source: o.dll.0.dr

Networking

Source: Yara match File source: 16.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.RegAsm.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.RegAsm.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.RegAsm.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.RegAsm.exe.400000.6.unpack, type: UNPACKEDPE
Source: RegAsm.exe, 00000010.00000002.531353991.0000000002C51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000010.00000002.531353991.0000000002C51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000010.00000002.531353991.0000000002C51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ZPEHvd.com
Source: o.dll.0.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: o.dll.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: o.dll.0.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: o.dll.0.dr String found in binary or memory: http://s2.symcb.com0
Source: o.dll.0.dr String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: o.dll.0.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: o.dll.0.dr String found in binary or memory: http://sv.symcd.com0&
Source: o.dll.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: o.dll.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: o.dll.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: o.dll.0.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: o.dll.0.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: RegAsm.exe, 00000010.00000002.531353991.0000000002C51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: RegAsm.exe, 00000010.00000000.425108271.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot1160330796:AAF3SAwgW-OTi9M5kDhSZUlENwhKRvFOWe8/
Source: RegAsm.exe, 00000010.00000002.531353991.0000000002C51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot1160330796:AAF3SAwgW-OTi9M5kDhSZUlENwhKRvFOWe8/sendDocumentdocument-----
Source: o.dll.0.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: o.dll.0.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: RegAsm.exe, 00000010.00000000.425108271.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegAsm.exe, 00000010.00000002.531353991.0000000002C51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary

Source: 16.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 16.0.RegAsm.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 16.0.RegAsm.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 16.0.RegAsm.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 16.0.RegAsm.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 00000010.00000002.531353991.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: Process Memory Space: RegAsm.exe PID: 5680, type: MEMORYSTR Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 63.exe, owjkr/vpvao.cs Large array initialization: .cctor: array initializer size 132624
Source: 0.0.63.exe.7c0000.0.unpack, owjkr/vpvao.cs Large array initialization: .cctor: array initializer size 132624
Source: 16.2.RegAsm.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007bD9E03315u002dB701u002d40B2u002dA9AAu002d216CD680177Fu007d/u003874ABDA0u002dAC0Cu002d4641u002dA022u002d803F71CBA88B.cs Large array initialization: .cctor: array initializer size 11839
Source: 16.0.RegAsm.exe.400000.10.unpack, u003cPrivateImplementationDetailsu003eu007bD9E03315u002dB701u002d40B2u002dA9AAu002d216CD680177Fu007d/u003874ABDA0u002dAC0Cu002d4641u002dA022u002d803F71CBA88B.cs Large array initialization: .cctor: array initializer size 11839
Source: 16.0.RegAsm.exe.400000.6.unpack, u003cPrivateImplementationDetailsu003eu007bD9E03315u002dB701u002d40B2u002dA9AAu002d216CD680177Fu007d/u003874ABDA0u002dAC0Cu002d4641u002dA022u002d803F71CBA88B.cs Large array initialization: .cctor: array initializer size 11839
Source: 16.0.RegAsm.exe.400000.12.unpack, u003cPrivateImplementationDetailsu003eu007bD9E03315u002dB701u002d40B2u002dA9AAu002d216CD680177Fu007d/u003874ABDA0u002dAC0Cu002d4641u002dA022u002d803F71CBA88B.cs Large array initialization: .cctor: array initializer size 11839
Source: 16.0.RegAsm.exe.400000.8.unpack, u003cPrivateImplementationDetailsu003eu007bD9E03315u002dB701u002d40B2u002dA9AAu002d216CD680177Fu007d/u003874ABDA0u002dAC0Cu002d4641u002dA022u002d803F71CBA88B.cs Large array initialization: .cctor: array initializer size 11839
Source: 63.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 16.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 16.0.RegAsm.exe.400000.10.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 16.0.RegAsm.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 16.0.RegAsm.exe.400000.12.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 16.0.RegAsm.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000010.00000002.531353991.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: RegAsm.exe PID: 5680, type: MEMORYSTR Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_00953DFE 16_2_00953DFE
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_010B46E0 16_2_010B46E0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_010B4610 16_2_010B4610
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_010B46B0 16_2_010B46B0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_010BD1A0 16_2_010BD1A0
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_05EE6508 16_2_05EE6508
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_05EE8CD8 16_2_05EE8CD8
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_05EE7120 16_2_05EE7120
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_05EE6850 16_2_05EE6850
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_05EE2204 16_2_05EE2204
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_05EE2194 16_2_05EE2194
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_05EE2258 16_2_05EE2258
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_05EE2224 16_2_05EE2224
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_05EE2234 16_2_05EE2234
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_05EE2202 16_2_05EE2202
Source: 63.exe, 00000000.00000000.261457145.0000000000832000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDOCUMENT.exe4 vs 63.exe
Source: 63.exe, 00000000.00000003.268630387.00000000052AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclrjit.dllT vs 63.exe
Source: 63.exe Binary or memory string: OriginalFilenameDOCUMENT.exe4 vs 63.exe
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Section loaded: sfc.dll
Source: 63.exe Virustotal: Detection: 67%
Source: 63.exe ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\63.exe File read: C:\Users\user\Desktop\63.exe:Zone.Identifier
Source: 63.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\63.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\63.exe "C:\Users\user\Desktop\63.exe"
Source: C:\Users\user\Desktop\63.exe Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\63.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\63.exe.log
Source: C:\Users\user\Desktop\63.exe File created: C:\Users\user\AppData\Local\Temp\851a6346-8539-40b9-b694-d1d5343c092e
Source: classification engine Classification label: mal100.troj.evad.winEXE@3/3@0/0
Source: C:\Users\user\Desktop\63.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 63.exe, uhvtn/ruypt.cs Cryptographic APIs: 'TransformBlock'
Source: 63.exe, muhbh/lnibr.cs Cryptographic APIs: 'TransformBlock'
Source: 63.exe, qgfei/supzt.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.63.exe.7c0000.0.unpack, muhbh/lnibr.cs Cryptographic APIs: 'TransformBlock'
Source: 0.0.63.exe.7c0000.0.unpack, qgfei/supzt.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.63.exe.7c0000.0.unpack, uhvtn/ruypt.cs Cryptographic APIs: 'TransformBlock'
Source: 16.2.RegAsm.exe.400000.0.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 16.0.RegAsm.exe.400000.10.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\63.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 63.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 63.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: clrjit.pdb source: 63.exe, 00000000.00000003.268630387.00000000052AD000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb source: RegAsm.exe, RegAsm.exe, 00000010.00000000.424779246.0000000000952000.00000002.00000001.01000000.0000000A.sdmp, RegAsm.exe.0.dr
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000010.00000000.424779246.0000000000952000.00000002.00000001.01000000.0000000A.sdmp, RegAsm.exe.0.dr
Source: Binary string: C:\Dropbox\Dev\ag.v66\Libraries\MSILJitter\bin\RELEASE\win32\AgileDotNetRT.pdb source: o.dll.0.dr
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_00954289 push es; retf 16_2_00954294
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_009544A3 push es; retf 16_2_009544A4
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Code function: 16_2_00954469 push cs; retf 16_2_0095449E
Source: o.dll.0.dr Static PE information: section name: .didat
Source: o.dll.0.dr Static PE information: section name: .00cfg
Source: initial sample Static PE information: section name: .text entropy: 7.51647686445
Source: C:\Users\user\Desktop\63.exe File created: C:\Users\user\AppData\Local\Temp\851a6346-8539-40b9-b694-d1d5343c092e\o.dll
Source: C:\Users\user\Desktop\63.exe File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\Desktop\63.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\63.exe RDTSC instruction interceptor: First address: 0000000072BF1D36 second address: 0000000072BF2A87 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-10h], eax 0x00000005 mov dword ptr [ebp-0Ch], edx 0x00000008 mov eax, dword ptr [ebp-10h] 0x0000000b sub eax, dword ptr [ebp-08h] 0x0000000e mov edx, dword ptr [ebp-0Ch] 0x00000011 sbb edx, dword ptr [ebp-04h] 0x00000014 pop edi 0x00000015 pop esi 0x00000016 pop ebx 0x00000017 mov esp, ebp 0x00000019 pop ebp 0x0000001a ret 0x0000001b mov dword ptr [72C053C0h], eax 0x00000020 mov dword ptr [72C053C4h], edx 0x00000026 mov dword ptr [ebp-0Ch], 00000000h 0x0000002d jmp 00007FDD04A4D2FBh 0x0000002f mov eax, dword ptr [ebp-0Ch] 0x00000032 cmp eax, dword ptr [ebp+08h] 0x00000035 jnl 00007FDD04A4D336h 0x00000037 rdtsc
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\63.exe TID: 6460 Thread sleep count: 238 > 30
Source: C:\Users\user\Desktop\63.exe TID: 1128 Thread sleep count: 39 > 30
Source: C:\Users\user\Desktop\63.exe TID: 1128 Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\Desktop\63.exe TID: 6196 Thread sleep count: 4509 > 30
Source: C:\Users\user\Desktop\63.exe TID: 6196 Thread sleep count: 4881 > 30
Source: C:\Users\user\Desktop\63.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\63.exe Window / User API: threadDelayed 4509
Source: C:\Users\user\Desktop\63.exe Window / User API: threadDelayed 4881
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\63.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\63.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\63.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\63.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000
Source: C:\Users\user\Desktop\63.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000
Source: C:\Users\user\Desktop\63.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 438000
Source: C:\Users\user\Desktop\63.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 43A000
Source: C:\Users\user\Desktop\63.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: B81008
Source: C:\Users\user\Desktop\63.exe Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\63.exe Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\63.exe Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\Desktop\63.exe Queries volume information: C:\Users\user\Desktop\63.exe VolumeInformation
Source: C:\Users\user\Desktop\63.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\63.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\63.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000010.00000002.531353991.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5680, type: MEMORYSTR
Source: Yara match File source: 16.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.RegAsm.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.RegAsm.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.RegAsm.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.RegAsm.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000000.425108271.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.424683140.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.424295986.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.529314857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.423853193.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000010.00000002.531353991.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5680, type: MEMORYSTR
Source: Yara match File source: 16.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.RegAsm.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.RegAsm.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.RegAsm.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.0.RegAsm.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000000.425108271.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.424683140.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.424295986.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.529314857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.423853193.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos