Windows Analysis Report
SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.W32.AIDetect.malware2.20966.exe
Analysis ID:	634648
MD5:	64d7de9ac600402c1f3e5b9849cbd12c
SHA1:	961f113b32ce2f0958ec5fcccf5489524cf30348
SHA256:	da36f8024e0a8b325dbd71aceed611d0cc8000af85346ceea1bd2a2cf1a73eb6
Infos:

Detection

NanoCore, GuLoader

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Yara detected GuLoader

Snort IDS alert for network traffic

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

PE / OLE file has an invalid certificate

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Signatures

AV Detection

Found malware configuration

Source: 00000003.00000000.52242866721.0000000000E10000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://cdn.discordapp.com/attachments/963535165500588126/979323922124263434/NANO_uyUuDnXlo102.bin"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Virustotal: Detection: 7%

Perma Link

Source: Lib.Platform.Windows.Native.dll.1.dr

Binary or memory string: -----BEGIN PUBLIC KEY-----

Uses 32bit PE files

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Indianerhvding

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:49760 version: TLS 1.2

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: CasPol.exe, 00000003.00000003.52802373816.00000000013B9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52760926233.00000000013B9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52699253340.00000000013B9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672748302.00000000013B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb?R source: CasPol.exe, 00000003.00000003.52801945154.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52760506590.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52698861975.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672351149.0000000001367000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Builds\219\N2\HO_NMDllHost_g_2016_r_0\Sources\NMDllHost_2016\src\NMDllHost\NMDllHost\x86\Release\NMDllHost.pdb source: NMDllHost.exe.1.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdb source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52899228955.000000000040A000.00000004.00000001.01000000.00000003.sdmp, athcfg20U.dll.1.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: CasPol.exe, 00000003.00000003.52801945154.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52760506590.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52698861975.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672351149.0000000001367000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Net.Http.pdb source: System.Net.Http.dll.1.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdbeSuppTypeVendorACAPI.initGlobalResources failed: %s source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52899228955.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: d:\Projects\AirVPN\Repo\eddie-air\src\Lib.Platform.Windows.Native\bin\x64\Release\Lib.Platform.Windows.Native.pdb source: Lib.Platform.Windows.Native.dll.1.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 1_2_00406873 FindFirstFileW,FindClose,	1_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 1_2_0040290B FindFirstFileW,	1_2_0040290B

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\Microsoft.NET\Framework\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\06e54f5fa1f15dd558eaf403cdcacad3\System.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5085e86702d2182b0d9417971c65ded2\System.Drawing.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ae952be8fa59744d6333aed90b72f162\System.Windows.Forms.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\Microsoft.NET\	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49761 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49761 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49762 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49762 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49765 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49765 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49767 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49767 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49769 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49769 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49770 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49770 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49771 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49771 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49773 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49773 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49774 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49774 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49776 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49776 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49777 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49777 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49778 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49778 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49779 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49779 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49781 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49781 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49782 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49782 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49783 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49783 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49784 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49784 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49786 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49786 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49787 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49787 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49788 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49788 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49789 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49789 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49790 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49790 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49791 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49791 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49793 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49793 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49794 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49794 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49795 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49795 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49796 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49796 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49797 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49797 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49798 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49798 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49799 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49799 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49800 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49800 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49801 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49801 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49802 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49802 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49803 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49803 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49804 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49804 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49805 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49805 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49807 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49807 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49808 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49808 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49809 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49809 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49810 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49810 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49811 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49811 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49812 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49812 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49813 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49813 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49814 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49814 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49815 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49815 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49816 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49816 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49817 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49817 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49818 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49818 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49819 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49819 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49820 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49820 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49821 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49821 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49824 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49824 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49825 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49825 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49826 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49826 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49827 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49827 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49828 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49828 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49829 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49829 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49830 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49830 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49831 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49831 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49832 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49832 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49833 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49833 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49834 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49834 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49835 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49835 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49836 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49836 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49837 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49837 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49838 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49838 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49839 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49839 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49840 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49840 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49841 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49841 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49842 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49842 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49843 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49843 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49844 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49844 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49846 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49846 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49847 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49847 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49848 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49848 -> 23.105.131.186:6040

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://cdn.discordapp.com/attachments/963535165500588126/979323922124263434/NANO_uyUuDnXlo102.bin

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: LEASEWEB-USA-NYC-11US LEASEWEB-USA-NYC-11US

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 162.159.129.233 162.159.129.233
Source: Joe Sandbox View	IP Address: 162.159.129.233 162.159.129.233

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /attachments/963535165500588126/979323922124263434/NANO_uyUuDnXlo102.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdn.discordapp.comCache-Control: no-cache

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.11.20:49761 -> 23.105.131.186:6040

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, filename.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, filename.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Lib.Platform.Windows.Native.dll.1.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: CasPol.exe, 00000003.00000003.52405636119.000000000136B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52801945154.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52760506590.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52698861975.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672351149.0000000001367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 00000003.00000003.52405636119.000000000136B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52801945154.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52760506590.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52698861975.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672351149.0000000001367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Lib.Platform.Windows.Native.dll.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Lib.Platform.Windows.Native.dll.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, filename.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, filename.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Lib.Platform.Windows.Native.dll.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Lib.Platform.Windows.Native.dll.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, filename.exe.3.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Lib.Platform.Windows.Native.dll.1.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, filename.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, filename.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Lib.Platform.Windows.Native.dll.1.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://s2.symcb.com0
Source: SourceCodePro-Medium.otf.1.dr	String found in binary or memory: http://scripts.sil.org/OFLSource
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://sv.symcd.com0&
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://www.nero.com
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: CasPol.exe, 00000003.00000003.52671971734.0000000001335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/
Source: CasPol.exe, 00000003.00000003.52760234391.0000000001340000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672064010.0000000001340000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52801674515.0000000001340000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52698575011.0000000001340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/963535165500588126/979323922124263434/NANO_uyUuDnXlo102.bin
Source: CasPol.exe, 00000003.00000003.52760234391.0000000001340000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672064010.0000000001340000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52801674515.0000000001340000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52698575011.0000000001340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/963535165500588126/979323922124263434/NANO_uyUuDnXlo102.bin9
Source: Lib.Platform.Windows.Native.dll.1.dr	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: NMDllHost.exe.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: NMDllHost.exe.1.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Lib.Platform.Windows.Native.dll.1.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: Lib.Platform.Windows.Native.dll.1.dr	String found in binary or memory: https://sectigo.com/CPS0D

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Source: global traffic

Source: unknown

HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:49760 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 1_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_004056DE

Uses 32bit PE files

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 1_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_0040352D

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 1_2_0040755C	1_2_0040755C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 1_2_00406D85	1_2_00406D85
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 1_2_70051BFF	1_2_70051BFF

Abnormal high CPU Usage

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Process Stats: CPU usage > 98%

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52899228955.000000000040A000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameathcfg10.dll vs SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

PE file contains strange resources

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: edgegdi.dll			Jump to behavior

PE / OLE file has an invalid certificate

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: invalid certificate

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Virustotal: Detection: 7%

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

1_2_0040352D

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File created: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

File created: C:\Users\user\AppData\Local\Temp\nsgA890.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.troj.evad.winEXE@4/19@76/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 1_2_004021AA CoCreateInstance,

1_2_004021AA

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 1_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_0040498A

Source: System.Net.Http.dll.1.dr, System.Net.Http/HttpContent.cs	Task registration methods: 'CreateContentReadStreamAsync', 'CreateCompletedTask'
Source: System.Net.Http.dll.1.dr, System.Net.Http/ByteArrayContent.cs	Task registration methods: 'CreateContentReadStreamAsync'
Source: System.Net.Http.dll.1.dr, System.Net.Http/StreamContent.cs	Task registration methods: 'CreateContentReadStreamAsync'

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{7e80ce5b-f074-4338-b361-96c1d0c70f76}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1776:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

File written: C:\Users\user\AppData\Local\Temp\Bolson210.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Indianerhvding

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: CasPol.exe, 00000003.00000003.52802373816.00000000013B9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52760926233.00000000013B9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52699253340.00000000013B9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672748302.00000000013B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb?R source: CasPol.exe, 00000003.00000003.52801945154.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52760506590.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52698861975.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672351149.0000000001367000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Builds\219\N2\HO_NMDllHost_g_2016_r_0\Sources\NMDllHost_2016\src\NMDllHost\NMDllHost\x86\Release\NMDllHost.pdb source: NMDllHost.exe.1.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdb source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52899228955.000000000040A000.00000004.00000001.01000000.00000003.sdmp, athcfg20U.dll.1.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: CasPol.exe, 00000003.00000003.52801945154.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52760506590.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52698861975.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672351149.0000000001367000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Net.Http.pdb source: System.Net.Http.dll.1.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdbeSuppTypeVendorACAPI.initGlobalResources failed: %s source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52899228955.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: d:\Projects\AirVPN\Repo\eddie-air\src\Lib.Platform.Windows.Native\bin\x64\Release\Lib.Platform.Windows.Native.pdb source: Lib.Platform.Windows.Native.dll.1.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000003.00000000.52242866721.0000000000E10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.52901204008.0000000002B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 1_2_700530C0 push eax; ret

1_2_700530EE

PE file contains sections with non-standard names

Source: NMDllHost.exe.1.dr

Static PE information: section name: .shared

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 1_2_70051BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_70051BFF

Drops PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File created: C:\Users\user\AppData\Local\Temp\NMDllHost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File created: C:\Users\user\AppData\Local\Temp\nsiAE0F.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File created: C:\Users\user\AppData\Local\Temp\athcfg20U.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File created: C:\Users\user\AppData\Local\Temp\Lib.Platform.Windows.Native.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File created: C:\Users\user\AppData\Local\Temp\System.Net.Http.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52900478180.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901444551.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52900478180.00000000006B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901444551.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 396	Thread sleep time: -1844674407370954s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 392	Thread sleep time: -280000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\NMDllHost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\athcfg20U.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Lib.Platform.Windows.Native.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Net.Http.dll	Jump to dropped file

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Window / User API: threadDelayed 394	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Window / User API: threadDelayed 1049	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Window / User API: foregroundWindowGot 1367	Jump to behavior

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

File opened / queried: C:\Users\user\AppData\Local\Temp\vmmemctl.inf

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 1_2_00406873 FindFirstFileW,FindClose,	1_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 1_2_0040290B FindFirstFileW,	1_2_0040290B

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\Microsoft.NET\Framework\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\06e54f5fa1f15dd558eaf403cdcacad3\System.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5085e86702d2182b0d9417971c65ded2\System.Drawing.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ae952be8fa59744d6333aed90b72f162\System.Windows.Forms.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\Microsoft.NET\	Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52900388286.0000000000676000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Extract: vmmemctl.inf... 100%k
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: vmmemctl.inf.1.dr	Binary or memory string: loc.Disk1 = "VMMemCtl Source Media"
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: vmmemctl.inf.1.dr	Binary or memory string: [VMMemCtl.DriverFiles]
Source: vmmemctl.inf.1.dr	Binary or memory string: DriverPackageDisplayName = %loc.VMMemCtlServiceDisplayName%
Source: vmmemctl.inf.1.dr	Binary or memory string: loc.VMMemCtlServiceDisplayName = "Memory Control Driver"
Source: vmmemctl.inf.1.dr	Binary or memory string: DelService = %VMMemCtlServiceName%,0x204
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: vmmemctl.inf.1.dr	Binary or memory string: CatalogFile = vmmemctl.cat
Source: CasPol.exe, 00000003.00000003.52801779606.000000000134D000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52698691300.000000000134D000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672166075.000000000134D000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52760335613.000000000134D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: vmmemctl.inf.1.dr	Binary or memory string: [VMMemCtl.Service]
Source: vmmemctl.inf.1.dr	Binary or memory string: vmmemctl.sys
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52900478180.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901444551.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: vmmemctl.inf.1.dr	Binary or memory string: [VMMemCtl.AddRegistry]
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901444551.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dll
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52900478180.00000000006B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: vmmemctl.inf.1.dr	Binary or memory string: VMwareProvider = "VMware, Inc."
Source: vmmemctl.inf.1.dr	Binary or memory string: ServiceBinary = %12%\vmmemctl.sys ;%windir%\system32\drivers\vmmemctl.sys
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: vmmemctl.inf.1.dr	Binary or memory string: DisplayName = %loc.VMMemCtlServiceDisplayName%
Source: vmmemctl.inf.1.dr	Binary or memory string: DelFiles = VMMemCtl.DriverFiles
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: vmmemctl.inf.1.dr	Binary or memory string: CopyFiles = VMMemCtl.DriverFiles
Source: vmmemctl.inf.1.dr	Binary or memory string: AddReg = VMMemCtl.AddRegistry
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: vmmemctl.inf.1.dr	Binary or memory string: DelReg = VMMemCtl.DelRegistry
Source: vmmemctl.inf.1.dr	Binary or memory string: VMMemCtlServiceName = "VMMemCtl"
Source: vmmemctl.inf.1.dr	Binary or memory string: vmmemctl.sys = 1
Source: vmmemctl.inf.1.dr	Binary or memory string: OptionDesc = %loc.VMMemCtlServiceDesc%
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: vmmemctl.inf.1.dr	Binary or memory string: loc.VMMemCtlServiceDesc = "Driver to provide enhanced memory management of this virtual machine."
Source: vmmemctl.inf.1.dr	Binary or memory string: ; Copyright (c) 1999-2019 VMware, Inc. All rights reserved.
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: vmmemctl.inf.1.dr	Binary or memory string: [VMMemCtl.DelRegistry]
Source: vmmemctl.inf.1.dr	Binary or memory string: AddService = %VMMemCtlServiceName%,0x800,VMMemCtl.Service ; SPSVCINST_STARTSERVICE
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52900014831.0000000000638000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Nonarguable.JAPGooCanvas-3.0.typelibfarme.Fej5Lib.Platform.Windows.Native.dllNMDllHost.exeSourceCodePro-Medium.otfSystem.Net.Http.dllathcfg20U.dllaudio-volume-high.pngbattery-level-10-symbolic.symbolic.pngedit-clear-rtl.pngnetwork-wireless-hotspot-symbolic.symbolic.pngvmmemctl.inf
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: vmmemctl.inf.1.dr	Binary or memory string: ; vmmemctl.inf
Source: vmmemctl.inf.1.dr	Binary or memory string: Description = %loc.VMMemCtlServiceDesc%
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: vmmemctl.inf.1.dr	Binary or memory string: Provider = %VMwareProvider%

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 1_2_70051BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_70051BFF

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Process token adjusted: Debug

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe"

Jump to behavior

Source: CasPol.exe, 00000003.00000003.53029590993.000000001FA2A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52937361706.000000001FA29000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.53407120961.000000001F9E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: CasPol.exe, 00000003.00000003.52931123472.000000001F9E4000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52434722881.000000001F9E4000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52549155852.000000001F9E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager.NET\Framework\v2.0.50727\.50727/en-US/SurveillanceExClientPlugin.resources/SurveillanceExClientPlugin.resources.EXEw

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

1_2_0040352D

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.159.129.233	cdn.discordapp.com	United States		13335	CLOUDFLARENETUS	false
23.105.131.186	ratagain.gleeze.com	United States		396362	LEASEWEB-USA-NYC-11US	true

Contacted Domains

Name	IP	Active
cdn.discordapp.com	162.159.129.233	true
ratagain.gleeze.com	23.105.131.186	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cdn.discordapp.com/attachments/963535165500588126/979323922124263434/NANO_uyUuDnXlo102.bin	false		high

AV Detection

Found malware configuration

Source: 00000003.00000000.52242866721.0000000000E10000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://cdn.discordapp.com/attachments/963535165500588126/979323922124263434/NANO_uyUuDnXlo102.bin"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Virustotal: Detection: 7%

Perma Link

Source: Lib.Platform.Windows.Native.dll.1.dr

Binary or memory string: -----BEGIN PUBLIC KEY-----

Uses 32bit PE files

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Indianerhvding

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:49760 version: TLS 1.2

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: CasPol.exe, 00000003.00000003.52802373816.00000000013B9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52760926233.00000000013B9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52699253340.00000000013B9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672748302.00000000013B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb?R source: CasPol.exe, 00000003.00000003.52801945154.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52760506590.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52698861975.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672351149.0000000001367000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Builds\219\N2\HO_NMDllHost_g_2016_r_0\Sources\NMDllHost_2016\src\NMDllHost\NMDllHost\x86\Release\NMDllHost.pdb source: NMDllHost.exe.1.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdb source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52899228955.000000000040A000.00000004.00000001.01000000.00000003.sdmp, athcfg20U.dll.1.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: CasPol.exe, 00000003.00000003.52801945154.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52760506590.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52698861975.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672351149.0000000001367000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Net.Http.pdb source: System.Net.Http.dll.1.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdbeSuppTypeVendorACAPI.initGlobalResources failed: %s source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52899228955.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: d:\Projects\AirVPN\Repo\eddie-air\src\Lib.Platform.Windows.Native\bin\x64\Release\Lib.Platform.Windows.Native.pdb source: Lib.Platform.Windows.Native.dll.1.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 1_2_00406873 FindFirstFileW,FindClose,	1_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 1_2_0040290B FindFirstFileW,	1_2_0040290B

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\Microsoft.NET\Framework\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\06e54f5fa1f15dd558eaf403cdcacad3\System.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5085e86702d2182b0d9417971c65ded2\System.Drawing.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ae952be8fa59744d6333aed90b72f162\System.Windows.Forms.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\Microsoft.NET\	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49761 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49761 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49762 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49762 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49765 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49765 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49767 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49767 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49769 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49769 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49770 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49770 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49771 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49771 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49773 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49773 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49774 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49774 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49776 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49776 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49777 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49777 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49778 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49778 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49779 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49779 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49781 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49781 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49782 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49782 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49783 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49783 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49784 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49784 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49786 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49786 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49787 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49787 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49788 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49788 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49789 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49789 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49790 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49790 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49791 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49791 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49793 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49793 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49794 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49794 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49795 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49795 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49796 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49796 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49797 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49797 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49798 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49798 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49799 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49799 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49800 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49800 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49801 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49801 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49802 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49802 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49803 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49803 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49804 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49804 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49805 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49805 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49807 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49807 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49808 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49808 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49809 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49809 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49810 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49810 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49811 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49811 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49812 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49812 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49813 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49813 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49814 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49814 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49815 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49815 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49816 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49816 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49817 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49817 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49818 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49818 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49819 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49819 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49820 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49820 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49821 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49821 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49824 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49824 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49825 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49825 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49826 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49826 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49827 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49827 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49828 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49828 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49829 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49829 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49830 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49830 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49831 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49831 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49832 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49832 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49833 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49833 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49834 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49834 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49835 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49835 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49836 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49836 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49837 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49837 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49838 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49838 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49839 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49839 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49840 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49840 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49841 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49841 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49842 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49842 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49843 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49843 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49844 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49844 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49846 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49846 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49847 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49847 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49848 -> 23.105.131.186:6040
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49848 -> 23.105.131.186:6040

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://cdn.discordapp.com/attachments/963535165500588126/979323922124263434/NANO_uyUuDnXlo102.bin

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: LEASEWEB-USA-NYC-11US LEASEWEB-USA-NYC-11US

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 162.159.129.233 162.159.129.233
Source: Joe Sandbox View	IP Address: 162.159.129.233 162.159.129.233

Uses a known web browser user agent for HTTP communication

Source: global traffic

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.11.20:49761 -> 23.105.131.186:6040

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, filename.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, filename.exe.3.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Lib.Platform.Windows.Native.dll.1.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: CasPol.exe, 00000003.00000003.52405636119.000000000136B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52801945154.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52760506590.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52698861975.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672351149.0000000001367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 00000003.00000003.52405636119.000000000136B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52801945154.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52760506590.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52698861975.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672351149.0000000001367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Lib.Platform.Windows.Native.dll.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Lib.Platform.Windows.Native.dll.1.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, filename.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, filename.exe.3.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Lib.Platform.Windows.Native.dll.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Lib.Platform.Windows.Native.dll.1.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, filename.exe.3.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Lib.Platform.Windows.Native.dll.1.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, filename.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, filename.exe.3.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Lib.Platform.Windows.Native.dll.1.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://s2.symcb.com0
Source: SourceCodePro-Medium.otf.1.dr	String found in binary or memory: http://scripts.sil.org/OFLSource
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://sv.symcd.com0&
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://www.nero.com
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: NMDllHost.exe.1.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: CasPol.exe, 00000003.00000003.52671971734.0000000001335000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/
Source: CasPol.exe, 00000003.00000003.52760234391.0000000001340000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672064010.0000000001340000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52801674515.0000000001340000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52698575011.0000000001340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/963535165500588126/979323922124263434/NANO_uyUuDnXlo102.bin
Source: CasPol.exe, 00000003.00000003.52760234391.0000000001340000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672064010.0000000001340000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52801674515.0000000001340000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52698575011.0000000001340000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/963535165500588126/979323922124263434/NANO_uyUuDnXlo102.bin9
Source: Lib.Platform.Windows.Native.dll.1.dr	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: NMDllHost.exe.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: NMDllHost.exe.1.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Lib.Platform.Windows.Native.dll.1.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: Lib.Platform.Windows.Native.dll.1.dr	String found in binary or memory: https://sectigo.com/CPS0D

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Source: global traffic

Source: unknown

HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:49760 version: TLS 1.2

Contains functionality for read data from the clipboard

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

1_2_004056DE

Uses 32bit PE files

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Contains functionality to shutdown / reboot the system

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

1_2_0040352D

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 1_2_0040755C	1_2_0040755C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 1_2_00406D85	1_2_00406D85
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 1_2_70051BFF	1_2_70051BFF

Abnormal high CPU Usage

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Process Stats: CPU usage > 98%

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52899228955.000000000040A000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameathcfg10.dll vs SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

PE file contains strange resources

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: edgegdi.dll			Jump to behavior

PE / OLE file has an invalid certificate

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: invalid certificate

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Virustotal: Detection: 7%

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

1_2_0040352D

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File created: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

File created: C:\Users\user\AppData\Local\Temp\nsgA890.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.troj.evad.winEXE@4/19@76/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 1_2_004021AA CoCreateInstance,

1_2_004021AA

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 1_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_0040498A

Source: System.Net.Http.dll.1.dr, System.Net.Http/HttpContent.cs	Task registration methods: 'CreateContentReadStreamAsync', 'CreateCompletedTask'
Source: System.Net.Http.dll.1.dr, System.Net.Http/ByteArrayContent.cs	Task registration methods: 'CreateContentReadStreamAsync'
Source: System.Net.Http.dll.1.dr, System.Net.Http/StreamContent.cs	Task registration methods: 'CreateContentReadStreamAsync'

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{7e80ce5b-f074-4338-b361-96c1d0c70f76}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1776:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

File written: C:\Users\user\AppData\Local\Temp\Bolson210.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Indianerhvding

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll

Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: CasPol.exe, 00000003.00000003.52802373816.00000000013B9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52760926233.00000000013B9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52699253340.00000000013B9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672748302.00000000013B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb?R source: CasPol.exe, 00000003.00000003.52801945154.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52760506590.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52698861975.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672351149.0000000001367000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Builds\219\N2\HO_NMDllHost_g_2016_r_0\Sources\NMDllHost_2016\src\NMDllHost\NMDllHost\x86\Release\NMDllHost.pdb source: NMDllHost.exe.1.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdb source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52899228955.000000000040A000.00000004.00000001.01000000.00000003.sdmp, athcfg20U.dll.1.dr
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: CasPol.exe, 00000003.00000003.52801945154.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52760506590.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52698861975.0000000001367000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672351149.0000000001367000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Net.Http.pdb source: System.Net.Http.dll.1.dr
Source:	Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdbeSuppTypeVendorACAPI.initGlobalResources failed: %s source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52899228955.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source:	Binary string: d:\Projects\AirVPN\Repo\eddie-air\src\Lib.Platform.Windows.Native\bin\x64\Release\Lib.Platform.Windows.Native.pdb source: Lib.Platform.Windows.Native.dll.1.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000003.00000000.52242866721.0000000000E10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.52901204008.0000000002B10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 1_2_700530C0 push eax; ret

1_2_700530EE

PE file contains sections with non-standard names

Source: NMDllHost.exe.1.dr

Static PE information: section name: .shared

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 1_2_70051BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_70051BFF

Drops PE files

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File created: C:\Users\user\AppData\Local\Temp\NMDllHost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File created: C:\Users\user\AppData\Local\Temp\nsiAE0F.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File created: C:\Users\user\AppData\Local\Temp\athcfg20U.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File created: C:\Users\user\AppData\Local\Temp\Lib.Platform.Windows.Native.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File created: C:\Users\user\AppData\Local\Temp\System.Net.Http.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52900478180.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901444551.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52900478180.00000000006B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901444551.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 396	Thread sleep time: -1844674407370954s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 392	Thread sleep time: -280000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\NMDllHost.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\athcfg20U.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Lib.Platform.Windows.Native.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Net.Http.dll	Jump to dropped file

Contains long sleeps (>= 3 min)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Window / User API: threadDelayed 394	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Window / User API: threadDelayed 1049	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Window / User API: foregroundWindowGot 1367	Jump to behavior

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

File opened / queried: C:\Users\user\AppData\Local\Temp\vmmemctl.inf

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 1_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 1_2_00406873 FindFirstFileW,FindClose,	1_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Code function: 1_2_0040290B FindFirstFileW,	1_2_0040290B

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\Microsoft.NET\Framework\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\06e54f5fa1f15dd558eaf403cdcacad3\System.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5085e86702d2182b0d9417971c65ded2\System.Drawing.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ae952be8fa59744d6333aed90b72f162\System.Windows.Forms.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Windows\Microsoft.NET\	Jump to behavior

Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52900388286.0000000000676000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Extract: vmmemctl.inf... 100%k
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: vmmemctl.inf.1.dr	Binary or memory string: loc.Disk1 = "VMMemCtl Source Media"
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: vmmemctl.inf.1.dr	Binary or memory string: [VMMemCtl.DriverFiles]
Source: vmmemctl.inf.1.dr	Binary or memory string: DriverPackageDisplayName = %loc.VMMemCtlServiceDisplayName%
Source: vmmemctl.inf.1.dr	Binary or memory string: loc.VMMemCtlServiceDisplayName = "Memory Control Driver"
Source: vmmemctl.inf.1.dr	Binary or memory string: DelService = %VMMemCtlServiceName%,0x204
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: vmmemctl.inf.1.dr	Binary or memory string: CatalogFile = vmmemctl.cat
Source: CasPol.exe, 00000003.00000003.52801779606.000000000134D000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52698691300.000000000134D000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52672166075.000000000134D000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52760335613.000000000134D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: vmmemctl.inf.1.dr	Binary or memory string: [VMMemCtl.Service]
Source: vmmemctl.inf.1.dr	Binary or memory string: vmmemctl.sys
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52900478180.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901444551.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: vmmemctl.inf.1.dr	Binary or memory string: [VMMemCtl.AddRegistry]
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901444551.0000000002C11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dll
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52900478180.00000000006B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: vmmemctl.inf.1.dr	Binary or memory string: VMwareProvider = "VMware, Inc."
Source: vmmemctl.inf.1.dr	Binary or memory string: ServiceBinary = %12%\vmmemctl.sys ;%windir%\system32\drivers\vmmemctl.sys
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: vmmemctl.inf.1.dr	Binary or memory string: DisplayName = %loc.VMMemCtlServiceDisplayName%
Source: vmmemctl.inf.1.dr	Binary or memory string: DelFiles = VMMemCtl.DriverFiles
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: vmmemctl.inf.1.dr	Binary or memory string: CopyFiles = VMMemCtl.DriverFiles
Source: vmmemctl.inf.1.dr	Binary or memory string: AddReg = VMMemCtl.AddRegistry
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: vmmemctl.inf.1.dr	Binary or memory string: DelReg = VMMemCtl.DelRegistry
Source: vmmemctl.inf.1.dr	Binary or memory string: VMMemCtlServiceName = "VMMemCtl"
Source: vmmemctl.inf.1.dr	Binary or memory string: vmmemctl.sys = 1
Source: vmmemctl.inf.1.dr	Binary or memory string: OptionDesc = %loc.VMMemCtlServiceDesc%
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: vmmemctl.inf.1.dr	Binary or memory string: loc.VMMemCtlServiceDesc = "Driver to provide enhanced memory management of this virtual machine."
Source: vmmemctl.inf.1.dr	Binary or memory string: ; Copyright (c) 1999-2019 VMware, Inc. All rights reserved.
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: vmmemctl.inf.1.dr	Binary or memory string: [VMMemCtl.DelRegistry]
Source: vmmemctl.inf.1.dr	Binary or memory string: AddService = %VMMemCtlServiceName%,0x800,VMMemCtl.Service ; SPSVCINST_STARTSERVICE
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52900014831.0000000000638000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Nonarguable.JAPGooCanvas-3.0.typelibfarme.Fej5Lib.Platform.Windows.Native.dllNMDllHost.exeSourceCodePro-Medium.otfSystem.Net.Http.dllathcfg20U.dllaudio-volume-high.pngbattery-level-10-symbolic.symbolic.pngedit-clear-rtl.pngnetwork-wireless-hotspot-symbolic.symbolic.pngvmmemctl.inf
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: vmmemctl.inf.1.dr	Binary or memory string: ; vmmemctl.inf
Source: vmmemctl.inf.1.dr	Binary or memory string: Description = %loc.VMMemCtlServiceDesc%
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000001.00000002.52901815574.00000000046E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: vmmemctl.inf.1.dr	Binary or memory string: Provider = %VMwareProvider%

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Code function: 1_2_70051BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_70051BFF

Enables debug privileges

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Process token adjusted: Debug

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe"

Jump to behavior

Source: CasPol.exe, 00000003.00000003.53029590993.000000001FA2A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52937361706.000000001FA29000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.53407120961.000000001F9E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: CasPol.exe, 00000003.00000003.52931123472.000000001F9E4000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52434722881.000000001F9E4000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000003.00000003.52549155852.000000001F9E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager.NET\Framework\v2.0.50727\.50727/en-US/SurveillanceExClientPlugin.resources/SurveillanceExClientPlugin.resources.EXEw

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

1_2_0040352D

ID:	634648
Product:	CloudBasic
Start time:	15:53:31
Start date:	26.05.2022
Sample:	SecuriteInfo.com.W32.AIDetect.malware2.20966.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Architecture:	WINDOWS
MD5:	64d7de9ac600402c1f3e5b9849cbd12c
SHA1:	961f113b32ce2f0958ec5fcccf5489524cf30348
SHA256:	da36f8024e0a8b325dbd71aceed611d0cc8000af85346ceea1bd2a2cf1a73eb6
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\Bolson210.ini	ASCII text, with CRLF line terminators	D5E9EF9561789A05AFB528A1E6C7D9B7	B2C92096EE4103A58B41A0754F2E1F1BB823392C	8D2AE334DCB01E0A5EE1F9CA0689E68743E851B96E48A75ED5E20515D03D7FF5
C:\Users\user\AppData\Local\Temp\Efterkommelserne.lnk	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide	AA6BC79B220719BD39A82A8A4E4153C6	A2659B2897A78A5B32268DA79EBCAA71B04C23E7	44FD1BEE4ED2EB625483C2706DAB8341CAE84D22E043B9B05283A57413221E0A
C:\Users\user\AppData\Local\Temp\GooCanvas-3.0.typelib	HTML document, ASCII text, with CRLF line terminators	5343C1A8B203C162A3BF3870D9F50FD4	04B5B886C20D88B57EEA6D8FF882624A4AC1E51D	DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
C:\Users\user\AppData\Local\Temp\Lib.Platform.Windows.Native.dll	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	232371076A23379753EB776CF06FBE5D	6A5EA5D44E555AD392725E5AC3D80AF0137386E9	5940F9D18B9439ECBFCD6EDC60563D6F56623D03F09EAFA786C436185EF156BB
C:\Users\user\AppData\Local\Temp\NMDllHost.exe	PE32 executable (GUI) Intel 80386, for MS Windows	DBF787BD6E5CE77FB34FF281A144EB96	50B7799ECCA566BE35429828245D44CB04AD8885	CCBACEEA04837229C95C08274C747ABE069279AFB990DDD89EC743C42ADC0AD9
C:\Users\user\AppData\Local\Temp\Nonarguable.JAP	data	783896AB4BF80A78F5D6EF8CD5E67835	46C7FAB858B604A8CF50FE0F6612152A0D6743CA	49B6243080ED1C14B192FA5D7D9FC04C8A9992AD81E088C4B58B4934877F4618
C:\Users\user\AppData\Local\Temp\SourceCodePro-Medium.otf	OpenType font data	75D305F30919530A2C49AC362D2E2D34	B9EE4ACF9AC299FCADC4A074AEA0C0FD7888AA1D	CF5676ADA0FF425860EE60E3EE7AC4091C568D9FD9E3562D4BC7F06D5A78AD15
C:\Users\user\AppData\Local\Temp\System.Net.Http.dll	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows	DA9015DF320DCC2EDDEE493E20F639BA	5732E5722D2CB5A668ABC19AED6434852D0A4FC8	2294EBB89E749E7145628164913251B563EA6641A6CD1AE03FBCE55DA43F9B17
C:\Users\user\AppData\Local\Temp\athcfg20U.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	96CF937BBA21CB4D3203E15246837AE9	08B9BF57F8942CA98077B62BB0DBA0BD0AF2C952	398185CE130D689D5D2B2C3F179F540715F030D91246C876675E84456F1BA488
C:\Users\user\AppData\Local\Temp\audio-volume-high.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	5CE69BDF1125A922B6ED1FE28DCAF92B	10C925FAD32D7071A3D96608FD1A04ECDA1B4820	0537CF9335394EA509ED23021DAA44F781D380FEAA3947B9DD31C290BE706E1A
C:\Users\user\AppData\Local\Temp\battery-level-10-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	EBBCB008023C6C1B4EFAB0774A4BB19E	7C657C976D7D728E9D6D8F6A603F50B42D86C321	5FD17A236AF8B520DB2E34E44E71C3634CB8221E0A27617E522ECB8D0FF8EFF8
C:\Users\user\AppData\Local\Temp\directory\filename.exe	data	1A322630DE0DBCA059FD771A9CD9D863	1F4DDDF6F3E39A42A76B92CCE42FCC981647BC73	D2130DDAD7BD136450499EFEB7E4EF8D8C073AAD36FD0AAB1CD645C1458D3EBF
C:\Users\user\AppData\Local\Temp\edit-clear-rtl.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	0D948AEE5693D469DA3F0DCC0FCC009D	61A9DA78E129B3A98855E54F837025CA20DF8017	85D3314527708E953C393ABE52AD6A7AD63BDA7A31353CE0380CC775AA781A6F
C:\Users\user\AppData\Local\Temp\farme.Fej5	ASCII text, with very long lines, with no line terminators	B067370FD071B16223FA8E1E5A1474EE	4460E6972EE4AEC56907FC10879ED2616E10409A	57197A007044FBC9E7EE63D5C69291EF7A6241C9A71EFAC545C02D18966BFD7C
C:\Users\user\AppData\Local\Temp\network-wireless-hotspot-symbolic.symbolic.png	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	D8FFE7BA5669DE024607E64126DDFFEC	D1993BB12041E4C3F7CF45AFB2DBCFB74A544C0D	2A6FD48DE810DE4BD61BD26DDAECCB6C6C9204CB4D213EBE1ACB560054911CDD
C:\Users\user\AppData\Local\Temp\nsiAE0F.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	CFF85C549D536F651D4FB8387F1976F2	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
C:\Users\user\AppData\Local\Temp\vmmemctl.inf	ASCII text, with CRLF line terminators	4BCE488F7C4E00ED71170C7D0A593663	F49F1FD072D650A8A5DD1F026E003CEE85420BC8	17365C633230CD05375125AA6C710B76900E2B93D87D14E1F9F2338C3B3BEA1A
C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\catalog.dat	data	32D0AAE13696FF7F8AF33B2D22451028	EF80C4E0DB2AE8EF288027C9D3518E6950B583A4	5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB\run.dat	data	3A5EAF0A700BDF9302CA712650C61A17	D4B206EA1D5493B9010C390BEE33F040DFE3E398	1038EF03DC82A289928DE25E2B99B0184A358DEA132EA03B1253C9C65927226E

Windows Analysis Report
SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware2.20966.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.W32.AIDetect.malware2.20966.exe