Windows Analysis Report
INVOICE.exe

Overview

General Information

Sample Name: INVOICE.exe
Analysis ID: 634111
MD5: a10619d494661c1f8ca180e53c5a11fd
SHA1: 1273e17b50d8d33078df02447fa9adaab255b459
SHA256: e126c11aec2897bd7959747e70bc85d4153abdadbe45344bb41771ced23f3228

Detection

NanoCore, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected GuLoader
Snort IDS alert for network traffic
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: 00000003.00000000.844018063.0000000001130000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://cdn.discordapp.com/attachments/963535165500588126/978282265127825408/NANOBIN_HBsjI150.bin"}
Source: INVOICE.exe Virustotal: Detection: 14%
Source: INVOICE.exe ReversingLabs: Detection: 42%
Source: INVOICE.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\INVOICE.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\heliolitidae
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: unknown HTTPS traffic detected: 162.159.134.233:443 -> 192.168.11.20:49747 version: TLS 1.2
Source: INVOICE.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbw{ source: CasPol.exe, 00000003.00000003.1281811492.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1421171892.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1283756923.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1282689467.000000000143A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\net6.0-Release\System.Threading.pdb source: System.Threading.dll.0.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: CasPol.exe, 00000003.00000003.1281811492.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1421171892.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1283756923.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1282689467.000000000143A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Handles\net6.0-Release\System.Runtime.Handles.pdb source: System.Runtime.Handles.dll.0.dr
Source: Binary string: System.Threading.ni.pdb source: System.Threading.dll.0.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: CasPol.exe, 00000003.00000003.1281811492.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1421171892.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1283756923.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1282689467.000000000143A000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C49
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_00406873 FindFirstFileW,FindClose, 0_2_00406873
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user\AppData\Local\Temp\Arteriagra2.Syr
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user\AppData\Local\Temp\alnicoes.til

Networking

Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49748 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49748 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49749 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49749 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49759 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 23.105.131.228:5218 -> 192.168.11.20:49759
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49759 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49767 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49767 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49771 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49773 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49773 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49774 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49774 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49774 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49775 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49775 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49776 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49776 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49778 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49778 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49779 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49779 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 23.105.131.228:5218 -> 192.168.11.20:49779
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49780 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49780 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49781 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49781 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49781 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49782 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49782 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49783 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49783 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49784 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49784 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49785 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49785 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49786 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49786 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49787 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49787 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49788 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49788 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49789 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49789 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49790 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49790 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49791 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49791 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49792 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49792 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49793 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49793 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49794 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49794 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49794 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49795 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49795 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49796 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49796 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49797 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49797 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49798 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49798 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49799 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49799 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49800 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49800 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 23.105.131.228:5218 -> 192.168.11.20:49800
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49801 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49801 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49802 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49802 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49803 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49803 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49804 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49804 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49804 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49805 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49805 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49806 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49806 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49807 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49807 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49808 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49808 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49809 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49809 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49810 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49810 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49811 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49811 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49812 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49812 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49813 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49813 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49814 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49814 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49815 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49815 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49815 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49816 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49816 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49817 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49817 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 23.105.131.228:5218 -> 192.168.11.20:49817
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49818 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49818 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49819 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49819 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49820 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49820 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49821 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49821 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49822 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49822 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49822 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49826 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49826 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49830 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49830 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49831 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 23.105.131.228:5218 -> 192.168.11.20:49831
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49831 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49832 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49832 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49833 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49833 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49834 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49834 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49836 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49836 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49837 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49837 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49838 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49838 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49839 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49839 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49840 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49840 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49841 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49841 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49841 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49842 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49842 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49843 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49843 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49844 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49844 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 23.105.131.228:5218 -> 192.168.11.20:49844
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49845 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49845 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49846 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49846 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49847 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49847 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49848 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49848 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49848 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49849 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49849 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49850 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49850 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49851 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49851 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 23.105.131.228:5218 -> 192.168.11.20:49851
Source: Malware configuration extractor URLs: https://cdn.discordapp.com/attachments/963535165500588126/978282265127825408/NANOBIN_HBsjI150.bin
Source: Joe Sandbox View ASN Name: LEASEWEB-USA-NYC-11US LEASEWEB-USA-NYC-11US
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View IP Address: 23.105.131.228 23.105.131.228
Source: Joe Sandbox View IP Address: 162.159.134.233 162.159.134.233
Source: global traffic HTTP traffic detected: GET /attachments/963535165500588126/978282265127825408/NANOBIN_HBsjI150.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdn.discordapp.comCache-Control: no-cache
Source: global traffic TCP traffic: 192.168.11.20:49748 -> 23.105.131.228:5218
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: INVOICE.exe, filename.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: INVOICE.exe, filename.exe.3.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: CasPol.exe, 00000003.00000003.1020103132.0000000001455000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1281811492.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1421171892.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1019748732.0000000001455000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1283756923.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1282689467.000000000143A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 00000003.00000003.1020103132.0000000001455000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1281811492.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1421171892.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1019748732.0000000001455000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1283756923.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1282689467.000000000143A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: INVOICE.exe, filename.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: INVOICE.exe, filename.exe.3.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: updater.ini.0.dr String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: INVOICE.exe, filename.exe.3.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: INVOICE.exe, filename.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: INVOICE.exe, filename.exe.3.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: CasPol.exe, 00000003.00000003.1281441617.00000000013F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/
Source: CasPol.exe, 00000003.00000003.1281441617.00000000013F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/4
Source: CasPol.exe, 00000003.00000003.1421120632.0000000001437000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1283390694.0000000001414000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1281609750.0000000001414000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1420897763.0000000001420000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/963535165500588126/978282265127825408/NANOBIN_HBsjI150.bin
Source: System.Runtime.Handles.dll.0.dr, System.Threading.dll.0.dr String found in binary or memory: https://github.com/dotnet/runtime
Source: System.Threading.dll.0.dr String found in binary or memory: https://github.com/dotnet/runtimeBSJB
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056DE

System Summary

Source: initial sample Static PE information: Filename: INVOICE.exe
Source: INVOICE.exe Static file information: Suspicious name
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_0040755C 0_2_0040755C
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_00406D85 0_2_00406D85
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_73E81BFF 0_2_73E81BFF
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B663E8 0_2_02B663E8
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B57AA9 0_2_02B57AA9
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50E84 0_2_02B50E84
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B51E8D 0_2_02B51E8D
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B5068C 0_2_02B5068C
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B51A8E 0_2_02B51A8E
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50AE5 0_2_02B50AE5
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B5D2E9 0_2_02B5D2E9
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B51AD6 0_2_02B51AD6
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B596DC 0_2_02B596DC
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50EC1 0_2_02B50EC1
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B506CE 0_2_02B506CE
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B66A31 0_2_02B66A31
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50E3A 0_2_02B50E3A
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50A2F 0_2_02B50A2F
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50611 0_2_02B50611
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B51A12 0_2_02B51A12
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B5020E 0_2_02B5020E
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50E0A 0_2_02B50E0A
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B5767A 0_2_02B5767A
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50262 0_2_02B50262
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50A6D 0_2_02B50A6D
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50657 0_2_02B50657
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B57647 0_2_02B57647
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B577B7 0_2_02B577B7
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50BB8 0_2_02B50BB8
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B51BA6 0_2_02B51BA6
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B65BAC 0_2_02B65BAC
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B507A8 0_2_02B507A8
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B507F2 0_2_02B507F2
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B507FA 0_2_02B507FA
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50BEC 0_2_02B50BEC
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B51BD9 0_2_02B51BD9
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B503CE 0_2_02B503CE
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B58737 0_2_02B58737
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B58336 0_2_02B58336
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B51B2D 0_2_02B51B2D
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50F07 0_2_02B50F07
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B58777 0_2_02B58777
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50B7F 0_2_02B50B7F
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50B64 0_2_02B50B64
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50B67 0_2_02B50B67
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B57B66 0_2_02B57B66
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50B61 0_2_02B50B61
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B5076C 0_2_02B5076C
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50B55 0_2_02B50B55
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50B57 0_2_02B50B57
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50B50 0_2_02B50B50
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50B5D 0_2_02B50B5D
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50B5F 0_2_02B50B5F
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B5035E 0_2_02B5035E
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50B59 0_2_02B50B59
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50B5B 0_2_02B50B5B
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50B45 0_2_02B50B45
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50B47 0_2_02B50B47
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B57746 0_2_02B57746
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50B43 0_2_02B50B43
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50B4D 0_2_02B50B4D
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B51B4F 0_2_02B51B4F
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50B49 0_2_02B50B49
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50B4B 0_2_02B50B4B
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B504BE 0_2_02B504BE
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50C9E 0_2_02B50C9E
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50480 0_2_02B50480
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B5088B 0_2_02B5088B
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B518F3 0_2_02B518F3
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B51CF9 0_2_02B51CF9
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B518E3 0_2_02B518E3
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50CE3 0_2_02B50CE3
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B508E2 0_2_02B508E2
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B578E8 0_2_02B578E8
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B500DC 0_2_02B500DC
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B500C2 0_2_02B500C2
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B594CE 0_2_02B594CE
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B598CB 0_2_02B598CB
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B5043C 0_2_02B5043C
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50C2F 0_2_02B50C2F
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B51C1A 0_2_02B51C1A
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50001 0_2_02B50001
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50400 0_2_02B50400
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B5000D 0_2_02B5000D
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50C6A 0_2_02B50C6A
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50845 0_2_02B50845
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B57842 0_2_02B57842
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B509BE 0_2_02B509BE
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50DBA 0_2_02B50DBA
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50197 0_2_02B50197
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B519F2 0_2_02B519F2
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B595E4 0_2_02B595E4
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B579E7 0_2_02B579E7
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B509EF 0_2_02B509EF
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50DD8 0_2_02B50DD8
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50926 0_2_02B50926
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50520 0_2_02B50520
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50928 0_2_02B50928
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50116 0_2_02B50116
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50D1A 0_2_02B50D1A
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50504 0_2_02B50504
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B51976 0_2_02B51976
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B5797F 0_2_02B5797F
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B67564 0_2_02B67564
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B5756F 0_2_02B5756F
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B5096E 0_2_02B5096E
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50569 0_2_02B50569
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B5956A 0_2_02B5956A
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B5015F 0_2_02B5015F
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B50D4B 0_2_02B50D4B
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B6868C NtProtectVirtualMemory, 0_2_02B6868C
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B663E8 LoadLibraryA,NtAllocateVirtualMemory, 0_2_02B663E8
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B68D4B NtResumeThread, 0_2_02B68D4B
Source: System.Threading.dll.0.dr Static PE information: No import functions for PE file found
Source: C:\Users\user\Desktop\INVOICE.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll
Source: INVOICE.exe Static PE information: invalid certificate
Source: INVOICE.exe Virustotal: Detection: 14%
Source: INVOICE.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\INVOICE.exe File read: C:\Users\user\Desktop\INVOICE.exe
Source: INVOICE.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\INVOICE.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\INVOICE.exe "C:\Users\user\Desktop\INVOICE.exe"
Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\INVOICE.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\INVOICE.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File created: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB
Source: C:\Users\user\Desktop\INVOICE.exe File created: C:\Users\user\AppData\Local\Temp\nstB3EB.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/13@77/2
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\INVOICE.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_0040498A
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{e2d76446-64a1-46f3-8813-50732b47912e}
Source: C:\Users\user\Desktop\INVOICE.exe File written: C:\Users\user\AppData\Local\Temp\updater.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\INVOICE.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\heliolitidae
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll
Source: INVOICE.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbw{ source: CasPol.exe, 00000003.00000003.1281811492.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1421171892.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1283756923.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1282689467.000000000143A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\net6.0-Release\System.Threading.pdb source: System.Threading.dll.0.dr
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: CasPol.exe, 00000003.00000003.1281811492.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1421171892.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1283756923.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1282689467.000000000143A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Handles\net6.0-Release\System.Runtime.Handles.pdb source: System.Runtime.Handles.dll.0.dr
Source: Binary string: System.Threading.ni.pdb source: System.Threading.dll.0.dr
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: CasPol.exe, 00000003.00000003.1281811492.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1421171892.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1283756923.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1282689467.000000000143A000.00000004.00000020.00020000.00000000.sdmp
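The process tree in this section is the part worth automating: INVOICE.exe (an NSIS installer, judging by the nst*.tmp / nsp*.tmp\System.dll artifacts) starts the legitimate .NET utility CasPol.exe, but the child's command line is "C:\Users\user\Desktop\INVOICE.exe", not the CasPol.exe image that is actually mapped, which together with the NtAllocateVirtualMemory / NtProtectVirtualMemory / NtResumeThread calls listed above is the usual process-hollowing fingerprint. The Python below is an added editorial example, not part of the sandbox report or of any vendor tooling: it parses behavior lines of the shape shown on this page into records, discards the "Jump to behavior" link text, and pulls out the items an analyst triages first (process tree, image/command-line mismatch, dropped files, mutexes, Run/RunOnce persistence). The event vocabulary, the assumption that image paths carry no spaces, and the "WilError/WilStaging" noise filter are mine; the sample input is constructed from lines copied from this report.

```python
import re
from collections import defaultdict

# Constructed sample input: behavior lines copied from the report above, with the
# HTML link text ("Jump to behavior" / "Jump to dropped file") left in on some of
# them so the parser is seen to discard it.
SAMPLE = r"""
Source: unknown Process created: C:\Users\user\Desktop\INVOICE.exe "C:\Users\user\Desktop\INVOICE.exe"
Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\INVOICE.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File created: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB Jump to behavior
Source: C:\Users\user\Desktop\INVOICE.exe File created: C:\Users\user\AppData\Local\Temp\System.Threading.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{e2d76446-64a1-46f3-8813-50732b47912e}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key Jump to behavior
"""

# Event vocabulary limited to what this page shows (assumption: other reports use more).
EVENTS = (
    "Process created", "File created", "File opened", "Mutant created",
    "Registry value created or modified", "Registry value created",
)
LINE_RE = re.compile(
    r"^Source: (?P<source>.+?) (?P<event>" + "|".join(re.escape(e) for e in EVENTS) + r"): (?P<detail>.*)$"
)
LINK_RE = re.compile(r" Jump to (behavior|dropped file)$")
# conhost's WIL error/staging mutexes appear in every run; they attribute nothing.
NOISE_MUTEX = re.compile(r"(WilError|WilStaging)_\d+$")


def parse(text):
    """Turn 'Source: <who> <event>: <detail>' lines into dicts; skip everything else."""
    records = []
    for raw in text.splitlines():
        line = LINK_RE.sub("", raw.strip())
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def split_process_detail(detail):
    """'<image> <command line>' -> (image, command line).
    Assumption: image paths in this report contain no spaces (true for every line here)."""
    image, _, cmdline = detail.partition(" ")
    return image, cmdline


def cmdline_image(cmdline):
    """First token of a Windows command line, honouring a leading double quote."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.find('"', 1)]
    return cmdline.split(" ", 1)[0]


def triage(records):
    """Group the records the way an analyst reads them; sets absorb repeated lines."""
    iocs = defaultdict(set)
    for r in records:
        src, ev, d = r["source"], r["event"], r["detail"]
        if ev == "Process created":
            image, cmdline = split_process_detail(d)
            iocs["process_tree"].add((src, image))
            # Hollowing tell: the command line names a different executable than the
            # image actually mapped into the child (CasPol.exe carrying INVOICE.exe's line).
            if cmdline_image(cmdline).lower() != image.lower():
                iocs["cmdline_mismatch"].add((src, image, cmdline))
        elif ev == "File created":
            iocs["dropped"].add(d)
        elif ev == "Mutant created" and not NOISE_MUTEX.search(d):
            iocs["mutex"].add(d)
        elif ev.startswith("Registry value created") and re.search(r"\\Run(Once)?\b", d):
            iocs["persistence"].add((src, d))
    return {k: sorted(v) for k, v in iocs.items()}


if __name__ == "__main__":
    for key, items in triage(parse(SAMPLE)).items():
        print(key)
        for item in items:
            print("   ", item)
```

The image comparison is case-insensitive on purpose: the conhost.exe line in the tree is spelled System32 in the image and system32 in the command line, and a case-sensitive check would report it as a second mismatch. Only the CasPol.exe child survives the check, which is the one that matters.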

Data Obfuscation

Source: Yara match File source: 00000003.00000000.844018063.0000000001130000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1043900195.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_73E830C0 push eax; ret 0_2_73E830EE
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B5451F pushfd ; retf AF77h 0_2_02B542B9
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B57195 push edx; ret 0_2_02B57196
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_73E81BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_73E81BFF
Source: System.Runtime.Handles.dll.0.dr Static PE information: 0xABF00243 [Sun May 29 22:59:15 2061 UTC]
Source: C:\Users\user\Desktop\INVOICE.exe File created: C:\Users\user\AppData\Local\Temp\nspB8FC.tmp\System.dll
Source: C:\Users\user\Desktop\INVOICE.exe File created: C:\Users\user\AppData\Local\Temp\System.Runtime.Handles.dll
Source: C:\Users\user\Desktop\INVOICE.exe File created: C:\Users\user\AppData\Local\Temp\System.Threading.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key (4 identical events)

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\INVOICE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX (66 identical events)
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\qga\qga.exe
Source: INVOICE.exe, 00000000.00000002.1044105230.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, INVOICE.exe, 00000000.00000002.1042576005.0000000000658000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: INVOICE.exe, 00000000.00000002.1042576005.0000000000658000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXELL
Source: INVOICE.exe, 00000000.00000002.1044105230.0000000002C51000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 3360 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 7876 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\INVOICE.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Runtime.Handles.dll
Source: C:\Users\user\Desktop\INVOICE.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Threading.dll
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B516A6 rdtsc 0_2_02B516A6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 415
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 997
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: foregroundWindowGot 1402
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C49
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_00406873 FindFirstFileW,FindClose, 0_2_00406873
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\INVOICE.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\INVOICE.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\INVOICE.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user\AppData\Local\Temp\Arteriagra2.Syr
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\INVOICE.exe File opened: C:\Users\user\AppData\Local\Temp\alnicoes.til
Source: INVOICE.exe, 00000000.00000002.1044392231.00000000046F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: INVOICE.exe, 00000000.00000002.1044392231.00000000046F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: INVOICE.exe, 00000000.00000002.1044392231.00000000046F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: INVOICE.exe, 00000000.00000002.1044392231.00000000046F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: INVOICE.exe, 00000000.00000002.1044392231.00000000046F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: INVOICE.exe, 00000000.00000002.1044392231.00000000046F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: INVOICE.exe, 00000000.00000002.1044392231.00000000046F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000003.00000003.1281811492.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1421171892.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1283756923.000000000143A000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1282689467.000000000143A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: INVOICE.exe, 00000000.00000002.1042576005.0000000000658000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exell
Source: INVOICE.exe, 00000000.00000002.1044105230.0000000002C51000.00000004.00000800.00020000.00000000.sdmp, INVOICE.exe, 00000000.00000002.1042576005.0000000000658000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: INVOICE.exe, 00000000.00000002.1044392231.00000000046F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: CasPol.exe, 00000003.00000003.1281441617.00000000013F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWxQD
Source: INVOICE.exe, 00000000.00000002.1044392231.00000000046F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: INVOICE.exe, 00000000.00000002.1044105230.0000000002C51000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dll
Source: INVOICE.exe, 00000000.00000002.1044392231.00000000046F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: INVOICE.exe, 00000000.00000002.1044392231.00000000046F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_73E81BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_73E81BFF
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B516A6 rdtsc 0_2_02B516A6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B5D2E9 mov eax, dword ptr fs:[00000030h] 0_2_02B5D2E9
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B57647 mov eax, dword ptr fs:[00000030h] 0_2_02B57647
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B654B6 mov eax, dword ptr fs:[00000030h] 0_2_02B654B6
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B65DEA mov eax, dword ptr fs:[00000030h] 0_2_02B65DEA
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B67564 mov eax, dword ptr fs:[00000030h] 0_2_02B67564
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_02B5756F mov eax, dword ptr fs:[00000030h] 0_2_02B5756F
Source: C:\Users\user\Desktop\INVOICE.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\INVOICE.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe base: 1130000
Source: C:\Users\user\Desktop\INVOICE.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\INVOICE.exe"
Source: CasPol.exe, 00000003.00000003.1370784061.000000001FB93000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1421872750.000000001FB94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: CasPol.exe, 00000003.00000003.1384972030.000000001FBCB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1152271111.000000001FBCB000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.1367482997.000000001FBCB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager.NET\Framework\v2.0.50727\en\SurveillanceExClientPlugin.resources.EXE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\INVOICE.exe Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040352D