Windows Analysis Report
rJUSTIFICANTEDEPAGO.exe

Overview

General Information

Sample Name: rJUSTIFICANTEDEPAGO.exe
Analysis ID: 830400
MD5: e542cf9ce8a67a5b681cc9b0004e0b10
SHA1: 40161158f7cab76c57b4d95798c74ebc7d612cfe
SHA256: 4e78f6957f4c8c0f56a9b49e139342b1df7b1dc05518d96e776aa687a80f8c58
Infos:

Detection

AgentTesla, GuLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected GuLoader
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
PE / OLE file has an invalid certificate
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: rJUSTIFICANTEDEPAGO.exe Virustotal: Detection: 21% Perma Link
Uses 32bit PE files
Source: rJUSTIFICANTEDEPAGO.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Replyingly\Avnbgen\Spisekamrenes Jump to behavior
Source: unknown HTTPS traffic detected: 172.217.16.206:443 -> 192.168.11.20:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.33:443 -> 192.168.11.20:49817 version: TLS 1.2
Source: rJUSTIFICANTEDEPAGO.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Code function: 2_2_0040596D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_0040596D
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Code function: 2_2_004065A2 FindFirstFileW,FindClose, 2_2_004065A2
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Code function: 2_2_00402862 FindFirstFileW, 2_2_00402862
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1Ll5Auv3nDnZ4O0Qt2f2ZcFUknFi4BgKW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/npt87m3l1utm86tkghdjh82fk6qcfges/1679307750000/00651307112604445902/*/1Ll5Auv3nDnZ4O0Qt2f2ZcFUknFi4BgKW?e=download&uuid=ea605c4e-1574-48ab-a781-ae85f09da2da HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0s-98-docs.googleusercontent.comConnection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: CasPol.exe, 00000007.00000003.2773592501.0000000005510000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CasPol.exe, 00000007.00000003.2773592501.0000000005510000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rJUSTIFICANTEDEPAGO.exe, 00000002.00000002.2801043131.000000000040A000.00000004.00000001.01000000.00000004.sdmp, rJUSTIFICANTEDEPAGO.exe, 00000002.00000000.1680795427.000000000040A000.00000008.00000001.01000000.00000004.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CasPol.exe, 00000007.00000002.6872352349.0000000005508000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0s-98-docs.googleusercontent.com/%%doc-0s-98-docs.googleusercontent.com
Source: CasPol.exe, 00000007.00000003.2773592501.0000000005510000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.6872352349.00000000054F5000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.6872352349.000000000554E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://doc-0s-98-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/npt87m3l
Source: CasPol.exe, 00000007.00000002.6888996138.0000000034FA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1Ll5Auv3nDnZ4O0Qt2f2ZcFUknFi4BgKW
Source: rJUSTIFICANTEDEPAGO.exe, 00000002.00000002.2801043131.0000000000789000.00000004.00000001.01000000.00000004.sdmp String found in binary or memory: https://github.com/dotnet/runtime
Source: rJUSTIFICANTEDEPAGO.exe, 00000002.00000002.2801043131.0000000000789000.00000004.00000001.01000000.00000004.sdmp String found in binary or memory: https://github.com/dotnet/runtimeBSJB
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1Ll5Auv3nDnZ4O0Qt2f2ZcFUknFi4BgKW HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/npt87m3l1utm86tkghdjh82fk6qcfges/1679307750000/00651307112604445902/*/1Ll5Auv3nDnZ4O0Qt2f2ZcFUknFi4BgKW?e=download&uuid=ea605c4e-1574-48ab-a781-ae85f09da2da HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0s-98-docs.googleusercontent.comConnection: Keep-Alive
Source: unknown HTTPS traffic detected: 172.217.16.206:443 -> 192.168.11.20:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.33:443 -> 192.168.11.20:49817 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Code function: 2_2_00405402 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 2_2_00405402
Uses 32bit PE files
Source: rJUSTIFICANTEDEPAGO.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Code function: 2_2_00403350 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_00403350
Detected potential crypto function
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Code function: 2_2_00404C3F 2_2_00404C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_360A4140 7_2_360A4140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_360A4D58 7_2_360A4D58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Code function: 7_2_360A4488 7_2_360A4488
PE file does not import any functions
Source: System.Reflection.TypeExtensions.dll.2.dr Static PE information: No import functions for PE file found
Tries to load missing DLLs
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: edgegdi.dll Jump to behavior
PE / OLE file has an invalid certificate
Source: rJUSTIFICANTEDEPAGO.exe Static PE information: invalid certificate
Source: rJUSTIFICANTEDEPAGO.exe Virustotal: Detection: 21%
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe File read: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Jump to behavior
Source: rJUSTIFICANTEDEPAGO.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Jump to behavior
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Code function: 2_2_00403350 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_00403350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe File created: C:\Users\user\AppData\Local\Temp\nsz625B.tmp Jump to behavior
Source: classification engine Classification label: mal96.troj.spyw.evad.winEXE@4/14@2/2
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Code function: 2_2_004020FE LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk, 2_2_004020FE
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Code function: 2_2_004046C3 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 2_2_004046C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8068:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8068:304:WilStaging_02
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Replyingly\Avnbgen\Spisekamrenes Jump to behavior
Source: rJUSTIFICANTEDEPAGO.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000002.00000002.2804076292.0000000005376000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Code function: 2_2_10002DE0 push eax; ret 2_2_10002E0E
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Code function: 2_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 2_2_10001B18
Binary contains a suspicious time stamp
Source: System.Reflection.Primitives.dll.2.dr Static PE information: 0xE40AD0DE [Wed Mar 28 09:54:38 2091 UTC]
Drops PE files
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe File created: C:\Users\user\AppData\Local\Temp\nsz62F8.tmp\AdvSplash.dll Jump to dropped file
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe File created: C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\Rntgenstraaler\Overholde\Wingdings\System.Reflection.TypeExtensions.dll Jump to dropped file
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe File created: C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\Nonteachable\Bekmpelsesforanstaltninger\Carcinoid2\Efterplaprer\System.Reflection.Primitives.dll Jump to dropped file
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe File created: C:\Users\user\AppData\Local\Temp\nsz62F8.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect Any.run
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: rJUSTIFICANTEDEPAGO.exe, 00000002.00000002.2802808162.0000000000858000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: rJUSTIFICANTEDEPAGO.exe, 00000002.00000002.2802808162.0000000000858000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\Rntgenstraaler\Overholde\Wingdings\System.Reflection.TypeExtensions.dll Jump to dropped file
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Musicalises34\Coleman\Biarcuated\Nonteachable\Bekmpelsesforanstaltninger\Carcinoid2\Efterplaprer\System.Reflection.Primitives.dll Jump to dropped file
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Window / User API: threadDelayed 1885 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Code function: 2_2_0040596D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 2_2_0040596D
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Code function: 2_2_004065A2 FindFirstFileW,FindClose, 2_2_004065A2
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Code function: 2_2_00402862 FindFirstFileW, 2_2_00402862
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe API call chain: ExitProcess graph end node
Source: rJUSTIFICANTEDEPAGO.exe, 00000002.00000002.2886151117.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.6876893530.00000000070F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: rJUSTIFICANTEDEPAGO.exe, 00000002.00000002.2886151117.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.6876893530.00000000070F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 00000007.00000002.6876893530.00000000070F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: rJUSTIFICANTEDEPAGO.exe, 00000002.00000002.2886151117.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.6876893530.00000000070F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: rJUSTIFICANTEDEPAGO.exe, 00000002.00000002.2886151117.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.6876893530.00000000070F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: rJUSTIFICANTEDEPAGO.exe, 00000002.00000002.2886151117.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.6876893530.00000000070F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 00000007.00000002.6876893530.00000000070F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: CasPol.exe, 00000007.00000002.6872352349.00000000054F5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rJUSTIFICANTEDEPAGO.exe, 00000002.00000002.2802808162.0000000000858000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: rJUSTIFICANTEDEPAGO.exe, 00000002.00000002.2886151117.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.6876893530.00000000070F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: rJUSTIFICANTEDEPAGO.exe, 00000002.00000002.2886151117.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.6876893530.00000000070F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: rJUSTIFICANTEDEPAGO.exe, 00000002.00000002.2886151117.0000000010059000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000007.00000002.6876893530.00000000070F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: rJUSTIFICANTEDEPAGO.exe, 00000002.00000002.2802808162.0000000000858000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: CasPol.exe, 00000007.00000002.6876893530.00000000070F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Code function: 2_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 2_2_10001B18
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Process token adjusted: Debug Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Code function: 2_2_00401E43 LdrInitializeThunk,ShowWindow,EnableWindow, 2_2_00401E43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: F00000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\rJUSTIFICANTEDEPAGO.exe Code function: 2_2_00403350 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 2_2_00403350

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000007.00000002.6893759617.00000000360C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 4160, type: MEMORYSTR
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000007.00000002.6893759617.00000000360C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 4160, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 00000007.00000002.6893759617.00000000360C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CasPol.exe PID: 4160, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 830400 Sample: rJUSTIFICANTEDEPAGO.exe Startdate: 20/03/2023 Architecture: WINDOWS Score: 96 26 googlehosted.l.googleusercontent.com 2->26 28 drive.google.com 2->28 30 doc-0s-98-docs.googleusercontent.com 2->30 36 Multi AV Scanner detection for submitted file 2->36 38 Yara detected GuLoader 2->38 40 Yara detected AgentTesla 2->40 42 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->42 8 rJUSTIFICANTEDEPAGO.exe 5 52 2->8         started        signatures3 process4 file5 18 C:\Users\user\AppData\Local\...\System.dll, PE32 8->18 dropped 20 C:\Users\user\AppData\Local\...\AdvSplash.dll, PE32 8->20 dropped 22 C:\...\System.Reflection.TypeExtensions.dll, PE32+ 8->22 dropped 24 C:\Users\...\System.Reflection.Primitives.dll, PE32 8->24 dropped 44 Writes to foreign memory regions 8->44 46 Tries to detect Any.run 8->46 12 CasPol.exe 11 8->12         started        signatures6 process7 dnsIp8 32 googlehosted.l.googleusercontent.com 142.250.186.33, 443, 49817 GOOGLEUS United States 12->32 34 drive.google.com 172.217.16.206, 443, 49816 GOOGLEUS United States 12->34 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->48 50 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->50 52 Tries to steal Mail credentials (via file / registry access) 12->52 54 3 other signatures 12->54 16 conhost.exe 12->16         started        signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
172.217.16.206
 drive.google.com United States
15169 GOOGLEUS false
142.250.186.33
 googlehosted.l.googleusercontent.com United States
15169 GOOGLEUS false

Contacted Domains

Name IP Active
drive.google.com 172.217.16.206 true
googlehosted.l.googleusercontent.com 142.250.186.33 true
doc-0s-98-docs.googleusercontent.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://doc-0s-98-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/npt87m3l1utm86tkghdjh82fk6qcfges/1679307750000/00651307112604445902/*/1Ll5Auv3nDnZ4O0Qt2f2ZcFUknFi4BgKW?e=download&uuid=ea605c4e-1574-48ab-a781-ae85f09da2da false
    		high