Windows Analysis Report
Shipping Documents inv. 523435300XX.exe

Overview

General Information

Sample name: Shipping Documents inv. 523435300XX.exe
Analysis ID: 1448084
MD5: efae427357884a8d496facd0298f6af8
SHA1: a69384c7d0d889050d55e557b51e97aa8a3554f7
SHA256: b86258bbf5182d3da8292cbff6262a90cef9dd418fd8b6706fde5747662da2ae
Tags: exeRedLineStealer
Infos:

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection
barindex
Found malware configuration
Source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.gmail.com", "Username": "officestore2022@gmail.com", "Password": "xhcgmrubwdhylrry"}
Multi AV Scanner detection for submitted file
Source: Shipping Documents inv. 523435300XX.exe ReversingLabs: Detection: 32%
Source: Shipping Documents inv. 523435300XX.exe Virustotal: Detection: 32% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 89.7% probability
Machine Learning detection for sample
Source: Shipping Documents inv. 523435300XX.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Shipping Documents inv. 523435300XX.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: jBpFfg.exe, 00000003.00000000.2135037340.0000000000E12000.00000002.00000001.01000000.00000007.sdmp, jBpFfg.exe.2.dr
Source: Binary string: wntdll.pdbUGP source: Shipping Documents inv. 523435300XX.exe, 00000000.00000003.1992055764.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, Shipping Documents inv. 523435300XX.exe, 00000000.00000003.1992163435.0000000004360000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Shipping Documents inv. 523435300XX.exe, 00000000.00000003.1992055764.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, Shipping Documents inv. 523435300XX.exe, 00000000.00000003.1992163435.0000000004360000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: jBpFfg.exe, 00000003.00000000.2135037340.0000000000E12000.00000002.00000001.01000000.00000007.sdmp, jBpFfg.exe.2.dr
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E24696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00E24696
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00E2C9C7
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E2C93C FindFirstFileW,FindClose, 0_2_00E2C93C
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00E2F200
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00E2F35D
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E2F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00E2F65E
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00E23A2B
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00E23D4E
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E2BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00E2BF27
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 64.233.184.108:587
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View IP Address: 172.67.74.152 172.67.74.152
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
May check the online IP address of the machine
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Source: unknown DNS query: name: api.ipify.org
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 64.233.184.108:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E325E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_00E325E2
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: smtp.gmail.com
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057B2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.pki.goog/gsr1/gsr1.crl0;
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.pki.goog/gtsr1/gtsr1.crl0W
Source: RegSvcs.exe, 00000002.00000002.3224787288.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3224787288.0000000000EB4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crls.pki.goog/gts1c3/QqFxbi9M48c.crl0
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057B2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr10)
Source: RegSvcs.exe, 00000002.00000002.3224787288.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3224787288.0000000000EB4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1c301
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.pki.goog/gtsr100
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057B2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pki.goog/gsr1/gsr1.crt02
Source: RegSvcs.exe, 00000002.00000002.3224787288.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3224787288.0000000000EB4000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pki.goog/repo/certs/gts1c3.der0
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pki.goog/repo/certs/gtsr1.der04
Source: RegSvcs.exe, 00000002.00000002.3226494405.0000000002D91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.3226494405.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://smtp.gmail.com
Source: RegSvcs.exe, 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000002.00000002.3226494405.0000000002D91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000002.00000002.3226494405.0000000002D91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243673072.00000000057C0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49704 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, R1W.cs .Net Code: XzfKyIvDT
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E3425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00E3425A
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E34458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00E34458
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E3425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00E3425A
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E20219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_00E20219
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E4CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00E4CDAC

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Shipping Documents inv. 523435300XX.exe.2510000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.299f0de.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.299f0de.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.2d20000.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.2d20ee8.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.3de3390.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.2d20000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.5380000.8.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.3d95570.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.3d95570.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.299ffc6.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.1994390069.0000000002510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000002.00000002.3222160800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: This is a third-party compiled AutoIt script. 0_2_00DC3B4C
Source: Shipping Documents inv. 523435300XX.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Shipping Documents inv. 523435300XX.exe, 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_b88bc182-7
Source: Shipping Documents inv. 523435300XX.exe, 00000000.00000002.1993927160.0000000000E75000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_49304f44-5
Source: Shipping Documents inv. 523435300XX.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_f9ebf38c-4
Source: Shipping Documents inv. 523435300XX.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_0a3254a4-4
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Shipping Documents inv. 523435300XX.exe
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E240B1: CreateFileW,_memset,DeviceIoControl,CloseHandle, 0_2_00E240B1
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E18858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00E18858
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E2545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_00E2545F
Detected potential crypto function
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DCE800 0_2_00DCE800
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DEDBB5 0_2_00DEDBB5
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E4804A 0_2_00E4804A
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DCE060 0_2_00DCE060
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DD4140 0_2_00DD4140
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DE2405 0_2_00DE2405
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DF6522 0_2_00DF6522
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E40665 0_2_00E40665
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DF267E 0_2_00DF267E
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DD6843 0_2_00DD6843
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DE283A 0_2_00DE283A
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DF89DF 0_2_00DF89DF
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E40AE2 0_2_00E40AE2
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DF6A94 0_2_00DF6A94
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DD8A0E 0_2_00DD8A0E
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E1EB07 0_2_00E1EB07
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E28B13 0_2_00E28B13
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DECD61 0_2_00DECD61
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DF7006 0_2_00DF7006
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DD3190 0_2_00DD3190
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DD710E 0_2_00DD710E
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DC1287 0_2_00DC1287
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DE33C7 0_2_00DE33C7
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DEF419 0_2_00DEF419
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DE16C4 0_2_00DE16C4
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DD5680 0_2_00DD5680
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DE78D3 0_2_00DE78D3
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DD58C0 0_2_00DD58C0
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DE1BB8 0_2_00DE1BB8
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DF9D05 0_2_00DF9D05
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DCFE40 0_2_00DCFE40
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DE1FD0 0_2_00DE1FD0
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DEBFE6 0_2_00DEBFE6
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_018E3660 0_2_018E3660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00408C60 2_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0040DC11 2_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00407C3F 2_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00418CCC 2_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00406CA0 2_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004028B0 2_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0041A4BE 2_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00418244 2_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00401650 2_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00402F20 2_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004193C4 2_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00418788 2_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00402F89 2_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00402B90 2_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004073A0 2_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_02A9D6F0 2_2_02A9D6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_02A9CAD8 2_2_02A9CAD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_02A9CE20 2_2_02A9CE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_02A90FD0 2_2_02A90FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_02A91030 2_2_02A91030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_063495A0 2_2_063495A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0634EDC0 2_2_0634EDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06346258 2_2_06346258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0634CAF8 2_2_0634CAF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0634634F 2_2_0634634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0634F517 2_2_0634F517
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0634BBF8 2_2_0634BBF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06340006 2_2_06340006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06340040 2_2_06340040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06740740 2_2_06740740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_067464C0 2_2_067464C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06745530 2_2_06745530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06741F20 2_2_06741F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_067486B8 2_2_067486B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06741830 2_2_06741830
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Code function: 6_2_01400BC0 6_2_01400BC0
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: String function: 00DE0D27 appears 70 times
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: String function: 00DE8B40 appears 42 times
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: String function: 00DC7F41 appears 35 times
Sample file is different than original file name gathered from version info
Source: Shipping Documents inv. 523435300XX.exe, 00000000.00000003.1991396095.000000000448D000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Shipping Documents inv. 523435300XX.exe
Source: Shipping Documents inv. 523435300XX.exe, 00000000.00000002.1994390069.0000000002510000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename828fa1cf-c07a-41d9-8abe-44ba12064e60.exe4 vs Shipping Documents inv. 523435300XX.exe
Source: Shipping Documents inv. 523435300XX.exe, 00000000.00000003.1991205602.0000000003F63000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Shipping Documents inv. 523435300XX.exe
Uses 32bit PE files
Source: Shipping Documents inv. 523435300XX.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Shipping Documents inv. 523435300XX.exe.2510000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.299f0de.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.299f0de.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.2d20000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.2d20ee8.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.3de3390.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.2d20000.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.5380000.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.3d95570.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.3d95570.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.299ffc6.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.1994390069.0000000002510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000002.00000002.3222160800.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, KLhJmaON.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, KLhJmaON.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, 7hO8luD.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, 7hO8luD.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, 7hO8luD.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, 7hO8luD.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/8@2/2
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E2A2D5 GetLastError,FormatMessageW, 0_2_00E2A2D5
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E18713 AdjustTokenPrivileges,CloseHandle, 0_2_00E18713
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E18CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_00E18CC3
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E2B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_00E2B59E
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E3F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00E3F121
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E386D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear, 0_2_00E386D0
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DC4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00DC4FE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\jBpFfg Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5704:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_03
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe File created: C:\Users\user\AppData\Local\Temp\autAB36.tmp Jump to behavior
Source: Shipping Documents inv. 523435300XX.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Shipping Documents inv. 523435300XX.exe ReversingLabs: Detection: 32%
Source: Shipping Documents inv. 523435300XX.exe Virustotal: Detection: 32%
Source: unknown Process created: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe "C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe"
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe "C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe"
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe "C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe"
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe" Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: Shipping Documents inv. 523435300XX.exe Static file information: File size 1137664 > 1048576
Source: Shipping Documents inv. 523435300XX.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Shipping Documents inv. 523435300XX.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Shipping Documents inv. 523435300XX.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Shipping Documents inv. 523435300XX.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Shipping Documents inv. 523435300XX.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Shipping Documents inv. 523435300XX.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Shipping Documents inv. 523435300XX.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: jBpFfg.exe, 00000003.00000000.2135037340.0000000000E12000.00000002.00000001.01000000.00000007.sdmp, jBpFfg.exe.2.dr
Source: Binary string: wntdll.pdbUGP source: Shipping Documents inv. 523435300XX.exe, 00000000.00000003.1992055764.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, Shipping Documents inv. 523435300XX.exe, 00000000.00000003.1992163435.0000000004360000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Shipping Documents inv. 523435300XX.exe, 00000000.00000003.1992055764.0000000003E40000.00000004.00001000.00020000.00000000.sdmp, Shipping Documents inv. 523435300XX.exe, 00000000.00000003.1992163435.0000000004360000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: jBpFfg.exe, 00000003.00000000.2135037340.0000000000E12000.00000002.00000001.01000000.00000007.sdmp, jBpFfg.exe.2.dr
Source: Shipping Documents inv. 523435300XX.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Shipping Documents inv. 523435300XX.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Shipping Documents inv. 523435300XX.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Shipping Documents inv. 523435300XX.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Shipping Documents inv. 523435300XX.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E3C304 LoadLibraryA,GetProcAddress, 0_2_00E3C304
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DE8B85 push ecx; ret 0_2_00DE8B98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0041C40C push cs; iretd 2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00423149 push eax; ret 2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0041C50E push cs; iretd 2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004231C8 push eax; ret 2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0040E21D push ecx; ret 2_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0041C6BE push ebx; ret 2_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_02A94FA9 push es; ret 2_2_02A94FAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0634E2B1 push esp; retf 2_2_0634E2B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0634E0D8 push esp; retf 2_2_0634E2B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0634D938 pushad ; ret 2_2_0634D939
Source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'uQ5kGQT8Wn4QT', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'uQ5kGQT8Wn4QT', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'uQ5kGQT8Wn4QT', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'uQ5kGQT8Wn4QT', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'uQ5kGQT8Wn4QT', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jBpFfg Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run jBpFfg Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: download (15).png
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe:Zone.Identifier read attributes | delete Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00DC4A35
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E455FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00E455FD
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DE33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00DE33C7
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Memory allocated: 1650000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Memory allocated: 31E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Memory allocated: 16F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Memory allocated: 13C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Memory allocated: 2D30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Memory allocated: 4D30000 memory reserve | memory write watch Jump to behavior
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 2_2_004019F0
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 4611 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1605 Jump to behavior
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe API coverage: 4.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe TID: 5496 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe TID: 7064 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E24696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00E24696
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00E2C9C7
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E2C93C FindFirstFileW,FindClose, 0_2_00E2C93C
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00E2F200
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00E2F35D
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E2F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00E2F65E
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00E23A2B
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00E23D4E
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E2BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00E2BF27
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DC4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00DC4AFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99886 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99781 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99672 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99562 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99453 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99343 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99234 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99125 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99015 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98906 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98797 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98687 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98468 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98359 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98140 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97921 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97702 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97593 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97484 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97374 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97262 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 97072 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96966 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96794 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96687 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 96578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: RegSvcs.exe, 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: hgfsZrw6
Source: RegSvcs.exe, 00000002.00000002.3243725014.00000000057CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API call chain: ExitProcess graph end node
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E341FD BlockInput, 0_2_00E341FD
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DC3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00DC3B4C
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DF5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00DF5CCC
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 2_2_004019F0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E3C304 LoadLibraryA,GetProcAddress, 0_2_00E3C304
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_018E3550 mov eax, dword ptr fs:[00000030h] 0_2_018E3550
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_018E34F0 mov eax, dword ptr fs:[00000030h] 0_2_018E34F0
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_018E1ED0 mov eax, dword ptr fs:[00000030h] 0_2_018E1ED0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E181F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00E181F7
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DEA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DEA395
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DEA364 SetUnhandledExceptionFilter, 0_2_00DEA364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004123F1 SetUnhandledExceptionFilter, 2_2_004123F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A92008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E18C93 LogonUserW, 0_2_00E18C93
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DC3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00DC3B4C
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DC4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00DC4A35
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E24EF5 mouse_event, 0_2_00E24EF5
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe" Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E181F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00E181F7
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E24C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00E24C03
Source: Shipping Documents inv. 523435300XX.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Shipping Documents inv. 523435300XX.exe Binary or memory string: Shell_TrayWnd
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DE886B cpuid 0_2_00DE886B
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoA, 2_2_00417A20
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Queries volume information: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Queries volume information: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\jBpFfg\jBpFfg.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DF50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00DF50D7
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E02230 GetUserNameW, 0_2_00E02230
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DF418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00DF418A
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00DC4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00DC4AFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 2.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.299f0de.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.299f0de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2d20000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2d20ee8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3de3390.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2d20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5380000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3d95570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3d95570.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.299ffc6.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3226494405.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3226494405.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3992, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 2.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.299f0de.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.299f0de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2d20000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2d20ee8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3de3390.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2d20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5380000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3d95570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3d95570.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.299ffc6.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\FTP Navigator\Ftplist.txt Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: Shipping Documents inv. 523435300XX.exe Binary or memory string: WIN_81
Source: Shipping Documents inv. 523435300XX.exe Binary or memory string: WIN_XP
Source: Shipping Documents inv. 523435300XX.exe Binary or memory string: WIN_XPe
Source: Shipping Documents inv. 523435300XX.exe Binary or memory string: WIN_VISTA
Source: Shipping Documents inv. 523435300XX.exe Binary or memory string: WIN_7
Source: Shipping Documents inv. 523435300XX.exe Binary or memory string: WIN_8
Source: Shipping Documents inv. 523435300XX.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Yara detected Credential Stealer
Source: Yara match File source: 2.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.299f0de.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.299f0de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2d20000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2d20ee8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3de3390.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2d20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5380000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3d95570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3d95570.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.299ffc6.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3226494405.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3992, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 2.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.299f0de.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.299f0de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2d20000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2d20ee8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3de3390.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2d20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5380000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3d95570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3d95570.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.299ffc6.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3226494405.0000000002E0F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3226494405.0000000002E17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3226494405.0000000002DE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 3992, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 2.2.RegSvcs.exe.3d96458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.299ffc6.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.299f0de.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.299f0de.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2d20000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2d20ee8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3de3390.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5380000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3de3390.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2d20000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5380000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3d95570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3d95570.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.3d96458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.2d20ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.299ffc6.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3243289603.0000000005380000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3225656041.000000000295F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3226282758.0000000002D20000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3242552295.0000000003D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E36596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00E36596
Source: C:\Users\user\Desktop\Shipping Documents inv. 523435300XX.exe Code function: 0_2_00E36A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00E36A5A
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1448084 Sample: Shipping Documents inv. 523... Startdate: 27/05/2024 Architecture: WINDOWS Score: 100 25 smtp.gmail.com 2->25 27 api.ipify.org 2->27 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->45 47 9 other signatures 2->47 7 Shipping Documents inv. 523435300XX.exe 4 2->7         started        10 jBpFfg.exe 2 2->10         started        12 jBpFfg.exe 1 2->12         started        signatures3 process4 signatures5 49 Binary is likely a compiled AutoIt script file 7->49 51 Writes to foreign memory regions 7->51 53 Maps a DLL or memory area into another process 7->53 14 RegSvcs.exe 16 4 7->14         started        19 conhost.exe 10->19         started        21 conhost.exe 12->21         started        process6 dnsIp7 29 smtp.gmail.com 64.233.184.108, 49705, 587 GOOGLEUS United States 14->29 31 api.ipify.org 172.67.74.152, 443, 49704 CLOUDFLARENETUS United States 14->31 23 C:\Users\user\AppData\Roaming\...\jBpFfg.exe, PE32 14->23 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->35 37 Tries to steal Mail credentials (via file / registry access) 14->37 39 3 other signatures 14->39 file8 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
64.233.184.108
 smtp.gmail.com United States
15169 GOOGLEUS false
172.67.74.152
 api.ipify.org United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
api.ipify.org 172.67.74.152 true
smtp.gmail.com 64.233.184.108 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.ipify.org/ false
  • URL Reputation: safe
  • URL Reputation: safe
 unknown