Windows Analysis Report
SecuriteInfo.com.W32.AIDetect.malware2.23037.exe

Overview

General Information

Sample Name: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe
Analysis ID: 634855
MD5: be43b751bd103fe5a64b4e0aa7a30060
SHA1: ab293504fe7636c3cfc74718973bbd1cbca05fb4
SHA256: 87eefb05fd8c133f8a0059e1bc695f652a2f7b0c297386d7a08fb37bdb76009b
Infos:

Detection

NanoCore, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected GuLoader
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
PE / OLE file has an invalid certificate
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Found malware configuration
Source: 00000004.00000000.213653060266.0000000000630000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://cdn.discordapp.com/attachments/963535165500588126/979423160845869128/nanoexp_bWgaxBaEn43.bin"}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Virustotal: Detection: 10% Perma Link
Source: Lib.Platform.Windows.Native.dll.2.dr Binary or memory string: -----BEGIN PUBLIC KEY-----
Uses 32bit PE files
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Indianerhvding Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:49767 version: TLS 1.2
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Builds\219\N2\HO_NMDllHost_g_2016_r_0\Sources\NMDllHost_2016\src\NMDllHost\NMDllHost\x86\Release\NMDllHost.pdb source: NMDllHost.exe.2.dr
Source: Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdb source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000002.00000002.213831352269.000000000040A000.00000004.00000001.01000000.00000003.sdmp, athcfg20U.dll.2.dr
Source: Binary string: System.Net.Http.pdb source: System.Net.Http.dll.2.dr
Source: Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdbeSuppTypeVendorACAPI.initGlobalResources failed: %s source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000002.00000002.213831352269.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: d:\Projects\AirVPN\Repo\eddie-air\src\Lib.Platform.Windows.Native\bin\x64\Release\Lib.Platform.Windows.Native.pdb source: Lib.Platform.Windows.Native.dll.2.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_00406873 FindFirstFileW,FindClose, 2_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_0040290B FindFirstFileW, 2_2_0040290B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\06e54f5fa1f15dd558eaf403cdcacad3\System.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5085e86702d2182b0d9417971c65ded2\System.Drawing.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ae952be8fa59744d6333aed90b72f162\System.Windows.Forms.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\ Jump to behavior

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49768 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49768 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49769 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49769 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49771 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49771 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49775 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49775 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49780 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49780 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49782 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49782 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49783 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49783 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49783 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49784 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49784 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49786 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49786 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49787 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49787 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49788 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49788 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 23.105.131.228:5218 -> 192.168.11.20:49788
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49790 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49790 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49791 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49791 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49792 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49792 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49796 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49796 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49797 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49797 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49799 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49799 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49800 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49800 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49801 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 23.105.131.228:5218 -> 192.168.11.20:49801
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49801 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49802 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49802 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49802 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49803 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49803 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49804 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49804 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49806 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49806 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49807 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49807 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49808 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49808 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49809 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49809 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49810 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49810 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49811 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49811 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49812 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49812 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49813 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49813 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49814 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49814 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49815 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49815 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49816 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49816 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49817 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49817 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49819 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49819 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49820 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49820 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49821 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49821 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49822 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49822 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49823 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49823 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49824 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49824 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49825 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49825 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49826 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49826 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49827 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49827 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49828 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49828 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49829 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49829 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 23.105.131.228:5218 -> 192.168.11.20:49829
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49830 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49830 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49831 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49831 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49832 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49832 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49833 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49833 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49834 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49834 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49835 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49835 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49835 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49836 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49836 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49837 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49837 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49838 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49838 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49839 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49839 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49840 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49840 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49842 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49842 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49843 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49843 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49843 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49844 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49844 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49845 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49845 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49846 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49846 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49847 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49847 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49848 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49848 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49852 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49852 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49853 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49853 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 23.105.131.228:5218 -> 192.168.11.20:49853
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49854 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49854 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49855 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49855 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49856 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49856 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49857 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49857 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49858 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49858 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49859 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49859 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.11.20:49859 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49860 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49860 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49861 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49861 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49862 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49862 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49863 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49863 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49864 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49864 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.11.20:49865 -> 23.105.131.228:5218
Source: Traffic Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.11.20:49865 -> 23.105.131.228:5218
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://cdn.discordapp.com/attachments/963535165500588126/979423160845869128/nanoexp_bWgaxBaEn43.bin
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LEASEWEB-USA-NYC-11US LEASEWEB-USA-NYC-11US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 23.105.131.228 23.105.131.228
Source: Joe Sandbox View IP Address: 162.159.129.233 162.159.129.233
Source: Joe Sandbox View IP Address: 162.159.129.233 162.159.129.233
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /attachments/963535165500588126/979423160845869128/nanoexp_bWgaxBaEn43.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdn.discordapp.comCache-Control: no-cache
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49768 -> 23.105.131.228:5218
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, Militrpoliti2.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, Militrpoliti2.exe.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Lib.Platform.Windows.Native.dll.2.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: CasPol.exe, 00000004.00000003.213808760129.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.214076230540.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.214141314816.00000000007FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 00000004.00000003.213808760129.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.214076230540.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.214141314816.00000000007FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Lib.Platform.Windows.Native.dll.2.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: Lib.Platform.Windows.Native.dll.2.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: NMDllHost.exe.2.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, Militrpoliti2.exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, Militrpoliti2.exe.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Lib.Platform.Windows.Native.dll.2.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: Lib.Platform.Windows.Native.dll.2.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, Militrpoliti2.exe.4.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Lib.Platform.Windows.Native.dll.2.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, Militrpoliti2.exe.4.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, Militrpoliti2.exe.4.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: Lib.Platform.Windows.Native.dll.2.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: NMDllHost.exe.2.dr String found in binary or memory: http://ocsp.thawte.com0
Source: NMDllHost.exe.2.dr String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: NMDllHost.exe.2.dr String found in binary or memory: http://s2.symcb.com0
Source: SourceCodePro-Medium.otf.2.dr String found in binary or memory: http://scripts.sil.org/OFLSource
Source: NMDllHost.exe.2.dr String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: NMDllHost.exe.2.dr String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: NMDllHost.exe.2.dr String found in binary or memory: http://sv.symcd.com0&
Source: NMDllHost.exe.2.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: NMDllHost.exe.2.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: NMDllHost.exe.2.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: NMDllHost.exe.2.dr String found in binary or memory: http://www.nero.com
Source: NMDllHost.exe.2.dr String found in binary or memory: http://www.symauth.com/cps0(
Source: NMDllHost.exe.2.dr String found in binary or memory: http://www.symauth.com/rpa00
Source: CasPol.exe, 00000004.00000003.214075868688.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.214140695527.00000000007AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/
Source: CasPol.exe, 00000004.00000003.214140465902.0000000000792000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.214075728029.0000000000792000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/LQ%
Source: CasPol.exe, 00000004.00000003.214075936789.00000000007BB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/963535165500588126/979423160845869128/nanoexp_bWgaxBaEn43.bin
Source: CasPol.exe, 00000004.00000003.214140465902.0000000000792000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.214075728029.0000000000792000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/dQ
Source: Lib.Platform.Windows.Native.dll.2.dr String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: NMDllHost.exe.2.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: NMDllHost.exe.2.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: Lib.Platform.Windows.Native.dll.2.dr String found in binary or memory: https://sectigo.com/CPS0
Source: Lib.Platform.Windows.Native.dll.2.dr String found in binary or memory: https://sectigo.com/CPS0D
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
Source: global traffic HTTP traffic detected: GET /attachments/963535165500588126/979423160845869128/nanoexp_bWgaxBaEn43.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: cdn.discordapp.comCache-Control: no-cache
Source: unknown HTTPS traffic detected: 162.159.129.233:443 -> 192.168.11.20:49767 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 2_2_004056DE
Uses 32bit PE files
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_0040352D
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_0040755C 2_2_0040755C
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_00406D85 2_2_00406D85
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_6FE01BFF 2_2_6FE01BFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A43C12 2_2_02A43C12
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A48808 2_2_02A48808
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A5784A 2_2_02A5784A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A495A8 2_2_02A495A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A46B80 2_2_02A46B80
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A47DCB 2_2_02A47DCB
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A47DD6 2_2_02A47DD6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A54945 2_2_02A54945
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A4CB44 2_2_02A4CB44
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A58AD4 NtProtectVirtualMemory, 2_2_02A58AD4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A591DD NtResumeThread, 2_2_02A591DD
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000002.00000002.213831352269.000000000040A000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameathcfg10.dll vs SecuriteInfo.com.W32.AIDetect.malware2.23037.exe
PE file contains strange resources
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
PE / OLE file has an invalid certificate
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Static PE information: invalid certificate
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Virustotal: Detection: 10%
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Jump to behavior
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_0040352D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File created: C:\Users\user\AppData\Roaming\11389406-0377-47ED-98C7-D564E683C6EB Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe File created: C:\Users\user\AppData\Local\Temp\nsqF33A.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@4/19@78/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_004021AA CoCreateInstance, 2_2_004021AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 2_2_0040498A
Source: System.Net.Http.dll.2.dr, System.Net.Http/HttpContent.cs Task registration methods: 'CreateContentReadStreamAsync', 'CreateCompletedTask'
Source: System.Net.Http.dll.2.dr, System.Net.Http/ByteArrayContent.cs Task registration methods: 'CreateContentReadStreamAsync'
Source: System.Net.Http.dll.2.dr, System.Net.Http/StreamContent.cs Task registration methods: 'CreateContentReadStreamAsync'
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\ffc00a26ff38e37b47b2c75f92b48929\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{190cd7bb-eb81-4624-b859-1727ba707e97}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe File written: C:\Users\user\AppData\Local\Temp\Bolson210.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Indianerhvding Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_d08f9da24428a513\MSVCR80.dll Jump to behavior
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Builds\219\N2\HO_NMDllHost_g_2016_r_0\Sources\NMDllHost_2016\src\NMDllHost\NMDllHost\x86\Release\NMDllHost.pdb source: NMDllHost.exe.2.dr
Source: Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdb source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000002.00000002.213831352269.000000000040A000.00000004.00000001.01000000.00000003.sdmp, athcfg20U.dll.2.dr
Source: Binary string: System.Net.Http.pdb source: System.Net.Http.dll.2.dr
Source: Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdbeSuppTypeVendorACAPI.initGlobalResources failed: %s source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000002.00000002.213831352269.000000000040A000.00000004.00000001.01000000.00000003.sdmp
Source: Binary string: d:\Projects\AirVPN\Repo\eddie-air\src\Lib.Platform.Windows.Native\bin\x64\Release\Lib.Platform.Windows.Native.pdb source: Lib.Platform.Windows.Native.dll.2.dr

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000004.00000000.213653060266.0000000000630000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.213833253823.0000000002A40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_6FE030C0 push eax; ret 2_2_6FE030EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A43C12 push C26212D5h; retn 3481h 2_2_02A43CF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A420A6 pushad ; retf 2_2_02A420E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A43603 push 00000042h; retf 2_2_02A43610
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A4386C push ecx; retn 3C43h 2_2_02A439E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A43640 push 00000042h; retf 2_2_02A43610
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A435BC push 00000042h; retf 2_2_02A43610
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A47DBD push edi; ret 2_2_02A47DBF
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A42DE2 pushfd ; retf 2_2_02A53CC4
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A471C3 pushfd ; retf 2_2_02A53CC4
PE file contains sections with non-standard names
Source: NMDllHost.exe.2.dr Static PE information: section name: .shared
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_6FE01BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 2_2_6FE01BFF
Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe File created: C:\Users\user\AppData\Local\Temp\nsiF917.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe File created: C:\Users\user\AppData\Local\Temp\NMDllHost.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe File created: C:\Users\user\AppData\Local\Temp\athcfg20U.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe File created: C:\Users\user\AppData\Local\Temp\Lib.Platform.Windows.Native.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe File created: C:\Users\user\AppData\Local\Temp\System.Net.Http.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Fatigable Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Fatigable Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Fatigable Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Fatigable Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect Any.run
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000002.00000002.213833441632.0000000002B41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000002.00000002.213833441632.0000000002B41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 5800 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 5448 Thread sleep time: -220000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\NMDllHost.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\athcfg20U.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Lib.Platform.Windows.Native.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Net.Http.dll Jump to dropped file
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A49279 rdtsc 2_2_02A49279
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 441 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: threadDelayed 1054 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Window / User API: foregroundWindowGot 1422 Jump to behavior
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe File opened / queried: C:\Users\user\AppData\Local\Temp\vmmemctl.inf Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_00405C49
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_00406873 FindFirstFileW,FindClose, 2_2_00406873
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_0040290B FindFirstFileW, 2_2_0040290B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System\06e54f5fa1f15dd558eaf403cdcacad3\System.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\5085e86702d2182b0d9417971c65ded2\System.Drawing.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ae952be8fa59744d6333aed90b72f162\System.Windows.Forms.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\Microsoft.NET\ Jump to behavior
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000002.00000002.213833759841.00000000046A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: vmmemctl.inf.2.dr Binary or memory string: loc.Disk1 = "VMMemCtl Source Media"
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000002.00000002.213833759841.00000000046A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: vmmemctl.inf.2.dr Binary or memory string: [VMMemCtl.DriverFiles]
Source: vmmemctl.inf.2.dr Binary or memory string: DriverPackageDisplayName = %loc.VMMemCtlServiceDisplayName%
Source: vmmemctl.inf.2.dr Binary or memory string: loc.VMMemCtlServiceDisplayName = "Memory Control Driver"
Source: vmmemctl.inf.2.dr Binary or memory string: DelService = %VMMemCtlServiceName%,0x204
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000002.00000002.213833759841.00000000046A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: vmmemctl.inf.2.dr Binary or memory string: CatalogFile = vmmemctl.cat
Source: CasPol.exe, 00000004.00000003.214076072577.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.214141105918.00000000007D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: CasPol.exe, 00000004.00000003.214140465902.0000000000792000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.214075728029.0000000000792000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWhy}%SystemRoot%\system32\mswsock.dll
Source: vmmemctl.inf.2.dr Binary or memory string: [VMMemCtl.Service]
Source: vmmemctl.inf.2.dr Binary or memory string: vmmemctl.sys
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000002.00000002.213833441632.0000000002B41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: vmmemctl.inf.2.dr Binary or memory string: [VMMemCtl.AddRegistry]
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000002.00000002.213833759841.00000000046A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000002.00000002.213833441632.0000000002B41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dll
Source: vmmemctl.inf.2.dr Binary or memory string: VMwareProvider = "VMware, Inc."
Source: vmmemctl.inf.2.dr Binary or memory string: ServiceBinary = %12%\vmmemctl.sys ;%windir%\system32\drivers\vmmemctl.sys
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000002.00000002.213833759841.00000000046A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: vmmemctl.inf.2.dr Binary or memory string: DisplayName = %loc.VMMemCtlServiceDisplayName%
Source: vmmemctl.inf.2.dr Binary or memory string: DelFiles = VMMemCtl.DriverFiles
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000002.00000002.213833759841.00000000046A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: vmmemctl.inf.2.dr Binary or memory string: CopyFiles = VMMemCtl.DriverFiles
Source: vmmemctl.inf.2.dr Binary or memory string: AddReg = VMMemCtl.AddRegistry
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000002.00000002.213833759841.00000000046A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: vmmemctl.inf.2.dr Binary or memory string: DelReg = VMMemCtl.DelRegistry
Source: vmmemctl.inf.2.dr Binary or memory string: VMMemCtlServiceName = "VMMemCtl"
Source: vmmemctl.inf.2.dr Binary or memory string: vmmemctl.sys = 1
Source: vmmemctl.inf.2.dr Binary or memory string: OptionDesc = %loc.VMMemCtlServiceDesc%
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000002.00000002.213833759841.00000000046A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: vmmemctl.inf.2.dr Binary or memory string: loc.VMMemCtlServiceDesc = "Driver to provide enhanced memory management of this virtual machine."
Source: vmmemctl.inf.2.dr Binary or memory string: ; Copyright (c) 1999-2019 VMware, Inc. All rights reserved.
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000002.00000002.213833759841.00000000046A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: vmmemctl.inf.2.dr Binary or memory string: [VMMemCtl.DelRegistry]
Source: vmmemctl.inf.2.dr Binary or memory string: AddService = %VMMemCtlServiceName%,0x800,VMMemCtl.Service ; SPSVCINST_STARTSERVICE
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000002.00000002.213833759841.00000000046A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: vmmemctl.inf.2.dr Binary or memory string: ; vmmemctl.inf
Source: vmmemctl.inf.2.dr Binary or memory string: Description = %loc.VMMemCtlServiceDesc%
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000002.00000002.213833759841.00000000046A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: vmmemctl.inf.2.dr Binary or memory string: Provider = %VMwareProvider%
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_6FE01BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 2_2_6FE01BFF
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A49279 rdtsc 2_2_02A49279
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A56045 mov eax, dword ptr fs:[00000030h] 2_2_02A56045
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A5784A mov eax, dword ptr fs:[00000030h] 2_2_02A5784A
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A5570E mov eax, dword ptr fs:[00000030h] 2_2_02A5570E
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_02A4CB44 mov eax, dword ptr fs:[00000030h] 2_2_02A4CB44
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe base: 630000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe" Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe Code function: 2_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_0040352D
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 634855 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 26/05/2022 Architecture: WINDOWS Score: 100 29 cdn.discordapp.com 2->29 35 Snort IDS alert for network traffic 2->35 37 Found malware configuration 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 4 other signatures 2->41 8 SecuriteInfo.com.W32.AIDetect.malware2.23037.exe 3 34 2->8         started        signatures3 process4 file5 19 C:\Users\user\AppData\Local\...\System.dll, PE32 8->19 dropped 21 C:\Users\user\AppData\Local\...\athcfg20U.dll, PE32 8->21 dropped 23 C:\Users\user\AppData\...\System.Net.Http.dll, PE32 8->23 dropped 25 2 other files (none is malicious) 8->25 dropped 43 Writes to foreign memory regions 8->43 45 Tries to detect Any.run 8->45 12 CasPol.exe 1 18 8->12         started        signatures6 process7 dnsIp8 31 timenamoney.ooguy.com 23.105.131.228, 49768, 49769, 49771 LEASEWEB-USA-NYC-11US United States 12->31 33 cdn.discordapp.com 162.159.129.233, 443, 49767 CLOUDFLARENETUS United States 12->33 27 C:\Users\user\AppData\Roaming\...\run.dat, data 12->27 dropped 47 Tries to detect Any.run 12->47 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->49 17 conhost.exe 12->17         started        file9 signatures10 process11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
23.105.131.228
 timenamoney.ooguy.com United States
396362 LEASEWEB-USA-NYC-11US true
162.159.129.233
 cdn.discordapp.com United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
timenamoney.ooguy.com 23.105.131.228 true
cdn.discordapp.com 162.159.129.233 true