
Windows Analysis Report
SyfCbCNRRU.exe

Overview

General Information

Sample Name: SyfCbCNRRU.exe
Original Sample Name: d5445d98bdbd8a339bcafe31aa223d9e.exe
Analysis ID: 864080
MD5: d5445d98bdbd8a339bcafe31aa223d9e
SHA1: c4036c0b438de8cf23fee5bcc564edc186b954db
SHA256: 413ec94d35627af97c57c6482630e6b2bb299eebf164e187ea7df0a0eb80ecc6
Tags: 32, exe, MassLogger

Detection

AgentTesla
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Contains functionality to capture screen (.Net source)
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
.NET source code contains potential unpacker
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Yara detected Credential Stealer
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Enables debug privileges

Classification

  • System is w10x64
  • SyfCbCNRRU.exe (PID: 7040 cmdline: C:\Users\user\Desktop\SyfCbCNRRU.exe MD5: D5445D98BDBD8A339BCAFE31AA223D9E)
    • RegAsm.exe (PID: 5124 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
  • 00000001.00000002.520992752.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000001.00000002.520992752.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
    • 0xd4f2:$a1: get_encryptedPassword
    • 0xd887:$a2: get_encryptedUsername
    • 0xd29c:$a3: get_timePasswordChanged
    • 0xd3a2:$a4: get_passwordField
    • 0xd508:$a5: set_encryptedPassword
    • 0xf0e5:$a7: get_logins
    • 0xedb3:$a8: GetOutlookPasswords
    • 0xeafb:$a9: StartKeylogger
    • 0xf01c:$a10: KeyLoggerEventArgs
    • 0xeb0a:$a11: KeyLoggerEventArgsEventHandler
  • 00000000.00000002.265836712.00000000027A1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 00000000.00000002.265836712.00000000027A1000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
    • 0x105af6:$a1: get_encryptedPassword
    • 0x119d12:$a1: get_encryptedPassword
    • 0x1efb5a:$a1: get_encryptedPassword
    • 0x105e8b:$a2: get_encryptedUsername
    • 0x11a0a7:$a2: get_encryptedUsername
    • 0x1efeef:$a2: get_encryptedUsername
    • 0x1058a0:$a3: get_timePasswordChanged
    • 0x119abc:$a3: get_timePasswordChanged
    • 0x1ef904:$a3: get_timePasswordChanged
    • 0x1059a6:$a4: get_passwordField
    • 0x119bc2:$a4: get_passwordField
    • 0x1efa0a:$a4: get_passwordField
    • 0x105b0c:$a5: set_encryptedPassword
    • 0x119d28:$a5: set_encryptedPassword
    • 0x1efb70:$a5: set_encryptedPassword
    • 0x1076e9:$a7: get_logins
    • 0x11b905:$a7: get_logins
    • 0x1f174d:$a7: get_logins
    • 0x1073b7:$a8: GetOutlookPasswords
    • 0x11b5d3:$a8: GetOutlookPasswords
    • 0x1f141b:$a8: GetOutlookPasswords
  • Process Memory Space: SyfCbCNRRU.exe PID: 7040 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  (4 further entries collapsed in the original report)

Source | Rule | Description | Author | Strings
  • 0.2.SyfCbCNRRU.exe.2899404.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 0.2.SyfCbCNRRU.exe.2899404.2.unpack | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hoocking | ditekSHen
    • 0xc61c:$s1: UnHook
    • 0xc623:$s2: SetHook
    • 0xc62b:$s3: CallNextHook
    • 0xc638:$s4: _hook
  • 0.2.SyfCbCNRRU.exe.2899404.2.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
    • 0xb8f2:$a1: get_encryptedPassword
    • 0xbc87:$a2: get_encryptedUsername
    • 0xb69c:$a3: get_timePasswordChanged
    • 0xb7a2:$a4: get_passwordField
    • 0xb908:$a5: set_encryptedPassword
    • 0xd4e5:$a7: get_logins
    • 0xd1b3:$a8: GetOutlookPasswords
    • 0xcefb:$a9: StartKeylogger
    • 0xd41c:$a10: KeyLoggerEventArgs
    • 0xcf0a:$a11: KeyLoggerEventArgsEventHandler
  • 1.2.RegAsm.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
  • 1.2.RegAsm.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  (14 further entries collapsed in the original report)

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: SyfCbCNRRU.exe | ReversingLabs: Detection: 27%
Source: SyfCbCNRRU.exe | Virustotal: Detection: 35%
Source: SyfCbCNRRU.exe | Joe Sandbox ML: detected
Source: SyfCbCNRRU.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SyfCbCNRRU.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: F:\Desktop V500\important\CSharp-RunPE-master\RunPE\obj\Debug\SeaCyanPul.pdb | source: SyfCbCNRRU.exe, 00000000.00000002.265836712.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, SyfCbCNRRU.exe, 00000000.00000002.268240261.0000000004FD0000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012A4610h (1_2_012A41F8)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012A3825h (1_2_012A2D38)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012A3EC9h (1_2_012A3C08)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012A4610h (1_2_012A41E9)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012AF2F1h (1_2_012AF03C)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h (1_2_012A288B)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012AFBA1h (1_2_012AF8E8)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012AE5E9h (1_2_012AE330)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012AEE99h (1_2_012AEBE0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h (1_2_012A2A6D)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h (1_2_012A2258)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012A4610h (1_2_012A453E)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012AF749h (1_2_012AF48F)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4x nop then jmp 012AEA41h (1_2_012AE787)

              Networking

Source: Yara match | File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SyfCbCNRRU.exe.2899404.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SyfCbCNRRU.exe.27bbbd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SyfCbCNRRU.exe.27b859c.0.raw.unpack, type: UNPACKEDPE
Source: SyfCbCNRRU.exe, 00000000.00000002.265836712.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.520992752.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: SyfCbCNRRU.exe | String found in binary or memory: http://edstarcoordinator.com/api.asmx/GetSystems
Source: SyfCbCNRRU.exe, 00000000.00000002.265836712.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.520992752.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 1.2.RegAsm.exe.400000.0.unpack, KrakenStub/KrakenSteak.cs | .Net Code: TakeScreenshot
Source: SyfCbCNRRU.exe, 00000000.00000002.265275088.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

              System Summary

Source: 0.2.SyfCbCNRRU.exe.2899404.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SyfCbCNRRU.exe.2899404.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SyfCbCNRRU.exe.2899404.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SyfCbCNRRU.exe.2899404.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SyfCbCNRRU.exe.27bbbd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SyfCbCNRRU.exe.27bbbd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.SyfCbCNRRU.exe.27b859c.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 0.2.SyfCbCNRRU.exe.27b859c.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000001.00000002.520992752.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.265836712.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: SyfCbCNRRU.exe PID: 7040, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 5124, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: SyfCbCNRRU.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.SyfCbCNRRU.exe.2899404.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SyfCbCNRRU.exe.2899404.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SyfCbCNRRU.exe.2899404.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SyfCbCNRRU.exe.2899404.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SyfCbCNRRU.exe.27bbbd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SyfCbCNRRU.exe.27bbbd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.SyfCbCNRRU.exe.27b859c.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 0.2.SyfCbCNRRU.exe.27b859c.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000001.00000002.520992752.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.265836712.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: SyfCbCNRRU.exe PID: 7040, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegAsm.exe PID: 5124, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: SyfCbCNRRU.exe, 00000000.00000002.265836712.00000000027A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSeaCyanPul.dll" vs SyfCbCNRRU.exe
Source: SyfCbCNRRU.exe, 00000000.00000002.265836712.00000000027A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKrakenStub.exe6 vs SyfCbCNRRU.exe
Source: SyfCbCNRRU.exe, 00000000.00000003.256112733.0000000000BB8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDataBasePracticalJob.dllJ vs SyfCbCNRRU.exe
Source: SyfCbCNRRU.exe, 00000000.00000002.267014370.00000000037D4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDataBasePracticalJob.dllJ vs SyfCbCNRRU.exe
Source: SyfCbCNRRU.exe, 00000000.00000000.255167077.00000000004FE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameRareCommodityHelper.exeH vs SyfCbCNRRU.exe
Source: SyfCbCNRRU.exe, 00000000.00000002.267865549.0000000004E80000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameDataBasePracticalJob.dllJ vs SyfCbCNRRU.exe
Source: SyfCbCNRRU.exe, 00000000.00000002.265275088.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SyfCbCNRRU.exe
Source: SyfCbCNRRU.exe, 00000000.00000002.268240261.0000000004FD0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSeaCyanPul.dll" vs SyfCbCNRRU.exe
Source: SyfCbCNRRU.exe | Binary or memory string: OriginalFilenameRareCommodityHelper.exeH vs SyfCbCNRRU.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | Code function: 0_2_0275F9B0
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | Code function: 0_2_027550C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AA9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AB2A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012A2D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012A3C08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012A66B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AF03C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AF8E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AE330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AABE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AEBE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012A2230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AA230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AA240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012A2258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012A1469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AF48F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AE787
Source: SyfCbCNRRU.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SyfCbCNRRU.exe | ReversingLabs: Detection: 27%
Source: SyfCbCNRRU.exe | Virustotal: Detection: 35%
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SyfCbCNRRU.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: unknown | Process created: C:\Users\user\Desktop\SyfCbCNRRU.exe C:\Users\user\Desktop\SyfCbCNRRU.exe
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SyfCbCNRRU.exe.log
Source: classification engine | Classification label: mal96.troj.spyw.evad.winEXE@3/1@0/0
Source: SyfCbCNRRU.exe, RareCommodityHelper/MainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.SyfCbCNRRU.exe.4c0000.0.unpack, RareCommodityHelper/MainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.RegAsm.exe.400000.0.unpack, KrakenStub/KrakenDumpedList.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 1.2.RegAsm.exe.400000.0.unpack, KrakenStub/KrakenSteak.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SyfCbCNRRU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SyfCbCNRRU.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: F:\Desktop V500\important\CSharp-RunPE-master\RunPE\obj\Debug\SeaCyanPul.pdb | source: SyfCbCNRRU.exe, 00000000.00000002.265836712.00000000027A1000.00000004.00000800.00020000.00000000.sdmp, SyfCbCNRRU.exe, 00000000.00000002.268240261.0000000004FD0000.00000004.08000000.00040000.00000000.sdmp

              Data Obfuscation

Source: SyfCbCNRRU.exe, PathNode.cs | .Net Code: ANTR3ND0 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.SyfCbCNRRU.exe.4c0000.0.unpack, PathNode.cs | .Net Code: ANTR3ND0 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: initial sample | Static PE information: section name: .text entropy: 7.693686657770114
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | Process information set: NOOPENFILEERRORBOX (24 identical events)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (31 identical events)
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe TID: 3132 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 1_2_012AA9C8 LdrInitializeThunk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

Source: 1.2.RegAsm.exe.400000.0.unpack, KrakenStub/KrakenSteak.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
Source: 1.2.RegAsm.exe.400000.0.unpack, KrakenStub/FFDecryptor.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: C:\Users\user\Desktop\SyfCbCNRRU.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe