Windows Analysis Report
Royalistic.exe

Overview

General Information

Sample Name: Royalistic.exe
Analysis ID: 828570
MD5: d14335f61c99a9b8a2d5e87cdf83cdd0
SHA1: f82f3481619be8f9f11d76638db3107b1d332912
SHA256: 08cabec4d0127fb3e6530b04448cb3539c2b8f28988e60499c2dbbfe475206df
Infos:

Detection

AgentTesla, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected GuLoader
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
May check the online IP address of the machine
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Creates a window with clipboard capturing capabilities
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: Royalistic.exe Virustotal: Detection: 50% Perma Link
Source: Royalistic.exe ReversingLabs: Detection: 25%
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_3968C488 CryptUnprotectData, 5_2_3968C488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_3968C9D8 CryptUnprotectData, 5_2_3968C9D8
Uses 32bit PE files
Source: Royalistic.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 142.250.184.238:443 -> 192.168.11.20:49835 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.11.20:49836 version: TLS 1.2
Source: unknown HTTPS traffic detected: 64.185.227.155:443 -> 192.168.11.20:49837 version: TLS 1.2
Source: Royalistic.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 1_2_00405A19
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_004065CE FindFirstFileA,FindClose, 1_2_004065CE
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_004027AA FindFirstFileA, 1_2_004027AA

Networking
barindex
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 64.185.227.155 64.185.227.155
Source: Joe Sandbox View IP Address: 64.185.227.155 64.185.227.155
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1UVMbNINla56ELELB-JwuaeCfH_gJxWsR HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/n5qeluefaghr8f6hcddgpiu2u5tcuo8v/1679046600000/04783729953593762461/*/1UVMbNINla56ELELB-JwuaeCfH_gJxWsR?e=download&uuid=a3c458a3-e946-4640-bad5-e344d2665c90 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-08-50-docs.googleusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: CasPol.exe, 00000005.00000003.24628796513.00000000059FC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.24633505571.0000000005A0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 00000005.00000003.24628796513.00000000059FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Royalistic.exe, Royalistic.exe, 00000001.00000002.24656159751.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Royalistic.exe, 00000001.00000000.24145483899.000000000040A000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Royalistic.exe, 00000001.00000002.24656159751.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Royalistic.exe, 00000001.00000000.24145483899.000000000040A000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CasPol.exe, 00000005.00000002.29396081799.0000000036361000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: CasPol.exe, 00000005.00000002.29396081799.0000000036361000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: CasPol.exe, 00000005.00000002.29396081799.0000000036361000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: CasPol.exe, 00000005.00000003.24633505571.0000000005A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-08-50-docs.googleusercontent.com/
Source: CasPol.exe, 00000005.00000003.24629377441.0000000005A3B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.29376899735.00000000059DA000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.29376899735.00000000059FB000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.24628796513.00000000059FC000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000003.24633505571.00000000059F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-08-50-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/n5qeluef
Source: CasPol.exe, 00000005.00000002.29376899735.0000000005992000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: CasPol.exe, 00000005.00000002.29376899735.0000000005992000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.29392880123.0000000035300000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1UVMbNINla56ELELB-JwuaeCfH_gJxWsR
Source: CasPol.exe, 00000005.00000002.29376899735.0000000005992000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1UVMbNINla56ELELB-JwuaeCfH_gJxWsR3
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1UVMbNINla56ELELB-JwuaeCfH_gJxWsR HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/n5qeluefaghr8f6hcddgpiu2u5tcuo8v/1679046600000/04783729953593762461/*/1UVMbNINla56ELELB-JwuaeCfH_gJxWsR?e=download&uuid=a3c458a3-e946-4640-bad5-e344d2665c90 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-08-50-docs.googleusercontent.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 142.250.184.238:443 -> 192.168.11.20:49835 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.184.225:443 -> 192.168.11.20:49836 version: TLS 1.2
Source: unknown HTTPS traffic detected: 64.185.227.155:443 -> 192.168.11.20:49837 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe Jump to behavior
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_004054B6 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_004054B6
Uses 32bit PE files
Source: Royalistic.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_004033B3
Detected potential crypto function
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_0040727F 1_2_0040727F
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_00406AA8 1_2_00406AA8
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_707D2288 1_2_707D2288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_00974930 5_2_00974930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_00970040 5_2_00970040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_00973968 5_2_00973968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_00976F18 5_2_00976F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_00970700 5_2_00970700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_361A4148 5_2_361A4148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_361A4D60 5_2_361A4D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_361A4490 5_2_361A4490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_361AD305 5_2_361AD305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_361A1D73 5_2_361A1D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_3968DB50 5_2_3968DB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_39684A00 5_2_39684A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_39680040 5_2_39680040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_396845E0 5_2_396845E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_3968DF18 5_2_3968DF18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_396831D1 5_2_396831D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_39683270 5_2_39683270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_396845D0 5_2_396845D0
PE file does not import any functions
Source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr Static PE information: No import functions for PE file found
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Royalistic.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
PE / OLE file has an invalid certificate
Source: Royalistic.exe Static PE information: invalid certificate
Source: Royalistic.exe Virustotal: Detection: 50%
Source: Royalistic.exe ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\Royalistic.exe File read: C:\Users\user\Desktop\Royalistic.exe Jump to behavior
Source: Royalistic.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Royalistic.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Royalistic.exe C:\Users\user\Desktop\Royalistic.exe
Source: C:\Users\user\Desktop\Royalistic.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\Royalistic.exe
Source: C:\Users\user\Desktop\Royalistic.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\Royalistic.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Royalistic.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\Royalistic.exe Jump to behavior
Source: C:\Users\user\Desktop\Royalistic.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\Royalistic.exe Jump to behavior
Source: C:\Users\user\Desktop\Royalistic.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_004033B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Royalistic.exe File created: C:\Users\user\AppData\Roaming\Kartoffelprodukterne Jump to behavior
Source: C:\Users\user\Desktop\Royalistic.exe File created: C:\Users\user\AppData\Local\Temp\nsfDF2B.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/16@3/3
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_00402173 CoCreateInstance,MultiByteToWideChar, 1_2_00402173
Source: C:\Users\user\Desktop\Royalistic.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_00404766 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 1_2_00404766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:564:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:564:120:WilError_03
Source: C:\Users\user\Desktop\Royalistic.exe File written: C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Stinkbranden\Middagsselskaber\AsMultiLang.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Royalistic.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.24658662982.00000000052B6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.24657057833.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Royalistic.exe PID: 5084, type: MEMORYSTR
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_04724000 push ds; ret 1_2_04723FD2
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_047242A3 push ds; ret 1_2_047242B2
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_04724760 push edi; ret 1_2_04724775
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_04724BFC push ecx; iretd 1_2_04724C08
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_04723FBB push ds; ret 1_2_04723FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_00C242A3 push ds; ret 5_2_00C242B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_00C24000 push ds; ret 5_2_00C23FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_00C24BFC push ecx; iretd 5_2_00C24C08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_00C23FBB push ds; ret 5_2_00C23FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_00C24760 push edi; ret 5_2_00C24775
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 5_2_361ABB20 pushfd ; retf 5_2_361ABB21
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_707D2288 GlobalFree,lstrcpyA,GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 1_2_707D2288
Binary contains a suspicious time stamp
Source: System.Xml.XmlDocument.dll.1.dr Static PE information: 0x9BADDA42 [Sun Oct 6 21:14:42 2052 UTC]
Drops PE files
Source: C:\Users\user\Desktop\Royalistic.exe File created: C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Forhastelse\Kommandjsr\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\Royalistic.exe File created: C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Konini\Firsaarsfdselsdage\Whorehouse\Faithworthy\System.Xml.XmlDocument.dll Jump to dropped file
Source: C:\Users\user\Desktop\Royalistic.exe File created: C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Forhastelse\Kommandjsr\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Royalistic.exe File created: C:\Users\user\AppData\Local\Temp\nslE084.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\Royalistic.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect Any.run
Source: C:\Users\user\Desktop\Royalistic.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\Royalistic.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Royalistic.exe, 00000001.00000002.24657057833.0000000000788000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4276 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4276 Thread sleep time: -1200000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\Royalistic.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Forhastelse\Kommandjsr\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Users\user\Desktop\Royalistic.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Konini\Firsaarsfdselsdage\Whorehouse\Faithworthy\System.Xml.XmlDocument.dll Jump to dropped file
Source: C:\Users\user\Desktop\Royalistic.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Kartoffelprodukterne\conchinine\Forhastelse\Kommandjsr\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1200000 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 1879 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_00405A19 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 1_2_00405A19
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_004065CE FindFirstFileA,FindClose, 1_2_004065CE
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_004027AA FindFirstFileA, 1_2_004027AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Thread delayed: delay time: 1200000 Jump to behavior
Source: C:\Users\user\Desktop\Royalistic.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Royalistic.exe API call chain: ExitProcess graph end node
Source: Royalistic.exe, 00000001.00000002.24757822575.0000000009269000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.29381357073.0000000007549000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: Royalistic.exe, 00000001.00000002.24757822575.0000000009269000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.29381357073.0000000007549000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 00000005.00000002.29381357073.0000000007549000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: Royalistic.exe, 00000001.00000002.24757822575.0000000009269000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.29381357073.0000000007549000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Royalistic.exe, 00000001.00000002.24757822575.0000000009269000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.29381357073.0000000007549000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: Royalistic.exe, 00000001.00000002.24757822575.0000000009269000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.29381357073.0000000007549000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 00000005.00000002.29381357073.0000000007549000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000005.00000002.29376899735.00000000059E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: CasPol.exe, 00000005.00000002.29376899735.0000000005992000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: Royalistic.exe, 00000001.00000002.24657057833.0000000000788000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Royalistic.exe, 00000001.00000002.24757822575.0000000009269000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.29381357073.0000000007549000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: Royalistic.exe, 00000001.00000002.24757822575.0000000009269000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.29381357073.0000000007549000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: Royalistic.exe, 00000001.00000002.24757822575.0000000009269000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000005.00000002.29381357073.0000000007549000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 00000005.00000002.29381357073.0000000007549000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_707D2288 GlobalFree,lstrcpyA,GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 1_2_707D2288
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Royalistic.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: C20000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Royalistic.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\Royalistic.exe Jump to behavior
Source: C:\Users\user\Desktop\Royalistic.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\Royalistic.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\Royalistic.exe Code function: 1_2_004033B3 EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 1_2_004033B3

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.29396081799.00000000363AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000005.00000002.29396081799.00000000363AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 7428, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000002.29396081799.00000000363AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 828570 Sample: Royalistic.exe Startdate: 17/03/2023 Architecture: WINDOWS Score: 100 28 googlehosted.l.googleusercontent.com 2->28 30 drive.google.com 2->30 32 3 other IPs or domains 2->32 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected GuLoader 2->42 44 Yara detected AgentTesla 2->44 46 2 other signatures 2->46 8 Royalistic.exe 52 2->8         started        signatures3 process4 file5 20 C:\Users\user\...\System.Xml.XmlDocument.dll, PE32 8->20 dropped 22 C:\Users\...\api-ms-win-crt-stdio-l1-1-0.dll, PE32 8->22 dropped 24 api-ms-win-core-pr...sthreads-l1-1-1.dll, PE32+ 8->24 dropped 26 C:\Users\user\AppData\Local\...\System.dll, PE32 8->26 dropped 48 Writes to foreign memory regions 8->48 50 Tries to detect Any.run 8->50 12 CasPol.exe 15 11 8->12         started        16 CasPol.exe 8->16         started        signatures6 process7 dnsIp8 34 api4.ipify.org 64.185.227.155, 443, 49837 WEBNXUS United States 12->34 36 googlehosted.l.googleusercontent.com 142.250.184.225, 443, 49836 GOOGLEUS United States 12->36 38 drive.google.com 142.250.184.238, 443, 49835 GOOGLEUS United States 12->38 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->52 54 Tries to steal Mail credentials (via file / registry access) 12->54 56 Tries to harvest and steal browser information (history, passwords, etc) 12->56 62 2 other signatures 12->62 18 conhost.exe 12->18         started        58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->58 60 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->60 signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.250.184.225
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false
142.250.184.238
 drive.google.com United States
15169 GOOGLEUS false
64.185.227.155
 api4.ipify.org United States
18450 WEBNXUS false

Contacted Domains

Name IP Active
api4.ipify.org 64.185.227.155 true
drive.google.com 142.250.184.238 true
googlehosted.l.googleusercontent.com 142.250.184.225 true
doc-08-50-docs.googleusercontent.com unknown unknown
api.ipify.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
    		high
    https://doc-08-50-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/n5qeluefaghr8f6hcddgpiu2u5tcuo8v/1679046600000/04783729953593762461/*/1UVMbNINla56ELELB-JwuaeCfH_gJxWsR?e=download&uuid=a3c458a3-e946-4640-bad5-e344d2665c90 false
      		high