Windows Analysis Report
REMITTANCE COPY.exe

Overview

General Information

Sample Name:	REMITTANCE COPY.exe
Analysis ID:	756282
MD5:	e54ca4f235a6878e6c4913b4ddcba055
SHA1:	b91ce873b8a93b46ebac12b5d1e62f3a1a9dd27f
SHA256:	6acfd9ea1b88077926a542fd286da3119b626792f71b09927ca252236245d43a
Tags:	agentteslaexe
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AgentTesla

Yara detected AntiVM3

Sigma detected: Scheduled temp file as task from temp location

Multi AV Scanner detection for dropped file

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

.NET source code references suspicious native API functions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains very large array initializations

Machine Learning detection for dropped file

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Detected TCP or UDP traffic on non-standard ports

Uses SMTP (mail sending)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: REMITTANCE COPY.exe	ReversingLabs: Detection: 21%
Source: REMITTANCE COPY.exe	Virustotal: Detection: 49%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe

ReversingLabs: Detection: 21%

Machine Learning detection for sample

Source: REMITTANCE COPY.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 10.0.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Spy.Gen8

Source: 10.0.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.orogenicgroup-bd.com", "Username": "amir.hossain@orogenicgroup-bd.com", "Password": "Hossain$3400"}

Uses 32bit PE files

Source: REMITTANCE COPY.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: REMITTANCE COPY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RegSvcs.pdb, source: yGbzOMp.exe, 0000000C.00000000.367371733.0000000000ED2000.00000002.00000001.01000000.0000000B.sdmp, yGbzOMp.exe.10.dr
Source:	Binary string: tDw0Ivm.pdb source: REMITTANCE COPY.exe, FSmZIJwnxoJulr.exe.1.dr
Source:	Binary string: RegSvcs.pdb source: yGbzOMp.exe, 0000000C.00000000.367371733.0000000000ED2000.00000002.00000001.01000000.0000000B.sdmp, yGbzOMp.exe.10.dr

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_02B27F18
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_02B27F09
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_02B294B0
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	1_2_02B294C0

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49702 -> 119.148.27.3:587

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.5:49702 -> 119.148.27.3:587

Source: RegSvcs.exe, 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegSvcs.exe, 00000013.00000002.565816116.0000000002B54000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566299272.0000000002BB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://BUBAorlAmTfYEKM.org
Source: RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://JXqRNJ.com
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571267257.0000000005F28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571336653.0000000005F2C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 0000000A.00000003.404386589.00000000067EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571422388.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493584481.0000000005F50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571336653.0000000005F2C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.427101571.0000000001514000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571211268.0000000005F22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com
Source: REMITTANCE COPY.exe, 00000001.00000003.288469959.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://fontfabrik.com8
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.orogenicgroup-bd.com
Source: RegSvcs.exe, 00000013.00000003.493584481.0000000005F50000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571466727.0000000005F56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.co
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.427101571.0000000001514000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571267257.0000000005F28000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571211268.0000000005F22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571336653.0000000005F2C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: REMITTANCE COPY.exe, 00000001.00000003.303771050.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303959941.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303624192.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303913362.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303859975.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303721912.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.303668105.0000000005DD2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.agfamonotype.E
Source: REMITTANCE COPY.exe, 00000001.00000003.291989862.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: REMITTANCE COPY.exe, 00000001.00000003.293125528.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.com4
Source: REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comK
Source: REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comOp8
Source: REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comTyp
Source: REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.come-d
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293150130.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comll
Source: REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comn
Source: REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comn-u
Source: REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.como.O
Source: REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comorm
Source: REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.comr
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.336773384.00000000014B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: REMITTANCE COPY.exe, 00000001.00000003.304551334.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.298354512.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.298303175.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: REMITTANCE COPY.exe, 00000001.00000003.299382446.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers9
Source: REMITTANCE COPY.exe, 00000001.00000003.297504908.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers:
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: REMITTANCE COPY.exe, 00000001.00000003.297504908.0000000005DBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersHr
Source: REMITTANCE COPY.exe, 00000001.00000003.304433086.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersVr
Source: REMITTANCE COPY.exe, 00000001.00000003.297651784.0000000005DBB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersur
Source: REMITTANCE COPY.exe, 00000001.00000003.288206696.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.288094280.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.288042735.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.287982024.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: REMITTANCE COPY.exe, 00000001.00000003.287982024.0000000005DBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.comW
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.290780334.0000000005D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cna-e8
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.290780334.0000000005D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnava
Source: REMITTANCE COPY.exe, 00000001.00000003.291721850.0000000005D86000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.291634809.0000000005D84000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnf
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnft
Source: REMITTANCE COPY.exe, 00000001.00000003.291102483.0000000005D91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cniUI
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.290780334.0000000005D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnorm
Source: REMITTANCE COPY.exe, 00000001.00000003.290883555.0000000005D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cnormX
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: REMITTANCE COPY.exe, 00000001.00000003.300842991.0000000005D90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/i-
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.335473766.0000000005D8F000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.300945403.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.302829024.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.300842991.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.301785961.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346313308.0000000005D94000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.305138593.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: REMITTANCE COPY.exe, 00000001.00000003.296476214.0000000005D8B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.monotype.
Source: REMITTANCE COPY.exe, 00000001.00000003.287595714.00000000014BD000.00000004.00000020.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: REMITTANCE COPY.exe, 00000001.00000003.287595714.00000000014BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com8
Source: REMITTANCE COPY.exe, 00000001.00000003.287595714.00000000014BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.comp
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: REMITTANCE COPY.exe, 00000001.00000002.348171972.0000000007105000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000002.346689888.0000000007012000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292842829.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292899850.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.293206606.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292552805.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292709953.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292496560.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, REMITTANCE COPY.exe, 00000001.00000003.292316798.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnX
Source: REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cncro
Source: REMITTANCE COPY.exe, 00000001.00000003.292241305.0000000005D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.
Source: RegSvcs.exe, 0000000A.00000002.435455318.00000000036BF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.427101571.0000000001514000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000003.493495830.0000000005F1E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.571211268.0000000005F22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.566149106.0000000002B8D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: RegSvcs.exe, 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: mail.orogenicgroup-bd.com

System Summary

Malicious sample detected (through community Yara rule)

Source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 11.2.FSmZIJwnxoJulr.exe.2b2ba44.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 1.2.REMITTANCE COPY.exe.2e0ba18.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgentTeslaV3 infostealer payload Author: ditekSHen
Source: 1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: REMITTANCE COPY.exe PID: 2820, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 5924, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f Author: unknown

.NET source code contains very large array initializations

Source: 10.0.RegSvcs.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b1A51FE34u002d102Bu002d4B81u002dB647u002d9B5BFE7FC3FBu007d/u00339A8F051u002d32C9u002d4CC9u002dBC08u002dBE27BEFD88F4.cs

Large array initialization: .cctor: array initializer size 10971

Uses 32bit PE files

Source: REMITTANCE COPY.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Yara signature match

Source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 11.2.FSmZIJwnxoJulr.exe.2b2ba44.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 1.2.REMITTANCE COPY.exe.2e0ba18.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV3 author = ditekSHen, description = AgentTeslaV3 infostealer payload
Source: 1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: REMITTANCE COPY.exe PID: 2820, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20
Source: Process Memory Space: RegSvcs.exe PID: 5924, type: MEMORYSTR	Matched rule: Windows_Trojan_AgentTesla_d3ac2b2f reference_sample = 65463161760af7ab85f5c475a0f7b1581234a1e714a2c5a555783bdd203f85f4, os = windows, severity = x86, creation_date = 2021-03-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AgentTesla, fingerprint = cbbb56fe6cd7277ae9595a10e05e2ce535a4e6bf205810be0bbce3a883b6f8bc, id = d3ac2b2f-14fc-4851-8a57-41032e386aeb, last_modified = 2022-06-20

Detected potential crypto function

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B22B98	1_2_02B22B98
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B22788	1_2_02B22788
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B22F40	1_2_02B22F40
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B248E0	1_2_02B248E0
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B268E8	1_2_02B268E8
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B28468	1_2_02B28468
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B20040	1_2_02B20040
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B245B0	1_2_02B245B0
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B26AD2	1_2_02B26AD2
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B20A30	1_2_02B20A30
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B20A23	1_2_02B20A23
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B24220	1_2_02B24220
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B24211	1_2_02B24211
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B22B88	1_2_02B22B88
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B22F30	1_2_02B22F30
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B22778	1_2_02B22778
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B248D0	1_2_02B248D0
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B268DB	1_2_02B268DB
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B20006	1_2_02B20006
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B2459F	1_2_02B2459F
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B209D3	1_2_02B209D3
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B23939	1_2_02B23939
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B20540	1_2_02B20540
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B23948	1_2_02B23948
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_051EC5E4	1_2_051EC5E4
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_051EE8F8	1_2_051EE8F8
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_051EE8E8	1_2_051EE8E8
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_074F5F48	1_2_074F5F48
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_074F0560	1_2_074F0560
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_074FB570	1_2_074FB570
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_074F5F37	1_2_074F5F37
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_07500040	1_2_07500040
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_07500006	1_2_07500006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0189F780	10_2_0189F780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0189FAC8	10_2_0189FAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0594C518	10_2_0594C518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_05940548	10_2_05940548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_05942638	10_2_05942638
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0594D278	10_2_0594D278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06894E28	10_2_06894E28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0689E770	10_2_0689E770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0689A4C0	10_2_0689A4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_068985B8	10_2_068985B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06890040	10_2_06890040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0689D518	10_2_0689D518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0689D578	10_2_0689D578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_068973D0	10_2_068973D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_068E0D58	10_2_068E0D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_068E5950	10_2_068E5950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_068EA7D1	10_2_068EA7D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_068E6089	10_2_068E6089
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_068E6188	10_2_068E6188

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: String function: 05946F60 appears 52 times

Sample file is different than original file name gathered from version info

Source: REMITTANCE COPY.exe, 00000001.00000002.350779687.0000000007860000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs REMITTANCE COPY.exe
Source: REMITTANCE COPY.exe, 00000001.00000000.283146986.0000000000A02000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametDw0Ivm.exeH vs REMITTANCE COPY.exe
Source: REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCassa.dll< vs REMITTANCE COPY.exe
Source: REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename98c82298-36d2-4e7e-8ae3-4950e4f51184.exe4 vs REMITTANCE COPY.exe
Source: REMITTANCE COPY.exe, 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs REMITTANCE COPY.exe
Source: REMITTANCE COPY.exe, 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename98c82298-36d2-4e7e-8ae3-4950e4f51184.exe4 vs REMITTANCE COPY.exe
Source: REMITTANCE COPY.exe, 00000001.00000002.342389295.0000000003FC6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenametDw0Ivm.exeH vs REMITTANCE COPY.exe
Source: REMITTANCE COPY.exe	Binary or memory string: OriginalFilenametDw0Ivm.exeH vs REMITTANCE COPY.exe

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50

Source: REMITTANCE COPY.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: FSmZIJwnxoJulr.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: REMITTANCE COPY.exe	ReversingLabs: Detection: 21%
Source: REMITTANCE COPY.exe	Virustotal: Detection: 49%

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe

File read: C:\Users\user\Desktop\REMITTANCE COPY.exe

Source: unknown	Process created: C:\Users\user\Desktop\REMITTANCE COPY.exe C:\Users\user\Desktop\REMITTANCE COPY.exe
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: unknown	Process created: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe "C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe"
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp77E.tmp
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp72FE.tmp	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FSmZIJwnxoJulr" /XML "C:\Users\user\AppData\Local\Temp\tmp77E.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: REMITTANCE COPY.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:64:120:WilError_01
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Mutant created: \Sessions\1\BaseNamedObjects\DuSwhYmlPmBH
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1008:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5624:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5612:120:WilError_01

Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.0.RegSvcs.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.0.RegSvcs.exe.400000.0.unpack, A/f2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs	.Net Code: xNGnKSEAPrQagQeE6Hg System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs	.Net Code: xNGnKSEAPrQagQeE6Hg System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs	.Net Code: xNGnKSEAPrQagQeE6Hg System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B23754 pushfd ; ret	1_2_02B2375A
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B28CFB push eax; retf	1_2_02B28D01
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_02B28CF8 pushad ; retf	1_2_02B28CF9
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_051EB879 pushfd ; iretd	1_2_051EB885
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Code function: 1_2_07503616 push ebx; retf	1_2_07503617
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_0594F488 push esp; retf	10_2_0594F5A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 10_2_06890040 push es; iretd	10_2_06891304

Source: initial sample	Static PE information: section name: .text entropy: 7.462745784487049
Source: initial sample	Static PE information: section name: .text entropy: 7.462745784487049

Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	High entropy of concatenated method names: '.cctor', 'QZQOvsDhNsh0c', 'Wf5QNuSnyY', 'WTFQlnN8oN', 'zDDQapRFVG', 'WFyQRvhShu', 'KSQQjemWLG', 'H5ZQGBjC0T', 'eERQYQE3B1', 'KHlQ5t8Doh'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/b9EbLgSPMgWI1TbVyO.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'DX1yZAdbRp', 'k79RwwENcv', 'YAURt1o4jD', 'QcRRgplt9W', 'vSjRLMuSgl', 'w4qRAdTMXR', 'GrWRTc7KRW', 'AAoR6Emdwk'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TI5UwticKxRg1dyFSa.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'noOeZb0ies', 'u0lRbwS252', 'smsRuogV6p', 'PdfRIgiwKt', 'udWRmRvnDy', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/z9bOeNT9MdeQrDHAPC.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'GpuImkaQsH', 'k79RwwENcv', 'YAURt1o4jD', 'CRGhIIkGVw', 'vvhhmOUkcZ', 'IbphVDL4Cg', 'n52hfpIrhI', 'pLLhshkecT'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/d1CyLYFgFXGNvlemq3.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'L8XevvE8LV', 'PdfRIgiwKt', 'udWRmRvnDy', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/ONFyhF0YnNyIhSgL3O.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'GxiVEJ0jNn', 'PdfRIgiwKt', 'udWRmRvnDy', 'G9laAsd9AN', 'WMbaTg2OTv', 'e78aa59LpQ', 'cfUaDsQqCy', 'aX0aRd0jsg'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/aMk2fMC2Gr8WiX93LF.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'yxaIYIl12a', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66', 'XVlRfAFoFX', 'FDHRk51DUB'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/q7gDjMcmmu0YL18gMc.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'hQ1VY5GLQF', 'u0lRbwS252', 'smsRuogV6p', 'sG9h20VYLo', 'vB9hpSuWWH', 'xsFaFdoXVW', 'Gi8aWkgj4K', 'C7BhbJWPIQ'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/Fy0rntsbxcuN10HMN7.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'GR31t3QhZ', 'GqpvY3pZgn', 'e4Ev5G3pRT', 'vqgvKcxHkV', 'AiXvxJSn2N', 'a0BvEZ5hWB', 'lbSvGAAOyy', 'o0Wv7qHw4T'
Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs	High entropy of concatenated method names: '.ctor', 'Q8HyysoMWs', 'BUAyeZiSXM', 'BL4yIp87R9', 'd2WyVfTRTO', 'MufyQn6sHm', 'aQsynUs9Vs', 'ATvysJil16', 'Dispose', 'HHlyWsWpwV'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	High entropy of concatenated method names: '.cctor', 'QZQOvsDhNsh0c', 'Wf5QNuSnyY', 'WTFQlnN8oN', 'zDDQapRFVG', 'WFyQRvhShu', 'KSQQjemWLG', 'H5ZQGBjC0T', 'eERQYQE3B1', 'KHlQ5t8Doh'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/b9EbLgSPMgWI1TbVyO.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'DX1yZAdbRp', 'k79RwwENcv', 'YAURt1o4jD', 'QcRRgplt9W', 'vSjRLMuSgl', 'w4qRAdTMXR', 'GrWRTc7KRW', 'AAoR6Emdwk'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TI5UwticKxRg1dyFSa.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'noOeZb0ies', 'u0lRbwS252', 'smsRuogV6p', 'PdfRIgiwKt', 'udWRmRvnDy', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/d1CyLYFgFXGNvlemq3.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'L8XevvE8LV', 'PdfRIgiwKt', 'udWRmRvnDy', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/z9bOeNT9MdeQrDHAPC.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'GpuImkaQsH', 'k79RwwENcv', 'YAURt1o4jD', 'CRGhIIkGVw', 'vvhhmOUkcZ', 'IbphVDL4Cg', 'n52hfpIrhI', 'pLLhshkecT'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/Fy0rntsbxcuN10HMN7.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'GR31t3QhZ', 'GqpvY3pZgn', 'e4Ev5G3pRT', 'vqgvKcxHkV', 'AiXvxJSn2N', 'a0BvEZ5hWB', 'lbSvGAAOyy', 'o0Wv7qHw4T'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/ONFyhF0YnNyIhSgL3O.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'GxiVEJ0jNn', 'PdfRIgiwKt', 'udWRmRvnDy', 'G9laAsd9AN', 'WMbaTg2OTv', 'e78aa59LpQ', 'cfUaDsQqCy', 'aX0aRd0jsg'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/q7gDjMcmmu0YL18gMc.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'hQ1VY5GLQF', 'u0lRbwS252', 'smsRuogV6p', 'sG9h20VYLo', 'vB9hpSuWWH', 'xsFaFdoXVW', 'Gi8aWkgj4K', 'C7BhbJWPIQ'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/aMk2fMC2Gr8WiX93LF.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'yxaIYIl12a', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66', 'XVlRfAFoFX', 'FDHRk51DUB'
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs	High entropy of concatenated method names: '.ctor', 'Q8HyysoMWs', 'BUAyeZiSXM', 'BL4yIp87R9', 'd2WyVfTRTO', 'MufyQn6sHm', 'aQsynUs9Vs', 'ATvysJil16', 'Dispose', 'HHlyWsWpwV'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	High entropy of concatenated method names: '.cctor', 'QZQOvsDhNsh0c', 'Wf5QNuSnyY', 'WTFQlnN8oN', 'zDDQapRFVG', 'WFyQRvhShu', 'KSQQjemWLG', 'H5ZQGBjC0T', 'eERQYQE3B1', 'KHlQ5t8Doh'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/b9EbLgSPMgWI1TbVyO.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'DX1yZAdbRp', 'k79RwwENcv', 'YAURt1o4jD', 'QcRRgplt9W', 'vSjRLMuSgl', 'w4qRAdTMXR', 'GrWRTc7KRW', 'AAoR6Emdwk'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TI5UwticKxRg1dyFSa.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'noOeZb0ies', 'u0lRbwS252', 'smsRuogV6p', 'PdfRIgiwKt', 'udWRmRvnDy', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/d1CyLYFgFXGNvlemq3.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'L8XevvE8LV', 'PdfRIgiwKt', 'udWRmRvnDy', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/z9bOeNT9MdeQrDHAPC.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'GpuImkaQsH', 'k79RwwENcv', 'YAURt1o4jD', 'CRGhIIkGVw', 'vvhhmOUkcZ', 'IbphVDL4Cg', 'n52hfpIrhI', 'pLLhshkecT'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/ONFyhF0YnNyIhSgL3O.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'GxiVEJ0jNn', 'PdfRIgiwKt', 'udWRmRvnDy', 'G9laAsd9AN', 'WMbaTg2OTv', 'e78aa59LpQ', 'cfUaDsQqCy', 'aX0aRd0jsg'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/Fy0rntsbxcuN10HMN7.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'GR31t3QhZ', 'GqpvY3pZgn', 'e4Ev5G3pRT', 'vqgvKcxHkV', 'AiXvxJSn2N', 'a0BvEZ5hWB', 'lbSvGAAOyy', 'o0Wv7qHw4T'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/V34Qd9WAa3yfJlh87W.cs	High entropy of concatenated method names: '.ctor', 'Q8HyysoMWs', 'BUAyeZiSXM', 'BL4yIp87R9', 'd2WyVfTRTO', 'MufyQn6sHm', 'aQsynUs9Vs', 'ATvysJil16', 'Dispose', 'HHlyWsWpwV'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/q7gDjMcmmu0YL18gMc.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'hQ1VY5GLQF', 'u0lRbwS252', 'smsRuogV6p', 'sG9h20VYLo', 'vB9hpSuWWH', 'xsFaFdoXVW', 'Gi8aWkgj4K', 'C7BhbJWPIQ'
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/aMk2fMC2Gr8WiX93LF.cs	High entropy of concatenated method names: '.ctor', 'Dispose', 'yxaIYIl12a', 'u0lRbwS252', 'smsRuogV6p', 'NM6RJFbMvd', 'fXJRqCKCPL', 'LW6RV4EL66', 'XVlRfAFoFX', 'FDHRk51DUB'

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	File created: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File created: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe			Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run yGbzOMp			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe:Zone.Identifier read attributes \| delete

Source: REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: REMITTANCE COPY.exe, 00000001.00000002.337033733.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe TID: 1004	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe TID: 4668	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe TID: 4776	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe TID: 5604	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 9841			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 9710

Source: RegSvcs.exe, 00000013.00000002.570894397.0000000005EE0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: RegSvcs.exe, 0000000A.00000002.443833244.0000000006799000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllowerManagementCapabilities
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: FSmZIJwnxoJulr.exe, 0000000B.00000002.423245986.0000000002A11000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000

Windows Analysis Report REMITTANCE COPY.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
REMITTANCE COPY.exe

Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000	Jump to behavior
Source: C:\Users\user\Desktop\REMITTANCE COPY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 11DB008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 438000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43A000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7C0008	Jump to behavior

Source: REMITTANCE COPY.exe, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	Reference to suspicious API methods: ('YnNQHnFFtg', 'LoadLibrary@kernel32'), ('cTRQMR6cgX', 'GetProcAddress@kernel32')
Source: FSmZIJwnxoJulr.exe.1.dr, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	Reference to suspicious API methods: ('YnNQHnFFtg', 'LoadLibrary@kernel32'), ('cTRQMR6cgX', 'GetProcAddress@kernel32')
Source: 1.0.REMITTANCE COPY.exe.930000.0.unpack, a16EH8yN3ks1U2Qt2E/TMlL4pN87R9I2WfTRT.cs	Reference to suspicious API methods: ('YnNQHnFFtg', 'LoadLibrary@kernel32'), ('cTRQMR6cgX', 'GetProcAddress@kernel32')
Source: 10.0.RegSvcs.exe.400000.0.unpack, A/C1.cs	Reference to suspicious API methods: ('A', 'VirtualAllocExNuma@kernel32.dll')
Source: 10.0.RegSvcs.exe.400000.0.unpack, A/e2.cs	Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')

Source: Yara match	File source: 10.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.REMITTANCE COPY.exe.3f453a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.REMITTANCE COPY.exe.3f453a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.REMITTANCE COPY.exe.3e99d50.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.334243836.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.340679547.0000000003E1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.560149553.00000000027CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.429075662.0000000003331000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: REMITTANCE COPY.exe PID: 2820, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5856, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

ID:	756282
Product:	CloudBasic
Start time:	23:18:09
Start date:	29.11.2022
Sample:	REMITTANCE COPY.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	e54ca4f235a6878e6c4913b4ddcba055
SHA1:	b91ce873b8a93b46ebac12b5d1e62f3a1a9dd27f
SHA256:	6acfd9ea1b88077926a542fd286da3119b626792f71b09927ca252236245d43a
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FSmZIJwnxoJulr.exe.log	ASCII text, with CRLF line terminators	69206D3AF7D6EFD08F4B4726998856D3	E778D4BF781F7712163CF5E2F5E7C15953E484CF	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\REMITTANCE COPY.exe.log	ASCII text, with CRLF line terminators	69206D3AF7D6EFD08F4B4726998856D3	E778D4BF781F7712163CF5E2F5E7C15953E484CF	A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yGbzOMp.exe.log	ASCII text, with CRLF line terminators	8C0458BB9EA02D50565175E38D577E35	F0B50702CD6470F3C17D637908F83212FDBDB2F2	C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
C:\Users\user\AppData\Local\Temp\tmp72FE.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	269DCA092DD3F101BB67595918569AE5	C073FBB9C93034493E7D4F04F5FE1D070E71DD8C	F2A7823946D9CC784D77659910E2DE48D2FF088AD0DE9FFD935C3EC2A43CEC27
C:\Users\user\AppData\Local\Temp\tmp77E.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	269DCA092DD3F101BB67595918569AE5	C073FBB9C93034493E7D4F04F5FE1D070E71DD8C	F2A7823946D9CC784D77659910E2DE48D2FF088AD0DE9FFD935C3EC2A43CEC27
C:\Users\user\AppData\Roaming\FSmZIJwnxoJulr.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	E54CA4F235A6878E6C4913B4DDCBA055	B91CE873B8A93B46EBAC12B5D1E62F3A1A9DD27F	6ACFD9EA1B88077926A542FD286DA3119B626792F71B09927CA252236245D43A
C:\Users\user\AppData\Roaming\yGbzOMp\yGbzOMp.exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	2867A3817C9245F7CF518524DFD18F28	D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC	43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
\Device\ConDrv	ASCII text, with CRLF line terminators	1AEB3A784552CFD2AEDEDC1D43A97A4F	804286AB9F8B3DE053222826A69A7CDA3492411A	0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293