Windows Analysis Report
MACHINE SPECIFICATIONS.exe

Overview

General Information

Sample Name: MACHINE SPECIFICATIONS.exe
Analysis ID: 755960
MD5: 92945d0a2731ef771ea9d10c792e03e1
SHA1: 1eeef600b7b51ce7aa93e825be55b40f3ef8e319
SHA256: 46b61250c34b38d26ac5897217e6b70a222ff16318161c4e67c74c74491cc612
Tags: exe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Drops PE files
Uses a known web browser user agent for HTTP communication
Detected TCP or UDP traffic on non-standard ports
Creates a window with clipboard capturing capabilities
Uses FTP
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: MACHINE SPECIFICATIONS.exe Virustotal: Detection: 58% Perma Link
Source: MACHINE SPECIFICATIONS.exe ReversingLabs: Detection: 73%
Antivirus detection for URL or domain
Source: http://ftp.electrobist.com Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: MACHINE SPECIFICATIONS.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 10.0.CasPol.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 10.0.CasPol.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "FTP Host": "ftp://ftp.electrobist.com", "Username": "user1@electrobist.com", "Password": "w&oNc9e]pf~4"}
Source: unknown HTTPS traffic detected: 3.220.57.224:443 -> 192.168.2.3:49701 version: TLS 1.2
Source: MACHINE SPECIFICATIONS.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: caspol.pdbdv source: CasPol.exe, 0000000A.00000003.399059752.00000000059A9000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000B.00000000.387084223.0000000000802000.00000002.00000001.01000000.00000007.sdmp, newapp.exe.10.dr
Source: Binary string: caspol.pdb source: CasPol.exe, 0000000A.00000003.399059752.00000000059A9000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000B.00000000.387084223.0000000000802000.00000002.00000001.01000000.00000007.sdmp, newapp.exe.10.dr
Source: Binary string: C:\Users\Memm\Downloads\JesusIsTheLord\obj\Debug\Meme.pdb source: MACHINE SPECIFICATIONS.exe

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2029927 ET TROJAN AgentTesla Exfil via FTP 192.168.2.3:49702 -> 51.195.62.160:21
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.3:49703 -> 51.195.62.160:52259
May check the online IP address of the machine
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe DNS query: name: api.ipify.org
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 51.195.62.160 51.195.62.160
Source: Joe Sandbox View IP Address: 3.220.57.224 3.220.57.224
Source: Joe Sandbox View IP Address: 3.220.57.224 3.220.57.224
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49703 -> 51.195.62.160:52259
Uses FTP
Source: unknown FTP traffic detected: 51.195.62.160:21 -> 192.168.2.3:49702 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:20. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:20. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:20. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 15:20. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 0000000A.00000003.409423403.000000000592A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.779812564.000000000592A000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000003.399211019.000000000590A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 0000000A.00000002.772635350.0000000002B66000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.772655142.0000000002B6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ftp.electrobist.com
Source: CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xgrPBN.com
Source: CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.orgftp://ftp.electrobist.comuser1
Source: CasPol.exe, 0000000A.00000002.768390327.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000A.00000002.772635350.0000000002B66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://eyUBHCqVhczCNfHAY6U.org
Source: CasPol.exe, 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 3.220.57.224:443 -> 192.168.2.3:49701 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Jump to behavior
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 10.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0000000A.00000000.345984518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: CasPol.exe PID: 688, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
.NET source code contains very large array initializations
Source: 10.0.CasPol.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b209BAEF0u002dB9D1u002d4EDCu002d916Au002d070C59DE070Au007d/E2113872u002d1804u002d41A9u002d8E9Fu002d0420E9801409.cs Large array initialization: .cctor: array initializer size 11016
Yara signature match
Source: 10.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0000000A.00000000.345984518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: CasPol.exe PID: 688, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_023FFC48 10_2_023FFC48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_023F6D20 10_2_023F6D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05DF9708 10_2_05DF9708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05DFF2A0 10_2_05DFF2A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05DFBE50 10_2_05DFBE50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05DFB4E0 10_2_05DFB4E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05DF84B8 10_2_05DF84B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05DF8408 10_2_05DF8408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05DFD9A8 10_2_05DFD9A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05E90480 10_2_05E90480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05E92170 10_2_05E92170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05E9BC40 10_2_05E9BC40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05E95F40 10_2_05E95F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05E929C8 10_2_05E929C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05E92020 10_2_05E92020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05E9CA68 10_2_05E9CA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05EE3D4C 10_2_05EE3D4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05EE372C 10_2_05EE372C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05EE5668 10_2_05EE5668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05EEC1E0 10_2_05EEC1E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05EE0040 10_2_05EE0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05EEC054 10_2_05EEC054
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05EE33E4 10_2_05EE33E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05EED3A0 10_2_05EED3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05EE8B28 10_2_05EE8B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05EE3730 10_2_05EE3730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05E93958 10_2_05E93958
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 11_2_01130958 11_2_01130958
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Code function: 13_2_00C00958 13_2_00C00958
PE file does not import any functions
Source: MACHINE SPECIFICATIONS.exe Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: MACHINE SPECIFICATIONS.exe Binary or memory string: OriginalFilenameMeme.exe4 vs MACHINE SPECIFICATIONS.exe
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\newapp\newapp.exe 67F3FC243C58EEAE55BDDC22CE025B7841A89ACA2E201B999D8C0E4F07D177B8
Source: MACHINE SPECIFICATIONS.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: MACHINE SPECIFICATIONS.exe Virustotal: Detection: 58%
Source: MACHINE SPECIFICATIONS.exe ReversingLabs: Detection: 73%
Source: MACHINE SPECIFICATIONS.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\newapp\newapp.exe "C:\Users\user\AppData\Roaming\newapp\newapp.exe"
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MACHINE SPECIFICATIONS.exe.log Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Local\Temp\tmpA418.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/5@3/3
Source: newapp.exe.10.dr, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: newapp.exe.10.dr, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.0.newapp.exe.800000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 11.0.newapp.exe.800000.0.unpack, Microsoft.Tools.Caspol/caspol.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4764:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6132:120:WilError_01
Source: MACHINE SPECIFICATIONS.exe, C6ean/Ough6.cs Cryptographic APIs: 'CreateDecryptor'
Source: 10.0.CasPol.exe.400000.0.unpack, A/f2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.0.CasPol.exe.400000.0.unpack, A/f2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: MACHINE SPECIFICATIONS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: MACHINE SPECIFICATIONS.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: MACHINE SPECIFICATIONS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: caspol.pdbdv source: CasPol.exe, 0000000A.00000003.399059752.00000000059A9000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000B.00000000.387084223.0000000000802000.00000002.00000001.01000000.00000007.sdmp, newapp.exe.10.dr
Source: Binary string: caspol.pdb source: CasPol.exe, 0000000A.00000003.399059752.00000000059A9000.00000004.00000800.00020000.00000000.sdmp, newapp.exe, 0000000B.00000000.387084223.0000000000802000.00000002.00000001.01000000.00000007.sdmp, newapp.exe.10.dr
Source: Binary string: C:\Users\Memm\Downloads\JesusIsTheLord\obj\Debug\Meme.pdb source: MACHINE SPECIFICATIONS.exe
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05DFE6F9 pushfd ; ret 10_2_05DFE705
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05DF9C29 push 550241CFh; iretd 10_2_05DF9C85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05DF2A47 push edi; retn 0000h 10_2_05DF2A49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05E9517B push esp; ret 10_2_05E951D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05E9517B pushad ; ret 10_2_05E95225
Source: initial sample Static PE information: section name: .text entropy: 7.996815914318105
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File created: C:\Users\user\AppData\Roaming\newapp\newapp.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run newapp Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run newapp Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (67).png
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\newapp\newapp.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe TID: 5296 Thread sleep count: 299 > 30 Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe TID: 2400 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 1324 Thread sleep time: -7378697629483816s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2148 Thread sleep count: 9649 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 2100 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe TID: 1116 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 9649 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: CasPol.exe, 0000000A.00000003.399211019.000000000590A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 10_2_05DF7BF0 LdrInitializeThunk, 10_2_05DF7BF0
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 438000 Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 43E000 Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 2CD008 Jump to behavior
.NET source code references suspicious native API functions
Source: MACHINE SPECIFICATIONS.exe, C6ean/Ough6.cs Reference to suspicious API methods: ('Nic8', 'GetProcAddress@kernel32'), ('Ph2ne', 'VirtualProtect@kernel32.dll'), ('Joi3', 'LoadLibraryA@kernel32')
Source: 10.0.CasPol.exe.400000.0.unpack, A/C1.cs Reference to suspicious API methods: ('A', 'VirtualAllocExNuma@kernel32.dll')
Source: 10.0.CasPol.exe.400000.0.unpack, A/e2.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Queries volume information: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\newapp\newapp.exe Queries volume information: C:\Users\user\AppData\Roaming\newapp\newapp.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\MACHINE SPECIFICATIONS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 10.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.345984518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.768390327.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 688, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 0000000A.00000002.767841057.0000000002881000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.768390327.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 688, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 10.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.345984518.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.768390327.00000000028D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 688, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 755960 Sample: MACHINE SPECIFICATIONS.exe Startdate: 29/11/2022 Architecture: WINDOWS Score: 100 41 Snort IDS alert for network traffic 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Antivirus detection for URL or domain 2->45 47 6 other signatures 2->47 6 MACHINE SPECIFICATIONS.exe 3 2->6         started        10 newapp.exe 2 2->10         started        12 newapp.exe 1 2->12         started        process3 file4 23 C:\Users\...\MACHINE SPECIFICATIONS.exe.log, CSV 6->23 dropped 49 Writes to foreign memory regions 6->49 51 Injects a PE file into a foreign processes 6->51 14 CasPol.exe 17 7 6->14         started        19 conhost.exe 10->19         started        21 conhost.exe 12->21         started        signatures5 process6 dnsIp7 27 ftp.electrobist.com 51.195.62.160, 21, 49702, 49703 OVHFR France 14->27 29 api.ipify.org.herokudns.com 3.220.57.224, 443, 49701 AMAZON-AESUS United States 14->29 31 2 other IPs or domains 14->31 25 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 14->25 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->35 37 May check the online IP address of the machine 14->37 39 6 other signatures 14->39 file8 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
51.195.62.160
 ftp.electrobist.com France
16276 OVHFR true
3.220.57.224
 api.ipify.org.herokudns.com United States
14618 AMAZON-AESUS false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
api.ipify.org.herokudns.com 3.220.57.224 true
c-0001.c-msedge.net 13.107.4.50 true
ftp.electrobist.com 51.195.62.160 true
api.ipify.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
    		high