
Windows Analysis Report
Invoice.exe

Overview

General Information

Sample Name: Invoice.exe
Analysis ID: 863303
MD5: 5ccc83a775f796de3dd319752d32a509
SHA1: f564530c7f2e11f3320fac2a57e8abd33bd67126
SHA256: 8a6bebf08f6c223ed9821ee3b80e420060c66770402687f5c98555f9b0cd02a3
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Contains functionality to capture screen (.Net source)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Machine Learning detection for sample
.NET source code contains potential unpacker
Yara detected Generic Downloader
Sample has a suspicious name (potential lure to open the executable)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Yara detected Credential Stealer
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • Invoice.exe (PID: 7148 cmdline: C:\Users\user\Desktop\Invoice.exe MD5: 5CCC83A775F796DE3DD319752D32A509)
    • RegAsm.exe (PID: 2380 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • cleanup
No configs have been found
Source: 00000001.00000002.512262420.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000001.00000002.512262420.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Author: unknown, Strings:
    • 0xd3aa:$a1: get_encryptedPassword
    • 0xd73f:$a2: get_encryptedUsername
    • 0xd154:$a3: get_timePasswordChanged
    • 0xd25a:$a4: get_passwordField
    • 0xd3c0:$a5: set_encryptedPassword
    • 0xef90:$a7: get_logins
    • 0xec5e:$a8: GetOutlookPasswords
    • 0xe9a6:$a9: StartKeylogger
    • 0xeec7:$a10: KeyLoggerEventArgs
    • 0xe9b5:$a11: KeyLoggerEventArgsEventHandler
Source: 00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Author: unknown, Strings:
      • 0x105792:$a1: get_encryptedPassword
      • 0x1197ae:$a1: get_encryptedPassword
      • 0x1ef3f2:$a1: get_encryptedPassword
      • 0x105b27:$a2: get_encryptedUsername
      • 0x119b43:$a2: get_encryptedUsername
      • 0x1ef787:$a2: get_encryptedUsername
      • 0x10553c:$a3: get_timePasswordChanged
      • 0x119558:$a3: get_timePasswordChanged
      • 0x1ef19c:$a3: get_timePasswordChanged
      • 0x105642:$a4: get_passwordField
      • 0x11965e:$a4: get_passwordField
      • 0x1ef2a2:$a4: get_passwordField
      • 0x1057a8:$a5: set_encryptedPassword
      • 0x1197c4:$a5: set_encryptedPassword
      • 0x1ef408:$a5: set_encryptedPassword
      • 0x107378:$a7: get_logins
      • 0x11b394:$a7: get_logins
      • 0x1f0fd8:$a7: get_logins
      • 0x107046:$a8: GetOutlookPasswords
      • 0x11b062:$a8: GetOutlookPasswords
      • 0x1f0ca6:$a8: GetOutlookPasswords
Source: Process Memory Space: Invoice.exe PID: 7148, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 0.2.Invoice.exe.2f891e8.1.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 0.2.Invoice.exe.2f891e8.1.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Author: ditekSHen, Strings:
          • 0xc4d4:$s1: UnHook
          • 0xc4db:$s2: SetHook
          • 0xc4e3:$s3: CallNextHook
          • 0xc4f0:$s4: _hook
Source: 0.2.Invoice.exe.2f891e8.1.unpack, Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Author: unknown, Strings:
          • 0xb7aa:$a1: get_encryptedPassword
          • 0xbb3f:$a2: get_encryptedUsername
          • 0xb554:$a3: get_timePasswordChanged
          • 0xb65a:$a4: get_passwordField
          • 0xb7c0:$a5: set_encryptedPassword
          • 0xd390:$a7: get_logins
          • 0xd05e:$a8: GetOutlookPasswords
          • 0xcda6:$a9: StartKeylogger
          • 0xd2c7:$a10: KeyLoggerEventArgs
          • 0xcdb5:$a11: KeyLoggerEventArgsEventHandler
Source: 1.2.RegAsm.exe.400000.0.unpack, Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Author: Joe Security
Source: 1.2.RegAsm.exe.400000.0.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
No Sigma rule has matched
No Snort rule has matched


              AV Detection

Source: Invoice.exe ReversingLabs: Detection: 21%
Source: Invoice.exe Virustotal: Detection: 20%
Source: Invoice.exe Joe Sandbox ML: detected
Source: Invoice.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Invoice.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: F:\Desktop V500\important\CSharp-RunPE-master\RunPE\obj\Debug\SeaCyanPul.pdb source: Invoice.exe, 00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Invoice.exe, 00000000.00000002.259381177.00000000054E0000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 03034610h (1_2_030341F8)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 03033825h (1_2_03032D38)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 03033EC9h (1_2_03033C08)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 0303E5E9h (1_2_0303E330)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 0303EE99h (1_2_0303EBE0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h (1_2_03032258)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h (1_2_03032A6D)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 03034610h (1_2_030341E9)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 0303F2F1h (1_2_0303F038)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h (1_2_0303288B)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 0303FBA1h (1_2_0303F8E8)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 0303EA41h (1_2_0303E787)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 03034610h (1_2_0303453E)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 4x nop then jmp 0303F749h (1_2_0303F48F)

              Networking

Source: Yara match, File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Invoice.exe.2f891e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Invoice.exe.2eabbb0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Invoice.exe.2ea857c.0.raw.unpack, type: UNPACKEDPE
Source: Invoice.exe, 00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.512262420.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/q
Source: Invoice.exe String found in binary or memory: http://edstarcoordinator.com/api.asmx/GetSystems
Source: Invoice.exe, 00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.512262420.0000000000402000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 1.2.RegAsm.exe.400000.0.unpack, KrakenStub/KrakenSteak.cs .Net Code: TakeScreenshot
Source: Invoice.exe, 00000000.00000002.256149307.00000000011DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              System Summary

Source: 0.2.Invoice.exe.2f891e8.1.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Invoice.exe.2f891e8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Invoice.exe.2f891e8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Invoice.exe.2f891e8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Invoice.exe.2eabbb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Invoice.exe.2eabbb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Invoice.exe.2ea857c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.Invoice.exe.2ea857c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.512262420.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Invoice.exe PID: 7148, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 2380, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: initial sample Static PE information: Filename: Invoice.exe
Source: Invoice.exe Static file information: Suspicious name
Source: Invoice.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.Invoice.exe.2f891e8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Invoice.exe.2f891e8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Invoice.exe.2f891e8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Invoice.exe.2f891e8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Invoice.exe.2eabbb0.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Invoice.exe.2eabbb0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Invoice.exe.2ea857c.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.Invoice.exe.2ea857c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.512262420.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Invoice.exe PID: 7148, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegAsm.exe PID: 2380, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\Invoice.exe Code function: 0_2_013550D0
Source: C:\Users\user\Desktop\Invoice.exe Code function: 0_2_0135F9B0
Source: C:\Users\user\Desktop\Invoice.exe Code function: 0_2_0135E5E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0303B2A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0303A9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_030366B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_03032D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_03033C08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0303E330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0303EBE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0303ABE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_03032230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0303A230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0303A240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_03032258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0303F038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0303F8E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0303E787
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0303F48F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_057E5260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_057EE248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_057E7F60
Source: Invoice.exe, 00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSeaCyanPul.dll" vs Invoice.exe
Source: Invoice.exe, 00000000.00000002.256900468.0000000002E91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKrakenStub.exe6 vs Invoice.exe
Source: Invoice.exe, 00000000.00000003.246609960.000000000124D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDataBasePracticalJob.dllJ vs Invoice.exe
Source: Invoice.exe, 00000000.00000002.259381177.00000000054E0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameSeaCyanPul.dll" vs Invoice.exe
Source: Invoice.exe, 00000000.00000002.259017463.0000000005420000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDataBasePracticalJob.dllJ vs Invoice.exe
Source: Invoice.exe, 00000000.00000000.245827312.0000000000ABE000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRareCommodityHelper.exeH vs Invoice.exe
Source: Invoice.exe, 00000000.00000002.258459348.0000000003EC4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDataBasePracticalJob.dllJ vs Invoice.exe
Source: Invoice.exe Binary or memory string: OriginalFilenameRareCommodityHelper.exeH vs Invoice.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: Invoice.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Invoice.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Invoice.exe C:\Users\user\Desktop\Invoice.exe
Source: C:\Users\user\Desktop\Invoice.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\Invoice.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice.exe.log
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@0/0
Source: Invoice.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Invoice.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: Invoice.exe, RareCommodityHelper/MainForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.RegAsm.exe.400000.0.unpack, KrakenStub/KrakenDumpedList.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.400000.0.unpack, KrakenStub/KrakenSteak.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: C:\Users\user\Desktop\Invoice.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Invoice.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

              Data Obfuscation

Source: Invoice.exe, PathNode.cs .Net Code: ANTR3ND0 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: initial sample Static PE information: section name: .text entropy: 7.692787601373311
Source: C:\Users\user\Desktop\Invoice.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Invoice.exe TID: 2888 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Invoice.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 1_2_0303A9C8 LdrInitializeThunk
Source: C:\Users\user\Desktop\Invoice.exe Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

Source: 1.2.RegAsm.exe.400000.0.unpack, KrakenStub/KrakenSteak.cs Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 1.2.RegAsm.exe.400000.0.unpack, KrakenStub/FFDecryptor.cs Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: C:\Users\user\Desktop\Invoice.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\Invoice.exe Queries volume information: C:\Users\user\Desktop\Invoice.exe VolumeInformation
Source: C:\Users\user\Desktop\Invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Invoice.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.