Windows Analysis Report
63.exe

Overview

General Information

Sample Name: 63.exe
Analysis ID: 626030
MD5: 638161fea451ac9d2cff99a9b9a7446c
SHA1: 0ebd57241094f53ce80470edd61bfc0c8361eb2a
SHA256: f144a51298e1e037133ad60094a271af9d65501a3ab5e41527efb6bcb56ccf58
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Antivirus / Scanner detection for submitted sample
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Yara detected Generic Downloader
.NET source code contains very large array initializations
Tries to detect virtualization through RDTSC time measurements
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • 63.exe (PID: 6408, cmdline: "C:\Users\user\Desktop\63.exe", MD5: 638161FEA451AC9D2CFF99A9B9A7446C)
    • RegAsm.exe (PID: 5680, cmdline: C:\Users\user\AppData\Local\Temp\RegAsm.exe, MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • cleanup

Extracted malware configuration:
  • Telegram RAT: {"C2 url": "https://api.telegram.org/bot1160330796:AAF3SAwgW-OTi9M5kDhSZUlENwhKRvFOWe8/sendMessage"}
  • AgentTesla: {"Exfil Mode": "Telegram", "Chat id": "1354205151", "Chat URL": "https://api.telegram.org/bot1160330796:AAF3SAwgW-OTi9M5kDhSZUlENwhKRvFOWe8/sendDocument"}
Yara matches (memory dumps)

Source | Rule | Description | Author | Strings
00000010.00000000.425108271.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000010.00000000.425108271.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000010.00000000.424683140.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000010.00000000.424683140.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000010.00000002.531353991.0000000002C51000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(13 further entries not shown)

Yara matches (unpacked PEs)

Source | Rule | Description | Author | Strings
16.0.RegAsm.exe.400000.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
16.0.RegAsm.exe.400000.4.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
16.0.RegAsm.exe.400000.4.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
16.0.RegAsm.exe.400000.4.unpack | MALWARE_Win_AgentTeslaV3 | AgentTeslaV3 infostealer payload | ditekSHen | matched strings:
  • 0x30013:$s1: get_kbok
  • 0x3092d:$s2: get_CHoo
  • 0x31538:$s3: set_passwordIsSet
  • 0x2fe29:$s4: get_enableLog
  • 0x3445e:$s8: torbrowser
  • 0x32e1d:$s10: logins
  • 0x326f6:$s11: credential
  • 0x2f254:$g1: get_Clipboard
  • 0x2f262:$g2: get_Keyboard
  • 0x2f26f:$g3: get_Password
  • 0x307dd:$g4: get_CtrlKeyDown
  • 0x307ed:$g5: get_ShiftKeyDown
  • 0x307fe:$g6: get_AltKeyDown
16.0.RegAsm.exe.400000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(19 further entries not shown)

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 16.2.RegAsm.exe.400000.0.unpack | Malware Configuration Extractor: AgentTesla {"Exfil Mode": "Telegram", "Chat id": "1354205151", "Chat URL": "https://api.telegram.org/bot1160330796:AAF3SAwgW-OTi9M5kDhSZUlENwhKRvFOWe8/sendDocument"}
Source: RegAsm.exe.5680.16.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1160330796:AAF3SAwgW-OTi9M5kDhSZUlENwhKRvFOWe8/sendMessage"}
Source: 63.exe | Virustotal: Detection: 67%
Source: 63.exe | ReversingLabs: Detection: 65%
Source: 63.exe | Avira: detected
Source: 63.exe | Joe Sandbox ML: detected
Source: 16.2.RegAsm.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 16.0.RegAsm.exe.400000.10.unpack | Avira: Label: TR/Spy.Gen8
Source: 16.0.RegAsm.exe.400000.6.unpack | Avira: Label: TR/Spy.Gen8
Source: 16.0.RegAsm.exe.400000.12.unpack | Avira: Label: TR/Spy.Gen8
Source: 16.0.RegAsm.exe.400000.8.unpack | Avira: Label: TR/Spy.Gen8
Source: 16.0.RegAsm.exe.400000.4.unpack | Avira: Label: TR/Spy.Gen8
Source: 63.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 63.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: clrjit.pdb | source: 63.exe, 00000000.00000003.268630387.00000000052AD000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb | source: RegAsm.exe, RegAsm.exe, 00000010.00000000.424779246.0000000000952000.00000002.00000001.01000000.0000000A.sdmp, RegAsm.exe.0.dr
Source: Binary string: RegAsm.pdb4 | source: RegAsm.exe, 00000010.00000000.424779246.0000000000952000.00000002.00000001.01000000.0000000A.sdmp, RegAsm.exe.0.dr
Source: Binary string: C:\Dropbox\Dev\ag.v66\Libraries\MSILJitter\bin\RELEASE\win32\AgileDotNetRT.pdb | source: o.dll.0.dr

Networking

Source: Yara match | File source: 16.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.RegAsm.exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.RegAsm.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.RegAsm.exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.RegAsm.exe.400000.6.unpack, type: UNPACKEDPE
Source: RegAsm.exe, 00000010.00000002.531353991.0000000002C51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000010.00000002.531353991.0000000002C51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000010.00000002.531353991.0000000002C51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ZPEHvd.com
Source: o.dll.0.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: o.dll.0.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: o.dll.0.dr | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: o.dll.0.dr | String found in binary or memory: http://s2.symcb.com0
Source: o.dll.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: o.dll.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: o.dll.0.dr | String found in binary or memory: http://sv.symcd.com0&
Source: o.dll.0.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: o.dll.0.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: o.dll.0.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: o.dll.0.dr | String found in binary or memory: http://www.symauth.com/cps0(
Source: o.dll.0.dr | String found in binary or memory: http://www.symauth.com/rpa00
Source: RegAsm.exe, 00000010.00000002.531353991.0000000002C51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: RegAsm.exe, 00000010.00000000.425108271.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot1160330796:AAF3SAwgW-OTi9M5kDhSZUlENwhKRvFOWe8/
Source: RegAsm.exe, 00000010.00000002.531353991.0000000002C51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot1160330796:AAF3SAwgW-OTi9M5kDhSZUlENwhKRvFOWe8/sendDocumentdocument-----
Source: o.dll.0.dr | String found in binary or memory: https://d.symcb.com/cps0%
Source: o.dll.0.dr | String found in binary or memory: https://d.symcb.com/rpa0
Source: RegAsm.exe, 00000010.00000000.425108271.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: RegAsm.exe, 00000010.00000002.531353991.0000000002C51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary

Source: 16.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 16.0.RegAsm.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 16.0.RegAsm.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 16.0.RegAsm.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 16.0.RegAsm.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 00000010.00000002.531353991.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: Process Memory Space: RegAsm.exe PID: 5680, type: MEMORYSTR | Matched rule: AgentTeslaV3 infostealer payload, Author: ditekSHen
Source: 63.exe, owjkr/vpvao.cs | Large array initialization: .cctor: array initializer size 132624
Source: 0.0.63.exe.7c0000.0.unpack, owjkr/vpvao.cs | Large array initialization: .cctor: array initializer size 132624
Source: 16.2.RegAsm.exe.400000.0.unpack, <PrivateImplementationDetails>{D9E03315-B701-40B2-A9AA-216CD680177F}/874ABDA0-AC0C-4641-A022-803F71CBA88B.cs | Large array initialization: .cctor: array initializer size 11839
Source: 16.0.RegAsm.exe.400000.10.unpack, <PrivateImplementationDetails>{D9E03315-B701-40B2-A9AA-216CD680177F}/874ABDA0-AC0C-4641-A022-803F71CBA88B.cs | Large array initialization: .cctor: array initializer size 11839
Source: 16.0.RegAsm.exe.400000.6.unpack, <PrivateImplementationDetails>{D9E03315-B701-40B2-A9AA-216CD680177F}/874ABDA0-AC0C-4641-A022-803F71CBA88B.cs | Large array initialization: .cctor: array initializer size 11839
Source: 16.0.RegAsm.exe.400000.12.unpack, <PrivateImplementationDetails>{D9E03315-B701-40B2-A9AA-216CD680177F}/874ABDA0-AC0C-4641-A022-803F71CBA88B.cs | Large array initialization: .cctor: array initializer size 11839
Source: 16.0.RegAsm.exe.400000.8.unpack, <PrivateImplementationDetails>{D9E03315-B701-40B2-A9AA-216CD680177F}/874ABDA0-AC0C-4641-A022-803F71CBA88B.cs | Large array initialization: .cctor: array initializer size 11839
Source: 16.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3, author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 16.0.RegAsm.exe.400000.10.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3, author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 16.0.RegAsm.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3, author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3, author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 16.0.RegAsm.exe.400000.12.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3, author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 16.0.RegAsm.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3, author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 00000010.00000002.531353991.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV3, author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: Process Memory Space: RegAsm.exe PID: 5680, type: MEMORYSTR | Matched rule: MALWARE_Win_AgentTeslaV3, author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 63.exe, 00000000.00000000.261457145.0000000000832000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDOCUMENT.exe4 vs 63.exe
Source: 63.exe, 00000000.00000003.268630387.00000000052AD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclrjit.dllT vs 63.exe
Source: 63.exe | Binary or memory string: OriginalFilenameDOCUMENT.exe4 vs 63.exe
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\63.exe | File read: C:\Users\user\Desktop\63.exe:Zone.Identifier
Source: 63.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\63.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\63.exe "C:\Users\user\Desktop\63.exe"
Source: C:\Users\user\Desktop\63.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\Desktop\63.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\63.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\63.exe.log
Source: C:\Users\user\Desktop\63.exe | File created: C:\Users\user\AppData\Local\Temp\851a6346-8539-40b9-b694-d1d5343c092e
Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/3@0/0
Source: C:\Users\user\Desktop\63.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: 63.exe, uhvtn/ruypt.cs | Cryptographic APIs: 'TransformBlock'
Source: 63.exe, muhbh/lnibr.cs | Cryptographic APIs: 'TransformBlock'
Source: 63.exe, qgfei/supzt.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.63.exe.7c0000.0.unpack, muhbh/lnibr.cs | Cryptographic APIs: 'TransformBlock'
Source: 0.0.63.exe.7c0000.0.unpack, qgfei/supzt.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.63.exe.7c0000.0.unpack, uhvtn/ruypt.cs | Cryptographic APIs: 'TransformBlock'
Source: 16.2.RegAsm.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 16.0.RegAsm.exe.400000.10.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Users\user\Desktop\63.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 63.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 16_2_00954289 push es; retf 16_2_00954294
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 16_2_009544A3 push es; retf 16_2_009544A4
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Code function: 16_2_00954469 push cs; retf 16_2_0095449E
Source: o.dll.0.dr | Static PE information: section name: .didat
Source: o.dll.0.dr | Static PE information: section name: .00cfg
Source: initial sample | Static PE information: section name: .text entropy: 7.51647686445
Source: C:\Users\user\Desktop\63.exe | File created: C:\Users\user\AppData\Local\Temp\851a6346-8539-40b9-b694-d1d5343c092e\o.dll (dropped file)
Source: C:\Users\user\Desktop\63.exe | File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe (dropped file)
Source: C:\Users\user\Desktop\63.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\Desktop\63.exe | RDTSC instruction interceptor: First address: 0000000072BF1D36, second address: 0000000072BF2A87, instructions:
                        0x00000000 rdtsc
                        0x00000002 mov dword ptr [ebp-10h], eax
                        0x00000005 mov dword ptr [ebp-0Ch], edx
                        0x00000008 mov eax, dword ptr [ebp-10h]
                        0x0000000b sub eax, dword ptr [ebp-08h]
                        0x0000000e mov edx, dword ptr [ebp-0Ch]
                        0x00000011 sbb edx, dword ptr [ebp-04h]
                        0x00000014 pop edi
                        0x00000015 pop esi
                        0x00000016 pop ebx
                        0x00000017 mov esp, ebp
                        0x00000019 pop ebp
                        0x0000001a ret
                        0x0000001b mov dword ptr [72C053C0h], eax
                        0x00000020 mov dword ptr [72C053C4h], edx
                        0x00000026 mov dword ptr [ebp-0Ch], 00000000h
                        0x0000002d jmp 00007FDD04A4D2FBh
                        0x0000002f mov eax, dword ptr [ebp-0Ch]
                        0x00000032 cmp eax, dword ptr [ebp+08h]
                        0x00000035 jnl 00007FDD04A4D336h
                        0x00000037 rdtsc
                    Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\63.exe TID: 6460 | Thread sleep count: 238 > 30
                    Source: C:\Users\user\Desktop\63.exe TID: 1128 | Thread sleep count: 39 > 30
                    Source: C:\Users\user\Desktop\63.exe TID: 1128 | Thread sleep time: -35971150943733603s >= -30000s
                    Source: C:\Users\user\Desktop\63.exe TID: 6196 | Thread sleep count: 4509 > 30
                    Source: C:\Users\user\Desktop\63.exe TID: 6196 | Thread sleep count: 4881 > 30
                    Source: C:\Users\user\Desktop\63.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\63.exe | Window / User API: threadDelayed 4509
                    Source: C:\Users\user\Desktop\63.exe | Window / User API: threadDelayed 4881
                    Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\63.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\63.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\63.exe | Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\63.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\63.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000
                    Source: C:\Users\user\Desktop\63.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 402000
                    Source: C:\Users\user\Desktop\63.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 438000
                    Source: C:\Users\user\Desktop\63.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 43A000
                    Source: C:\Users\user\Desktop\63.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: B81008
                    Source: C:\Users\user\Desktop\63.exe | Memory allocated: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\63.exe | Memory written: C:\Users\user\AppData\Local\Temp\RegAsm.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\63.exe | Process created: C:\Users\user\AppData\Local\Temp\RegAsm.exe C:\Users\user\AppData\Local\Temp\RegAsm.exe
                    Source: C:\Users\user\Desktop\63.exe | Queries volume information: C:\Users\user\Desktop\63.exe VolumeInformation
                    Source: C:\Users\user\Desktop\63.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\63.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\RegAsm.exe VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\63.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 00000010.00000002.531353991.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5680, type: MEMORYSTR
                    Source: Yara match | File source: 16.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.0.RegAsm.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.0.RegAsm.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.0.RegAsm.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.0.RegAsm.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000010.00000000.425108271.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000000.424683140.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000000.424295986.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.529314857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000000.423853193.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

                    Remote Access Functionality

                    Source: Yara match | File source: 00000010.00000002.531353991.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 5680, type: MEMORYSTR
                    Source: Yara match | File source: 16.0.RegAsm.exe.400000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.0.RegAsm.exe.400000.10.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.0.RegAsm.exe.400000.8.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.0.RegAsm.exe.400000.12.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 16.0.RegAsm.exe.400000.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000010.00000000.425108271.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000000.424683140.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000000.424295986.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000002.529314857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000010.00000000.423853193.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact