Edit tour

Windows Analysis Report
rNuevaorden_pdf.exe

Overview

General Information

Sample name:	rNuevaorden_pdf.exe
Analysis ID:	1586732
MD5:	5c56f7b36c3eb8ef883c56b817deb84a
SHA1:	4cd5ac8d38c6a404060f8256bbeb3c47f4c6bf9f
SHA256:	04bdc8b7b3fef8114c7be89c4eb90769e91dc50c8af12d518f724f15519d71a8
Tags:	exeuser-Porcupine
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

AI detected suspicious sample

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Initial sample is a PE file and has a suspicious name

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

rNuevaorden_pdf.exe (PID: 5968 cmdline: "C:\Users\user\Desktop\rNuevaorden_pdf.exe" MD5: 5C56F7B36C3EB8EF883C56B817DEB84A)

RegAsm.exe (PID: 1196 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.lampadari.gr", "Username": "apamadick@lampadari.gr", "Password": "P8P[uVeJU=vh"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1332113164.00000000022F2000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1332113164.00000000022F2000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000003.1328318463.000000000047E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1328318463.000000000047E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000003.1328615566.000000000049D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1328615566.000000000049D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.3707413394.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.3707413394.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1332431486.0000000025E4D000.00000040.00000001.01000000.00000003.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x186c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000003.1328738169.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1328738169.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000003.1328860723.000000000049D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1328860723.000000000049D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.3710941669.0000000003195000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rNuevaorden_pdf.exe PID: 5968	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: rNuevaorden_pdf.exe PID: 5968	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 1196	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 1196	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.3.rNuevaorden_pdf.exe.49ddfc.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.rNuevaorden_pdf.exe.49ddfc.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.rNuevaorden_pdf.exe.49ddfc.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3262b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3269d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32727:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x327b9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32823:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32895:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3292b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x329bb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.rNuevaorden_pdf.exe.49ddfc.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f811:$s2: GetPrivateProfileString 0x2ef33:$s3: get_OSFullName 0x3057e:$s5: remove_Key 0x30722:$s5: remove_Key 0x31675:$s6: FtpWebRequest 0x3260d:$s7: logins 0x32b7f:$s7: logins 0x35862:$s7: logins 0x35942:$s7: logins 0x37295:$s7: logins 0x364dc:$s9: 1.85 (Hash, version 2, native byte-order)
0.3.rNuevaorden_pdf.exe.49ddf8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.rNuevaorden_pdf.exe.49ddf8.2.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.rNuevaorden_pdf.exe.49ddf8.2.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3262f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x326a1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3272b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x327bd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32827:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32899:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3292f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x329bf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.rNuevaorden_pdf.exe.49ddf8.2.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f815:$s2: GetPrivateProfileString 0x2ef37:$s3: get_OSFullName 0x30582:$s5: remove_Key 0x30726:$s5: remove_Key 0x31679:$s6: FtpWebRequest 0x32611:$s7: logins 0x32b83:$s7: logins 0x35866:$s7: logins 0x35946:$s7: logins 0x37299:$s7: logins 0x364e0:$s9: 1.85 (Hash, version 2, native byte-order)
0.3.rNuevaorden_pdf.exe.49ddf8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.rNuevaorden_pdf.exe.49ddf8.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.3.rNuevaorden_pdf.exe.49ddf8.2.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.rNuevaorden_pdf.exe.49ddf8.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3442b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3449d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34527:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345b9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34623:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34695:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3472b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347bb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.rNuevaorden_pdf.exe.49ddf8.2.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31611:$s2: GetPrivateProfileString 0x30d33:$s3: get_OSFullName 0x3237e:$s5: remove_Key 0x32522:$s5: remove_Key 0x33475:$s6: FtpWebRequest 0x3440d:$s7: logins 0x3497f:$s7: logins 0x37662:$s7: logins 0x37742:$s7: logins 0x39095:$s7: logins 0x382dc:$s9: 1.85 (Hash, version 2, native byte-order)
0.3.rNuevaorden_pdf.exe.49ddf8.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.rNuevaorden_pdf.exe.49ddf8.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.3.rNuevaorden_pdf.exe.49ddf8.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.rNuevaorden_pdf.exe.49ddf8.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3442b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3449d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34527:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345b9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34623:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34695:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3472b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347bb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.rNuevaorden_pdf.exe.49ddf8.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31611:$s2: GetPrivateProfileString 0x30d33:$s3: get_OSFullName 0x3237e:$s5: remove_Key 0x32522:$s5: remove_Key 0x33475:$s6: FtpWebRequest 0x3440d:$s7: logins 0x3497f:$s7: logins 0x37662:$s7: logins 0x37742:$s7: logins 0x39095:$s7: logins 0x382dc:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.rNuevaorden_pdf.exe.22f0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.rNuevaorden_pdf.exe.22f0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.rNuevaorden_pdf.exe.22f0000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.rNuevaorden_pdf.exe.22f0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3442b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3449d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34527:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345b9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34623:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34695:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3472b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347bb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.rNuevaorden_pdf.exe.22f0000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31611:$s2: GetPrivateProfileString 0x30d33:$s3: get_OSFullName 0x3237e:$s5: remove_Key 0x32522:$s5: remove_Key 0x33475:$s6: FtpWebRequest 0x3440d:$s7: logins 0x3497f:$s7: logins 0x37662:$s7: logins 0x37742:$s7: logins 0x39095:$s7: logins 0x382dc:$s9: 1.85 (Hash, version 2, native byte-order)
0.3.rNuevaorden_pdf.exe.49ddfc.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.rNuevaorden_pdf.exe.49ddfc.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.3.rNuevaorden_pdf.exe.49ddfc.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.rNuevaorden_pdf.exe.49ddf8.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.rNuevaorden_pdf.exe.49ddfc.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3442b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3449d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34527:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345b9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34623:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34695:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3472b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347bb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.rNuevaorden_pdf.exe.49ddfc.0.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31611:$s2: GetPrivateProfileString 0x30d33:$s3: get_OSFullName 0x3237e:$s5: remove_Key 0x32522:$s5: remove_Key 0x33475:$s6: FtpWebRequest 0x3440d:$s7: logins 0x3497f:$s7: logins 0x37662:$s7: logins 0x37742:$s7: logins 0x39095:$s7: logins 0x382dc:$s9: 1.85 (Hash, version 2, native byte-order)
0.3.rNuevaorden_pdf.exe.49ddf8.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.rNuevaorden_pdf.exe.49ddf8.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3262f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x326a1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3272b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x327bd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32827:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32899:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3292f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x329bf:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.rNuevaorden_pdf.exe.49ddf8.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f815:$s2: GetPrivateProfileString 0x2ef37:$s3: get_OSFullName 0x30582:$s5: remove_Key 0x30726:$s5: remove_Key 0x31679:$s6: FtpWebRequest 0x32611:$s7: logins 0x32b83:$s7: logins 0x35866:$s7: logins 0x35946:$s7: logins 0x37299:$s7: logins 0x364e0:$s9: 1.85 (Hash, version 2, native byte-order)
8.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.RegAsm.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.RegAsm.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
8.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3442b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3449d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34527:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345b9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34623:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34695:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3472b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347bb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.RegAsm.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31611:$s2: GetPrivateProfileString 0x30d33:$s3: get_OSFullName 0x3237e:$s5: remove_Key 0x32522:$s5: remove_Key 0x33475:$s6: FtpWebRequest 0x3440d:$s7: logins 0x3497f:$s7: logins 0x37662:$s7: logins 0x37742:$s7: logins 0x39095:$s7: logins 0x382dc:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 32 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: rNuevaorden_pdf.exe

Avira: detected

Found malware configuration

Source: 0.3.rNuevaorden_pdf.exe.49ddf8.2.raw.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.lampadari.gr", "Username": "apamadick@lampadari.gr", "Password": "P8P[uVeJU=vh"}

Multi AV Scanner detection for submitted file

Source: rNuevaorden_pdf.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: rNuevaorden_pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.3.rNuevaorden_pdf.exe.49ddf8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.rNuevaorden_pdf.exe.49ddf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rNuevaorden_pdf.exe.22f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.rNuevaorden_pdf.exe.49ddfc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: rNuevaorden_pdf.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: rNuevaorden_pdf.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: rNuevaorden_pdf.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: rNuevaorden_pdf.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rNuevaorden_pdf.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: rNuevaorden_pdf.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: rNuevaorden_pdf.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: rNuevaorden_pdf.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: rNuevaorden_pdf.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RegAsm.exe, 00000008.00000002.3710941669.0000000003161000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.3710941669.0000000003243000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.3710941669.0000000003228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: rNuevaorden_pdf.exe, 00000000.00000003.1328318463.000000000047E000.00000004.00000020.00020000.00000000.sdmp, rNuevaorden_pdf.exe, 00000000.00000003.1328615566.000000000049D000.00000004.00000020.00020000.00000000.sdmp, rNuevaorden_pdf.exe, 00000000.00000002.1332113164.00000000022F2000.00000040.10000000.00040000.00000000.sdmp, rNuevaorden_pdf.exe, 00000000.00000003.1328738169.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, rNuevaorden_pdf.exe, 00000000.00000003.1328860723.000000000049D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.3710941669.0000000003161000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.3707413394.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 00000008.00000002.3710941669.0000000003228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: rNuevaorden_pdf.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: rNuevaorden_pdf.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: rNuevaorden_pdf.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: rNuevaorden_pdf.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: RegAsm.exe, 00000008.00000002.3710941669.0000000003161000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.3710941669.0000000003228000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rNuevaorden_pdf.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: rNuevaorden_pdf.exe, 00000000.00000003.1328318463.000000000047E000.00000004.00000020.00020000.00000000.sdmp, rNuevaorden_pdf.exe, 00000000.00000003.1328615566.000000000049D000.00000004.00000020.00020000.00000000.sdmp, rNuevaorden_pdf.exe, 00000000.00000002.1332113164.00000000022F2000.00000040.10000000.00040000.00000000.sdmp, rNuevaorden_pdf.exe, 00000000.00000003.1328738169.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, rNuevaorden_pdf.exe, 00000000.00000003.1328860723.000000000049D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.3707413394.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: rNuevaorden_pdf.exe	String found in binary or memory: https://github.com/mullvad/mullvadvpn-app#readme0

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.3.rNuevaorden_pdf.exe.49ddfc.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.rNuevaorden_pdf.exe.49ddfc.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.rNuevaorden_pdf.exe.49ddf8.2.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.rNuevaorden_pdf.exe.49ddf8.2.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.rNuevaorden_pdf.exe.49ddf8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.rNuevaorden_pdf.exe.49ddf8.2.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.rNuevaorden_pdf.exe.49ddf8.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.rNuevaorden_pdf.exe.49ddf8.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.rNuevaorden_pdf.exe.22f0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rNuevaorden_pdf.exe.22f0000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.rNuevaorden_pdf.exe.49ddfc.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.rNuevaorden_pdf.exe.49ddfc.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.rNuevaorden_pdf.exe.49ddf8.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.rNuevaorden_pdf.exe.49ddf8.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.1332431486.0000000025E4D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: rNuevaorden_pdf.exe

Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Code function: 0_2_260354FB NtAllocateVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,	0_2_260354FB
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Code function: 0_2_260653A0 __vbaFreeVar,NtSetInformationProcess,	0_2_260653A0
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Code function: 0_2_020D2CDF NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_020D2CDF
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Code function: 0_2_020D2CDA NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_020D2CDA
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Code function: 0_2_020D01BF NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_020D01BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0044386F NtDelayExecution,	8_2_0044386F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004460F2 NtProtectVirtualMemory,	8_2_004460F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004458B2 NtAllocateVirtualMemory,	8_2_004458B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0044315F NtCreateThreadEx,NtClose,	8_2_0044315F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00445F47 NtProtectVirtualMemory,	8_2_00445F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00445FE2 NtAllocateVirtualMemory,	8_2_00445FE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004438E5 NtCreateThreadEx,NtClose,	8_2_004438E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004458F8 NtAllocateVirtualMemory,	8_2_004458F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0044316A NtCreateThreadEx,NtClose,	8_2_0044316A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00443DDE NtClose,	8_2_00443DDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00443DB7 NtCreateThreadEx,NtClose,	8_2_00443DB7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_030EA608	8_2_030EA608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_030E4A80	8_2_030E4A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_030ED968	8_2_030ED968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_030E3E68	8_2_030E3E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_030E41B0	8_2_030E41B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_06A02470	8_2_06A02470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_06A012C0	8_2_06A012C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_06A03C18	8_2_06A03C18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_06A03530	8_2_06A03530

Source: rNuevaorden_pdf.exe

Static PE information: invalid certificate

Source: rNuevaorden_pdf.exe, 00000000.00000003.1328318463.000000000047E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename756a5eef-0c1c-4bed-83c6-a963e51853c7.exe4 vs rNuevaorden_pdf.exe
Source: rNuevaorden_pdf.exe, 00000000.00000003.1328615566.000000000049D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename756a5eef-0c1c-4bed-83c6-a963e51853c7.exe4 vs rNuevaorden_pdf.exe
Source: rNuevaorden_pdf.exe, 00000000.00000003.1328738169.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename756a5eef-0c1c-4bed-83c6-a963e51853c7.exe4 vs rNuevaorden_pdf.exe
Source: rNuevaorden_pdf.exe, 00000000.00000000.1255796268.000000002606C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameacvm7qw909e.exe vs rNuevaorden_pdf.exe
Source: rNuevaorden_pdf.exe, 00000000.00000002.1332113164.000000000232E000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename756a5eef-0c1c-4bed-83c6-a963e51853c7.exe4 vs rNuevaorden_pdf.exe
Source: rNuevaorden_pdf.exe, 00000000.00000003.1328860723.000000000049D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename756a5eef-0c1c-4bed-83c6-a963e51853c7.exe4 vs rNuevaorden_pdf.exe
Source: rNuevaorden_pdf.exe	Binary or memory string: OriginalFilenameacvm7qw909e.exe vs rNuevaorden_pdf.exe

Source: rNuevaorden_pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.3.rNuevaorden_pdf.exe.49ddfc.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.rNuevaorden_pdf.exe.49ddfc.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.3.rNuevaorden_pdf.exe.49ddf8.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.rNuevaorden_pdf.exe.49ddf8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.3.rNuevaorden_pdf.exe.49ddf8.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.rNuevaorden_pdf.exe.49ddf8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.3.rNuevaorden_pdf.exe.49ddf8.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.rNuevaorden_pdf.exe.49ddf8.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.rNuevaorden_pdf.exe.22f0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rNuevaorden_pdf.exe.22f0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.3.rNuevaorden_pdf.exe.49ddfc.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.rNuevaorden_pdf.exe.49ddfc.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.3.rNuevaorden_pdf.exe.49ddf8.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.rNuevaorden_pdf.exe.49ddf8.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.1332431486.0000000025E4D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\eb42b1a5c308fc11edf1ddbdd25c8486_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Mutant created: NULL

Source: rNuevaorden_pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000008.00000002.3710941669.0000000003273000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.3710941669.0000000003261000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: rNuevaorden_pdf.exe

ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Users\user\Desktop\rNuevaorden_pdf.exe "C:\Users\user\Desktop\rNuevaorden_pdf.exe"
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Section loaded: vb6de.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Section loaded: vb6de.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: rNuevaorden_pdf.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: rNuevaorden_pdf.exe

Static file information: File size 2283936 > 1048576

Source: rNuevaorden_pdf.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x225000

Source: rNuevaorden_pdf.exe

Static PE information: real checksum: 0x237139 should be: 0x2334ff

Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Code function: 0_2_25E4CDB4 push D4006C00h; iretd	0_2_25E4CE05
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Code function: 0_2_020D2A23 pushad ; ret	0_2_020D2A26
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Code function: 0_2_020D1E30 pushad ; retf	0_2_020D1E36
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Code function: 0_2_020D4EBB push ds; ret	0_2_020D4ECC
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Code function: 0_2_020D12E6 push ss; iretd	0_2_020D12E8
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Code function: 0_2_020D47AC push es; iretd	0_2_020D47CB
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Code function: 0_2_020D0DD4 push esp; retf	0_2_020D0DE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004434B4 push es; iretd	8_2_004434D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00443BC3 push ds; ret	8_2_00443BD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_030E9E50 pushfd ; ret	8_2_030EA361

Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: rNuevaorden_pdf.exe, 00000000.00000003.1328318463.000000000047E000.00000004.00000020.00020000.00000000.sdmp, rNuevaorden_pdf.exe, 00000000.00000003.1328615566.000000000049D000.00000004.00000020.00020000.00000000.sdmp, rNuevaorden_pdf.exe, 00000000.00000002.1332113164.00000000022F2000.00000040.10000000.00040000.00000000.sdmp, rNuevaorden_pdf.exe, 00000000.00000003.1328738169.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, rNuevaorden_pdf.exe, 00000000.00000003.1328860723.000000000049D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.3710941669.0000000003243000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.3707413394.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 00000008.00000002.3710941669.0000000003195000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 30A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3160000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 5160000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1352	Thread sleep count: 174 > 30			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1352	Thread sleep time: -174000s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: RegAsm.exe, 00000008.00000002.3710941669.0000000003195000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegAsm.exe, 00000008.00000002.3710941669.0000000003195000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: RegAsm.exe, 00000008.00000002.3707413394.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegAsm.exe, 00000008.00000002.3712475530.0000000006484000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_030E7138 CheckRemoteDebuggerPresent,

8_2_030E7138

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Code function: 0_2_26035AB1 mov eax, dword ptr fs:[00000030h]	0_2_26035AB1
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Code function: 0_2_020D2CDF mov eax, dword ptr fs:[00000030h]	0_2_020D2CDF
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Code function: 0_2_020D32B0 mov eax, dword ptr fs:[00000030h]	0_2_020D32B0
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Code function: 0_2_020D6F22 mov eax, dword ptr fs:[00000030h]	0_2_020D6F22
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Code function: 0_2_020D6C40 mov eax, dword ptr fs:[00000030h]	0_2_020D6C40
Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe	Code function: 0_2_020D6CA6 mov eax, dword ptr fs:[00000030h]	0_2_020D6CA6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004458B2 mov ecx, dword ptr fs:[00000030h]	8_2_004458B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00445C2A mov eax, dword ptr fs:[00000030h]	8_2_00445C2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004458E8 mov eax, dword ptr fs:[00000030h]	8_2_004458E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004458F8 mov ecx, dword ptr fs:[00000030h]	8_2_004458F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00445948 mov eax, dword ptr fs:[00000030h]	8_2_00445948
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004459AE mov eax, dword ptr fs:[00000030h]	8_2_004459AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00445A2B mov eax, dword ptr fs:[00000030h]	8_2_00445A2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00445690 mov ecx, dword ptr fs:[00000030h]	8_2_00445690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00445ABF mov eax, dword ptr fs:[00000030h]	8_2_00445ABF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004457FC mov eax, dword ptr fs:[00000030h]	8_2_004457FC

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F95008

Jump to behavior

Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\rNuevaorden_pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.3.rNuevaorden_pdf.exe.49ddfc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.rNuevaorden_pdf.exe.49ddf8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.rNuevaorden_pdf.exe.49ddf8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.rNuevaorden_pdf.exe.49ddf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rNuevaorden_pdf.exe.22f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.rNuevaorden_pdf.exe.49ddfc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.rNuevaorden_pdf.exe.49ddf8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1332113164.00000000022F2000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1328318463.000000000047E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1328615566.000000000049D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3707413394.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1328738169.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1328860723.000000000049D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rNuevaorden_pdf.exe PID: 5968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1196, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.3.rNuevaorden_pdf.exe.49ddfc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.rNuevaorden_pdf.exe.49ddf8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.rNuevaorden_pdf.exe.49ddf8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.rNuevaorden_pdf.exe.49ddf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rNuevaorden_pdf.exe.22f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.rNuevaorden_pdf.exe.49ddfc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.rNuevaorden_pdf.exe.49ddf8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1332113164.00000000022F2000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1328318463.000000000047E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1328615566.000000000049D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3707413394.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1328738169.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1328860723.000000000049D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3710941669.0000000003195000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rNuevaorden_pdf.exe PID: 5968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1196, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.3.rNuevaorden_pdf.exe.49ddfc.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.rNuevaorden_pdf.exe.49ddf8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.rNuevaorden_pdf.exe.49ddf8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.rNuevaorden_pdf.exe.49ddf8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rNuevaorden_pdf.exe.22f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.rNuevaorden_pdf.exe.49ddfc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.rNuevaorden_pdf.exe.49ddf8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1332113164.00000000022F2000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1328318463.000000000047E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1328615566.000000000049D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3707413394.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1328738169.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1328860723.000000000049D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rNuevaorden_pdf.exe PID: 5968, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1196, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	1 Masquerading	1 OS Credential Dumping	531 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	25 Virtualization/Sandbox Evasion	LSASS Memory	25 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	211 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	34 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
rNuevaorden_pdf.exe	50%	ReversingLabs	Win32.Trojan.MintZard
rNuevaorden_pdf.exe	100%	Avira	TR/Dropper.Gen

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://account.dyn.com/	rNuevaorden_pdf.exe, 00000000.00000003.1328318463.000000000047E000.00000004.00000020.00020000.00000000.sdmp, rNuevaorden_pdf.exe, 00000000.00000003.1328615566.000000000049D000.00000004.00000020.00020000.00000000.sdmp, rNuevaorden_pdf.exe, 00000000.00000002.1332113164.00000000022F2000.00000040.10000000.00040000.00000000.sdmp, rNuevaorden_pdf.exe, 00000000.00000003.1328738169.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, rNuevaorden_pdf.exe, 00000000.00000003.1328860723.000000000049D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.3707413394.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
https://github.com/mullvad/mullvadvpn-app#readme0	rNuevaorden_pdf.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000008.00000002.3710941669.0000000003161000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.3710941669.0000000003228000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com	RegAsm.exe, 00000008.00000002.3710941669.0000000003161000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.3710941669.0000000003243000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.3710941669.0000000003228000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586732
Start date and time:	2025-01-09 15:05:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rNuevaorden_pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 82% Number of executed functions: 23 Number of non-executed functions: 11
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.253.45, 20.12.23.50
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: rNuevaorden_pdf.exe

Simulations

Behavior and APIs

Time	Type	Description
10:38:37	API Interceptor	145x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	I334hDwRjj.exe	Get hash	malicious	Blank Grabber, Njrat	Browse	ip-api.com/json/?fields=225545
	startup_str_466.bat	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	7dtpow.ps1	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	x.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	TR98760H.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	47SXvEQ.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse	ip-api.com/json/?fields=225545
	test.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	ip-api.com/json/
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	ip-api.com/line/?fields=hosting
	1.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=hosting,query
	1.exe	Get hash	malicious	Unknown	Browse	ip-api.com/json/?fields=hosting,query

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	I334hDwRjj.exe	Get hash	malicious	Blank Grabber, Njrat	Browse	208.95.112.1
	startup_str_466.bat	Get hash	malicious	XWorm	Browse	208.95.112.1
	7dtpow.ps1	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	x.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	TR98760H.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	47SXvEQ.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse	208.95.112.1
	test.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	208.95.112.1
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	208.95.112.1
	1.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	1.exe	Get hash	malicious	Unknown	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	I334hDwRjj.exe	Get hash	malicious	Blank Grabber, Njrat	Browse	208.95.112.1
	startup_str_466.bat	Get hash	malicious	XWorm	Browse	208.95.112.1
	7dtpow.ps1	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	x.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	TR98760H.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	47SXvEQ.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse	208.95.112.1
	test.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	208.95.112.1
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	208.95.112.1
	1.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	1.exe	Get hash	malicious	Unknown	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\eb42b1a5c308fc11edf1ddbdd25c8486_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\rNuevaorden_pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	50
Entropy (8bit):	1.5212424590621707
Encrypted:	false
SSDEEP:	3:/lvlp:p
MD5:	C851BF93667BDD6310D56581D955C2AE
SHA1:	8FC5AEC1542BD7471BF815632863622EFE23A834
SHA-256:	3C1A3E1EF8840689F0C6EC14E22435FC79EBC3F8771B7CD230F784CC81AE431D
SHA-512:	D3D597D36DE0EE75AA44F4F8571E56DAD810E7E6C9839F5D5E6BB05846AB6E61FAF1E9530333BD6EC5AB04098AAE935A522DBD149D214A5971A7368E18C3C9B4
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.178697695122667
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rNuevaorden_pdf.exe
File size:	2'283'936 bytes
MD5:	5c56f7b36c3eb8ef883c56b817deb84a
SHA1:	4cd5ac8d38c6a404060f8256bbeb3c47f4c6bf9f
SHA256:	04bdc8b7b3fef8114c7be89c4eb90769e91dc50c8af12d518f724f15519d71a8
SHA512:	62977535ce741a7be1d9c3e1e4cced8774592081eb6819c869aa982ae69fb4bf6a78bdbabaab8f7d81e82c0bb10ad4f55e4082194d95bf910c5788bf62378844
SSDEEP:	49152:Y3ASbdYAm4zEbdYAm4zWbdYAm4z23Ag3AWbdYAm4zSbdYAm4zO3AgS+t:qA4drWdr0drkASA0dr4dr8AX
TLSH:	BBB5BF0322208FAFED86DF3677BA80E443153C5903155A41329F7720EB779BE9D29A5B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................Rich............PE..L......g.................P"..P......4........`"....%.......

File Icon


Icon Hash:	0b3c394969696722

Static PE Info

General

Entrypoint:	0x25e41234
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x25e40000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x677FB18F [Thu Jan 9 11:22:55 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	42a4e0f64241075ea237a4cf00d0db9f

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	14/03/2024 01:00:00 07/02/2027 00:59:59
Subject Chain	CN=Mullvad VPN AB, O=Mullvad VPN AB, L=G\xf6teborg, C=SE, SERIALNUMBER=559238-4001, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=SE
Version:	3
Thumbprint MD5:	7068F855B513C1F69538E13DF0A7870D
Thumbprint SHA-1:	1F5E906F4E2DBE2A3C3226A6B0638E9327F76135
Thumbprint SHA-256:	4136B97CF51C1779F94FF626978743FF874E0EABB3AFB5CB00CB9E6DBB5440E8
Serial:	078050BBC100F2FFAF0FE03B15FE221A

Entrypoint Preview

Instruction
push 25E4A54Ch
call 00007F3A9908D0A5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dh, al
push ebx
jns 00007F3A9908D0D5h
mov ecx, B04DD8DFh
mov byte ptr [edx], ah
sbb dword ptr [edx-17h], edx
and byte ptr [ebx], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
sub eax, 30303043h
sub eax, 61726543h
pop edi
push esi
popad
jno 00007F3A9908D117h
popad
add byte ptr [esi], dh
jnl 00007F3A9908D0D5h
xor ch, byte ptr [esi]
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
add al, al
fsub qword ptr [edi+37h]
pop ebp
fstp dword ptr [edx-019657BCh]
int 97h
sbb byte ptr [edi-3D100426h], ch
mov edx, ecx
jno 00007F3A9908D080h
inc esp
mov ch, 59h
xor bl, byte ptr [edx+2Fh]
mov dword ptr [4F3A5001h], eax
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor dl, byte ptr [ecx+00420000h]
add byte ptr [eax], al
add byte ptr [726F4600h], al
insd
xor dword ptr [eax], eax
or eax, 46000501h
outsd
jc 00007F3A9908D11Fh
xor dword ptr [eax], eax
sbb dword ptr [ecx], eax
add byte ptr [edx+00h], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x226408	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22c000	0x2894	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x22b000	0x29a0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x226000	0x180	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x224dd4	0x225000	ec8d87c508226191021b0385860d6104	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x226000	0xb30	0x1000	247ba9c57e0153ff8ad7a3e5007a70ef	False	0.27490234375	data	3.852615893128322	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x227000	0x4bac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x22c000	0x2894	0x3000	2baf5f70157517665e235b7a5d5d044e	False	0.292724609375	data	3.958826443751654	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x22c0e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.33599585062240667
RT_GROUP_ICON	0x22e690	0x14	data			1.15
RT_VERSION	0x22e6a4	0x1f0	MS Windows COFF PowerPC object file	German	Germany	0.49798387096774194

Imports

DLL

Import

KERNEL32.DLL

GetProcAddress, GetModuleHandleW

MSVBVM60.DLL

__vbaVarSub, _CIcos, _adj_fptan, __vbaVarMove, __vbaVarVargNofree, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaNextEachVar, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaBoolErrVar, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenVar, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaRefVarAry, __vbaBoolVarNull, _CIsin, __vbaVargVarMove, __vbaVarZero, __vbaVarCmpGt, __vbaChkstk, EVENT_SINK_AddRef, __vbaVarTstEq, DllFunctionCall, __vbaVarOr, __vbaRedimPreserve, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaNew, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaStrVarVal, __vbaUbound, __vbaVarCat, _CIlog, __vbaVar2Vec, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaAryLock, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaVarCopy, __vbaVarLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, __vbaStrVarCopy, __vbaForEachVar, _allmul, _CItan, __vbaAryUnlock, _CIexp, __vbaFreeObj, __vbaFreeStr

Possible Origin

Language of compilation system	Country where language is spoken	Map
German	Germany

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 15:06:20.502583027 CET	49700	80	192.168.2.7	208.95.112.1
Jan 9, 2025 15:06:20.507565022 CET	80	49700	208.95.112.1	192.168.2.7
Jan 9, 2025 15:06:20.507661104 CET	49700	80	192.168.2.7	208.95.112.1
Jan 9, 2025 15:06:20.508483887 CET	49700	80	192.168.2.7	208.95.112.1
Jan 9, 2025 15:06:20.513356924 CET	80	49700	208.95.112.1	192.168.2.7
Jan 9, 2025 15:06:20.962548018 CET	80	49700	208.95.112.1	192.168.2.7
Jan 9, 2025 15:06:21.008434057 CET	49700	80	192.168.2.7	208.95.112.1
Jan 9, 2025 15:07:27.843049049 CET	80	49700	208.95.112.1	192.168.2.7
Jan 9, 2025 15:07:27.843200922 CET	49700	80	192.168.2.7	208.95.112.1
Jan 9, 2025 15:08:00.979166031 CET	49700	80	192.168.2.7	208.95.112.1
Jan 9, 2025 15:08:00.984230995 CET	80	49700	208.95.112.1	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 15:06:20.489489079 CET	61032	53	192.168.2.7	1.1.1.1
Jan 9, 2025 15:06:20.496457100 CET	53	61032	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 15:06:20.489489079 CET	192.168.2.7	1.1.1.1	0x5ad0	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 15:06:20.496457100 CET	1.1.1.1	192.168.2.7	0x5ad0	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	208.95.112.1	80	1196	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 15:06:20.508483887 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 9, 2025 15:06:20.962548018 CET	175	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 14:06:20 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	09:06:12
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\rNuevaorden_pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rNuevaorden_pdf.exe"
Imagebase:	0x25e40000
File size:	2'283'936 bytes
MD5 hash:	5C56F7B36C3EB8EF883C56B817DEB84A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1332113164.00000000022F2000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1332113164.00000000022F2000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1328318463.000000000047E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1328318463.000000000047E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1328615566.000000000049D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1328615566.000000000049D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.1332431486.0000000025E4D000.00000040.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1328738169.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1328738169.0000000003DF1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1328860723.000000000049D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1328860723.000000000049D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:06:19
Start date:	09/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Imagebase:	0xce0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3707413394.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3707413394.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3710941669.0000000003195000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	17.1%
Dynamic/Decrypted Code Coverage:	29.2%
Signature Coverage:	25.5%
Total number of Nodes:	212
Total number of Limit Nodes:	13

Executed Functions

Function 020D01BF Relevance: 30.3, APIs: 10, Strings: 7, Instructions: 528
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:5l, xrefs: 020D2BFA
\Microsoft.NET\Framework\, xrefs: 020D3014
e, xrefs: 020D300D
D, xrefs: 020D307E
P, xrefs: 020D0186
m.ex, xrefs: 020D3006
egas, xrefs: 020D2FFF

Memory Dump Source

Source File: 00000000.00000002.1331946251.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_rNuevaorden_pdf.jbxd

Similarity

API ID:
String ID: D$P$\Microsoft.NET\Framework\$e$egas$m.ex$:5l
API String ID: 0-870784547
Opcode ID: a5ab6bf26550a7479030c5998fa4104f56a063e691e157acfb111672f830f752
Instruction ID: 4a9d61d38abfc5c6973fdeb61bb928f7c1e4cd1ba500377bcc39067d3eff0ae9
Opcode Fuzzy Hash: a5ab6bf26550a7479030c5998fa4104f56a063e691e157acfb111672f830f752
Instruction Fuzzy Hash: 4902CDB6D0235AAFDF12DFA4CC81AEDBBB9EF04304F1840AAE514A7202D7309955EF51

Function 020D2CDF Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 369
nativethreadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 020D2ECB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 020D2EF8
CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 020D30A3
NtGetContextThread.NTDLL(?,?), ref: 020D30C2
NtReadVirtualMemory.NTDLL(?,?,?,000001D8,?), ref: 020D30E8
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 020D3112
NtUnmapViewOfSection.NTDLL(?,?), ref: 020D312D
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 020D3146
NtSetContextThread.NTDLL(?,00010003), ref: 020D3177
NtResumeThread.NTDLL(?,00000000), ref: 020D3184

Strings

\Microsoft.NET\Framework\, xrefs: 020D3014
e, xrefs: 020D300D
D, xrefs: 020D307E
m.ex, xrefs: 020D3006
egas, xrefs: 020D2FFF

Memory Dump Source

Source File: 00000000.00000002.1331946251.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_rNuevaorden_pdf.jbxd

Similarity

API ID: Section$ThreadView$ContextCreateMemoryVirtual$ProcessReadResumeUnmapWrite
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 1951729442-1087957892
Opcode ID: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
Instruction ID: 8c12874ab9b28be47f8e9ec1d0aeceb0722d5bf7e028eed704562d8f8bd2d00c
Opcode Fuzzy Hash: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
Instruction Fuzzy Hash: 82E103B6D0235AAFDF11DFA4CC81AEEBBB9EF08304F1444AAE514A7201D730AA45DF55

Function 020D2CDA Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 352
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 020D2ECB
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 020D2EF8

Strings

\Microsoft.NET\Framework\, xrefs: 020D3014
e, xrefs: 020D300D
D, xrefs: 020D307E
m.ex, xrefs: 020D3006
egas, xrefs: 020D2FFF

Memory Dump Source

Source File: 00000000.00000002.1331946251.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_rNuevaorden_pdf.jbxd

Similarity

API ID: Section$CreateView
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 1585966358-1087957892
Opcode ID: cfb7f0904d5fdd6bf2801a2d1db18ae17906b1726f4676b0447f4946eb2ede80
Instruction ID: 74a3fb50fdca538883756ea57bc9ddb8dd3fce8b46def6343f5185cc4cb1139d
Opcode Fuzzy Hash: cfb7f0904d5fdd6bf2801a2d1db18ae17906b1726f4676b0447f4946eb2ede80
Instruction Fuzzy Hash: F6D104B6D0235AAFDF11DFE4CC85AEDBBB9AF08304F1440AAE524A7201D730AA45DF55

Function 260354FB Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000100,00000000,00000100,00003000,00000040,?,NtQueryInformationProcess,2603425F,?,NtQueryInformationProcess,26034279,?,NtQueryInformationProcess,26034248,NtQueryInformationProcess), ref: 26035592
NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,00000040,00000000,?,NtQueryInformationProcess,2603425F,?,NtQueryInformationProcess,26034279,?,NtQueryInformationProcess,26034248,NtQueryInformationProcess,260342EA), ref: 260355BD
NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,00000000,00000000,?,NtQueryInformationProcess,2603425F,?,NtQueryInformationProcess,26034279,?,NtQueryInformationProcess,26034248,NtQueryInformationProcess,260342EA), ref: 260356B9

Strings

NtQueryInformationProcess, xrefs: 2603551D, 26035532, 2603554A, 26035562

Memory Dump Source

Source File: 00000000.00000002.1332461446.0000000025E56000.00000020.00000001.01000000.00000003.sdmp, Offset: 25E40000, based on PE: true

Associated: 00000000.00000002.1332353553.0000000025E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332394258.0000000025E41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332431486.0000000025E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332461446.0000000025E4F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332810858.0000000026066000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332848906.0000000026067000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332848906.000000002606B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332915075.000000002606C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e40000_rNuevaorden_pdf.jbxd

Yara matches

Similarity

API ID: MemoryVirtual$Protect$Allocate
String ID: NtQueryInformationProcess
API String ID: 955180148-2781105232
Opcode ID: e29e07d13ed49beb9fc8bf793599a9c8a34ec11761ef9bd0636c5ce333de281b
Instruction ID: f4f85828376075ea39488df7df3e35cec4baf85064ef787c7a2b7466b69f47b6
Opcode Fuzzy Hash: e29e07d13ed49beb9fc8bf793599a9c8a34ec11761ef9bd0636c5ce333de281b
Instruction Fuzzy Hash: 5B51C27180420AEFEB01CFA4CC80ADEBFB6EB95712F404755F111A71A1D775A650ABB1

Function 260653A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationProcess.NTDLL(000000FF,00000022,?,00000004), ref: 260653E6

Strings

0, xrefs: 260653DA

Memory Dump Source

Source File: 00000000.00000002.1332461446.0000000025E56000.00000020.00000001.01000000.00000003.sdmp, Offset: 25E40000, based on PE: true

Associated: 00000000.00000002.1332353553.0000000025E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332394258.0000000025E41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332431486.0000000025E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332461446.0000000025E4F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332810858.0000000026066000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332848906.0000000026067000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332848906.000000002606B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332915075.000000002606C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e40000_rNuevaorden_pdf.jbxd

Yara matches

Similarity

API ID: InformationProcess
String ID: 0
API String ID: 1801817001-4108050209
Opcode ID: 7c295924cde36f5c4c15b6beced2371ec29f75a5edf99083c36fa592cc24ae90
Instruction ID: c3e8ed72ecc3a2b7e6757148f14d0ff3a2cd7a40886c6a5fdec68170f8387c69
Opcode Fuzzy Hash: 7c295924cde36f5c4c15b6beced2371ec29f75a5edf99083c36fa592cc24ae90
Instruction Fuzzy Hash: 04E0EDB1840358BBDB11EFD9CE49F9EBEBCEB18B15F500255F60176680D3786A049AA2

Function 2605ED00 Relevance: 184.4, APIs: 102, Strings: 3, Instructions: 674
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCat.MSVBVM60(25E4D9F8,25E4D9F0,?,6D6C60EF), ref: 2605ED8F
__vbaStrMove.MSVBVM60(?,6D6C60EF), ref: 2605ED9C
__vbaStrCat.MSVBVM60(bvm,00000000,?,6D6C60EF), ref: 2605EDA4
__vbaStrMove.MSVBVM60(?,6D6C60EF), ref: 2605EDAB
__vbaStrCat.MSVBVM60(25E4DA10,00000000,?,6D6C60EF), ref: 2605EDB3
__vbaStrMove.MSVBVM60(?,6D6C60EF), ref: 2605EDBA
#644.MSVBVM60(00000000,?,6D6C60EF), ref: 2605EDBD
GetModuleHandleW.KERNEL32(00000000,?,6D6C60EF), ref: 2605EDC4
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,6D6C60EF), ref: 2605EDDD

Part of subcall function 26062BD0: __vbaVarDup.MSVBVM60(6D5DD8B1,6D5CA323), ref: 26062C13
Part of subcall function 26062BD0: #653.MSVBVM60(?,?), ref: 26062C21
Part of subcall function 26062BD0: __vbaI4Var.MSVBVM60(?), ref: 26062C2B
Part of subcall function 26062BD0: __vbaFreeVar.MSVBVM60 ref: 26062C44
Part of subcall function 26062BD0: #632.MSVBVM60(?,?,?,?), ref: 26062C80
Part of subcall function 26062BD0: __vbaVarCat.MSVBVM60(?,?,00000008), ref: 26062C92
Part of subcall function 26062BD0: __vbaStrVarMove.MSVBVM60(00000000), ref: 26062C99
Part of subcall function 26062BD0: __vbaStrMove.MSVBVM60 ref: 26062CA4
Part of subcall function 26062BD0: __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 26062CB4
Part of subcall function 26062BD0: __vbaFreeVar.MSVBVM60(26062CF9), ref: 26062CF2

__vbaStrMove.MSVBVM60(?,6D6C60EF), ref: 2605EE0A
__vbaStrToAnsi.MSVBVM60(?,00000000,?,6D6C60EF), ref: 2605EE11
GetProcAddress.KERNEL32(00000000,00000000), ref: 2605EE1F
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,6D6C60EF), ref: 2605EE34
__vbaStrCat.MSVBVM60(25E4DA6C,25E4DA60), ref: 2605EE47
__vbaStrMove.MSVBVM60 ref: 2605EE4E
__vbaStrCat.MSVBVM60(25E4DA80,00000000), ref: 2605EE56
__vbaStrMove.MSVBVM60 ref: 2605EE83
#644.MSVBVM60(00000000), ref: 2605EE86
GetModuleHandleW.KERNEL32(00000000), ref: 2605EE8D
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 2605EEA2
__vbaFreeVar.MSVBVM60 ref: 2605EEAE
__vbaStrCat.MSVBVM60(25E4D8CC,25E4DA98), ref: 2605EEBE
__vbaStrMove.MSVBVM60 ref: 2605EEC5
__vbaStrCat.MSVBVM60(25E4D8D4,00000000), ref: 2605EECD
__vbaStrMove.MSVBVM60 ref: 2605EED4
__vbaStrCat.MSVBVM60(25E4DAA0,00000000), ref: 2605EEDC
__vbaStrMove.MSVBVM60 ref: 2605EEE3
__vbaStrCat.MSVBVM60(25E4DAA8,00000000), ref: 2605EEEB
__vbaStrMove.MSVBVM60 ref: 2605EEF2
__vbaStrCat.MSVBVM60(25E4DAB0,00000000), ref: 2605EEFA
__vbaStrMove.MSVBVM60 ref: 2605EF01
__vbaStrCat.MSVBVM60(25E4DAB8,00000000), ref: 2605EF09
__vbaStrMove.MSVBVM60 ref: 2605EF10
__vbaStrCat.MSVBVM60(25E4DAC0,00000000), ref: 2605EF18
__vbaStrMove.MSVBVM60 ref: 2605EF1F
__vbaStrCat.MSVBVM60(25E4D8D4,00000000), ref: 2605EF27
__vbaStrMove.MSVBVM60 ref: 2605EF2E
__vbaStrCat.MSVBVM60(25E4DAC8,00000000), ref: 2605EF36
__vbaStrMove.MSVBVM60 ref: 2605EF3D
__vbaStrCat.MSVBVM60(25E4DAA0,00000000), ref: 2605EF45
__vbaStrMove.MSVBVM60 ref: 2605EF4C
__vbaStrCat.MSVBVM60(25E4DAD0,00000000), ref: 2605EF54
__vbaStrMove.MSVBVM60 ref: 2605EF5B
__vbaStrCat.MSVBVM60(25E4DAD8,00000000), ref: 2605EF63
__vbaStrMove.MSVBVM60 ref: 2605EF6A
__vbaStrCat.MSVBVM60(25E4DAA0,00000000), ref: 2605EF72
__vbaStrMove.MSVBVM60 ref: 2605EF79
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 2605EF80
GetProcAddress.KERNEL32(00000000,00000000), ref: 2605EF8E
__vbaFreeStrList.MSVBVM60(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 2605EFD3
__vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,0000000F,00000000), ref: 2605EFEB
__vbaNew.MSVBVM60(25E4DAFC,25E4DB0C), ref: 2605EFFE
__vbaObjSet.MSVBVM60(?,00000000), ref: 2605F009
__vbaCastObj.MSVBVM60(00000000), ref: 2605F010
__vbaObjSet.MSVBVM60(?,00000000), ref: 2605F01B
__vbaObjSetAddref.MSVBVM60(260672D0,00000000), ref: 2605F029
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 2605F039
__vbaObjSetAddref.MSVBVM60(?), ref: 2605F04F
#644.MSVBVM60(00000000), ref: 2605F056
__vbaFreeObj.MSVBVM60 ref: 2605F062
#644.MSVBVM60(?), ref: 2605F06C
__vbaAryLock.MSVBVM60(?,?,?,?,00000000), ref: 2605F09C
#644.MSVBVM60(?), ref: 2605F0B4
__vbaAryUnlock.MSVBVM60(?), ref: 2605F0C4
__vbaObjSetAddref.MSVBVM60(?,?,?,?,00000000), ref: 2605F101
#644.MSVBVM60(00000000,?,?,?,00000000), ref: 2605F108
__vbaFreeObj.MSVBVM60(?,?,?,00000000), ref: 2605F114
#644.MSVBVM60(260672CC,?,?,?,00000000), ref: 2605F123
__vbaAryLock.MSVBVM60(?,?,00000000,?,00000004,?,?,?,00000000), ref: 2605F143
#644.MSVBVM60(?,?,?,?,00000000), ref: 2605F158
__vbaAryUnlock.MSVBVM60(?,?,?,?,00000000), ref: 2605F168
#644.MSVBVM60(?,?,?,?,00000000), ref: 2605F181
__vbaRedim.MSVBVM60(00000080,00000004,26067214,00000003,00000001,00000010,00000000,00000000,?,?,?,?,00000000), ref: 2605F1BD
#644.MSVBVM60(?), ref: 2605F1CA
#644.MSVBVM60(?,-0000000C,00000000), ref: 2605F1F0
__vbaAryLock.MSVBVM60(?,00000000,00000000,-0000000C), ref: 2605F21C
__vbaStrCat.MSVBVM60(25E4DB34,25E4DB2C,?,00000040), ref: 2605F252
__vbaStrMove.MSVBVM60 ref: 2605F259
__vbaI4Str.MSVBVM60(00000000), ref: 2605F25C
VirtualProtect.KERNELBASE(?,00000000), ref: 2605F272
__vbaHresultCheckObj.MSVBVM60(00000000,?,25E4DB0C,0000002C,?,00000000), ref: 2605F28C
__vbaAryUnlock.MSVBVM60(?,?,00000000), ref: 2605F296
__vbaFreeStr.MSVBVM60(?,00000000), ref: 2605F29F
#644.MSVBVM60(?,?,00000000), ref: 2605F2AF
__vbaAryLock.MSVBVM60(?,00000000,00000000,00000000,-0000000C,?,00000000), ref: 2605F2EA
#644.MSVBVM60(?,?,00000000), ref: 2605F301
__vbaAryUnlock.MSVBVM60(?,?,00000000), ref: 2605F30D
#644.MSVBVM60(00000040,00000000,00000000,-0000000C,?,00000000), ref: 2605F347
#644.MSVBVM60(0424448B,00000000,?,?,00000000), ref: 2605F36D
#644.MSVBVM60(408B008B,00000000,?,?,00000000), ref: 2605F393
#644.MSVBVM60(20C4832C,00000000,?,?,00000000), ref: 2605F3B9
#644.MSVBVM60(E02474FF,00000000,?,?,00000000), ref: 2605F3DF
VirtualProtect.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000008,00000040,?,00000000,?,?,00000000), ref: 2605F436
__vbaHresultCheckObj.MSVBVM60(00000000,?,25E4DB0C,00000020,?,00000000), ref: 2605F450
__vbaAryLock.MSVBVM60(?,00000000,00000000,?,00000000), ref: 2605F47C
#644.MSVBVM60(?,?,00000000), ref: 2605F493
__vbaAryUnlock.MSVBVM60(?,?,00000000), ref: 2605F49F
#644.MSVBVM60(260672CC,00000000,?,00000000), ref: 2605F4CC
#644.MSVBVM60(00000000,00000000,?,?,00000000), ref: 2605F4E5
#644.MSVBVM60(-00000004,00000000,00000000,?,00000000), ref: 2605F4FD
__vbaFreeVar.MSVBVM60(?,-00000004,00000000,?,00000000), ref: 2605F51B
__vbaAryDestruct.MSVBVM60(00000000,?,2605F59C,?,00000000), ref: 2605F595

Strings

@, xrefs: 2605F1E5
bvm, xrefs: 2605ED9F
DqlqlqFquqnqcqtqiqoqnqCqaqlqlq, xrefs: 2605EDEA

Memory Dump Source

Source File: 00000000.00000002.1332461446.0000000025E56000.00000020.00000001.01000000.00000003.sdmp, Offset: 25E40000, based on PE: true

Associated: 00000000.00000002.1332353553.0000000025E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332394258.0000000025E41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332431486.0000000025E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332461446.0000000025E4F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332810858.0000000026066000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332848906.0000000026067000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332848906.000000002606B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332915075.000000002606C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e40000_rNuevaorden_pdf.jbxd

Yara matches

Similarity

API ID: __vba$#644Move$Free$List$LockUnlock$Addref$AddressAnsiCheckHandleHresultModuleProcProtectRedimVirtual$#632#653CastDestruct
String ID: @$DqlqlqFquqnqcqtqiqoqnqCqaqlqlq$bvm
API String ID: 3776562771-683613472
Opcode ID: f4e94e31408e10c15b4f84d0f5b4a8f39ead9e07a5642bd8fd9640623f0a42ab
Instruction ID: 22ff0296b6eaa22ac360ed90e4800aa96ad56a384b601d1870f828ba4149536c
Opcode Fuzzy Hash: f4e94e31408e10c15b4f84d0f5b4a8f39ead9e07a5642bd8fd9640623f0a42ab
Instruction Fuzzy Hash: 07422EB1D10209AFDB18DFA4CD88EEEBBBAFF58300F108559E505E7244DA78A945DF60

Function 25E4AF09 Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaFreeVar.MSVBVM60(?), ref: 26064E72

Part of subcall function 2605ED00: __vbaStrCat.MSVBVM60(25E4D9F8,25E4D9F0,?,6D6C60EF), ref: 2605ED8F
Part of subcall function 2605ED00: __vbaStrMove.MSVBVM60(?,6D6C60EF), ref: 2605ED9C
Part of subcall function 2605ED00: __vbaStrCat.MSVBVM60(bvm,00000000,?,6D6C60EF), ref: 2605EDA4
Part of subcall function 2605ED00: __vbaStrMove.MSVBVM60(?,6D6C60EF), ref: 2605EDAB
Part of subcall function 2605ED00: __vbaStrCat.MSVBVM60(25E4DA10,00000000,?,6D6C60EF), ref: 2605EDB3
Part of subcall function 2605ED00: __vbaStrMove.MSVBVM60(?,6D6C60EF), ref: 2605EDBA
Part of subcall function 2605ED00: #644.MSVBVM60(00000000,?,6D6C60EF), ref: 2605EDBD
Part of subcall function 2605ED00: GetModuleHandleW.KERNEL32(00000000,?,6D6C60EF), ref: 2605EDC4
Part of subcall function 2605ED00: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,6D6C60EF), ref: 2605EDDD
Part of subcall function 2605ED00: __vbaStrMove.MSVBVM60(?,6D6C60EF), ref: 2605EE0A
Part of subcall function 2605ED00: __vbaStrToAnsi.MSVBVM60(?,00000000,?,6D6C60EF), ref: 2605EE11
Part of subcall function 2605ED00: GetProcAddress.KERNEL32(00000000,00000000), ref: 2605EE1F
Part of subcall function 2605ED00: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,6D6C60EF), ref: 2605EE34

Part of subcall function 260653A0: NtSetInformationProcess.NTDLL(000000FF,00000022,?,00000004), ref: 260653E6

__vbaFreeVar.MSVBVM60(00000000), ref: 26064E85

Memory Dump Source

Source File: 00000000.00000002.1332394258.0000000025E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 25E40000, based on PE: true

Associated: 00000000.00000002.1332353553.0000000025E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332431486.0000000025E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332461446.0000000025E4F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332461446.0000000025E56000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332810858.0000000026066000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332848906.0000000026067000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332848906.000000002606B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332915075.000000002606C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e40000_rNuevaorden_pdf.jbxd

Yara matches

Similarity

API ID: __vba$FreeMove$List$#644AddressAnsiHandleInformationModuleProcProcess
String ID:
API String ID: 20434910-0
Opcode ID: 62720a7209574c0bba930a8c7698e7ddeb827410aa05042dead41e22bc12789c
Instruction ID: d744ad0eb47d1bb6aa17bad6b90d49e88c0e098120b2dd9cea3a657d915aa18f
Opcode Fuzzy Hash: 62720a7209574c0bba930a8c7698e7ddeb827410aa05042dead41e22bc12789c
Instruction Fuzzy Hash: 7FF030B1810228AACB15EF95CD94BDEBF7CBF14600F804529F40173144E7386504DAF2

Non-executed Functions

Function 26035AB1 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1332461446.0000000025E56000.00000020.00000001.01000000.00000003.sdmp, Offset: 25E40000, based on PE: true

Associated: 00000000.00000002.1332353553.0000000025E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332394258.0000000025E41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332431486.0000000025E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332461446.0000000025E4F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332810858.0000000026066000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332848906.0000000026067000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332848906.000000002606B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332915075.000000002606C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e40000_rNuevaorden_pdf.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef41f23567e4e7422021a95af9bb6b13c8200b2295415d293bf1cf4d9d63b1a6
Instruction ID: f0ee48950bb61063b276a0e1bd968c050c0a42066f3c001c3b007048a31fea66
Opcode Fuzzy Hash: ef41f23567e4e7422021a95af9bb6b13c8200b2295415d293bf1cf4d9d63b1a6
Instruction Fuzzy Hash: FD01A931A545068BD7529F04C4D0D9EBBE7FB70752B850073F5048BA35E26595E0F7A1

Function 020D32B0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331946251.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_rNuevaorden_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b399b04e11d1ff954b26d47aa0a54e719ae22316263aa56bc50ae1b8ddb9bc6
Instruction ID: 133f1f225038d9c778c657976eb6ec0269f69f11ed75dc2454a4dfeba846131f
Opcode Fuzzy Hash: 0b399b04e11d1ff954b26d47aa0a54e719ae22316263aa56bc50ae1b8ddb9bc6
Instruction Fuzzy Hash: 60F03933A167549BC661DB99D480B7AB3E9EB80A7072548A6E449A7A00D330FC40DF95

Function 020D6C40 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331946251.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_rNuevaorden_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb4a5ace1977a0deb1490e67cd7a3be34ec88689824f7f2dee9c6eb0fad554da
Instruction ID: d06c382b9760a7b92fcb2d43b1b8d4331e2c019d7fa1f3315bf30b73f1b69da8
Opcode Fuzzy Hash: eb4a5ace1977a0deb1490e67cd7a3be34ec88689824f7f2dee9c6eb0fad554da
Instruction Fuzzy Hash: 0EB00231255540DFC299CB06D154A6473B8F711641F4515E0E0454F961CB25A940DA05

Function 020D6CA6 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331946251.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_rNuevaorden_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57926a28c9dec8f72c059f7a1c85c621d4514a41e2f67cef7632fc3e58e89236
Instruction ID: ad5df9df37d3adcab6b825ab64f3e16eebfa9b836013e718d34a0feeeb872266
Opcode Fuzzy Hash: 57926a28c9dec8f72c059f7a1c85c621d4514a41e2f67cef7632fc3e58e89236
Instruction Fuzzy Hash: 68B00135266A84CFC296CB0AC194F5073B8FB05B41F4614F0E4068BE62C338A900CA01

Function 020D6F22 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1331946251.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20d0000_rNuevaorden_pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c66d579662c1b05e6188227b1babfe3779871d50f433a516804cf929716cd0cf
Instruction ID: f137c364cb3bae823ea3efedd3c6236d0f1cc7882400a73c312dd9e70c7f0342
Opcode Fuzzy Hash: c66d579662c1b05e6188227b1babfe3779871d50f433a516804cf929716cd0cf
Instruction Fuzzy Hash: 4AB00135266A80CFC296CB0AC294F5073B8FB09A41F4A14F0E4058BE62C339AA00CA01

Function 25E4A74B Relevance: 57.9, APIs: 22, Strings: 11, Instructions: 154
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCat.MSVBVM60(@o@s@o@f,M@i@c@r), ref: 2606331D
__vbaStrMove.MSVBVM60 ref: 2606332A
__vbaStrCat.MSVBVM60(@t@ @E@n@h@a@n,00000000), ref: 26063332
__vbaStrMove.MSVBVM60 ref: 26063339
__vbaStrCat.MSVBVM60(@c@e@d@ @R@S@,00000000), ref: 26063341
__vbaStrMove.MSVBVM60 ref: 26063348
__vbaStrCat.MSVBVM60(A@ @a@n,00000000), ref: 26063350
__vbaStrMove.MSVBVM60 ref: 26063357
__vbaStrCat.MSVBVM60(@d@ @A@E@S@ ,00000000), ref: 2606335F
__vbaStrMove.MSVBVM60 ref: 26063366
__vbaStrCat.MSVBVM60(@C@r@y@,00000000), ref: 2606336E
__vbaStrMove.MSVBVM60 ref: 26063375
__vbaStrCat.MSVBVM60(p@t@o@g@r@a@,00000000), ref: 2606337D
__vbaStrMove.MSVBVM60 ref: 26063384
__vbaStrCat.MSVBVM60(p@h@i@c@ @P@r,00000000), ref: 2606338C
__vbaStrMove.MSVBVM60 ref: 26063393
__vbaStrCat.MSVBVM60(@o@v@i@d,00000000), ref: 2606339B
__vbaStrMove.MSVBVM60 ref: 260633A2
__vbaStrCat.MSVBVM60(@e@r@,00000000), ref: 260633AA

Part of subcall function 26062BD0: __vbaVarDup.MSVBVM60(6D5DD8B1,6D5CA323), ref: 26062C13
Part of subcall function 26062BD0: #653.MSVBVM60(?,?), ref: 26062C21
Part of subcall function 26062BD0: __vbaI4Var.MSVBVM60(?), ref: 26062C2B
Part of subcall function 26062BD0: __vbaFreeVar.MSVBVM60 ref: 26062C44
Part of subcall function 26062BD0: #632.MSVBVM60(?,?,?,?), ref: 26062C80
Part of subcall function 26062BD0: __vbaVarCat.MSVBVM60(?,?,00000008), ref: 26062C92
Part of subcall function 26062BD0: __vbaStrVarMove.MSVBVM60(00000000), ref: 26062C99
Part of subcall function 26062BD0: __vbaStrMove.MSVBVM60 ref: 26062CA4
Part of subcall function 26062BD0: __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 26062CB4
Part of subcall function 26062BD0: __vbaFreeVar.MSVBVM60(26062CF9), ref: 26062CF2

__vbaStrMove.MSVBVM60 ref: 260633D7
__vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?), ref: 260633FF
__vbaFreeVar.MSVBVM60 ref: 2606340B

Strings

@C@r@y@, xrefs: 26063369
@t@ @E@n@h@a@n, xrefs: 2606332D
@o@s@o@f, xrefs: 26063318
@c@e@d@ @R@S@, xrefs: 2606333C
@e@r@, xrefs: 260633A5
p@t@o@g@r@a@, xrefs: 26063378
@d@ @A@E@S@ , xrefs: 2606335A
A@ @a@n, xrefs: 2606334B
@o@v@i@d, xrefs: 26063396
p@h@i@c@ @P@r, xrefs: 26063387
M@i@c@r, xrefs: 26063313

Memory Dump Source

Source File: 00000000.00000002.1332394258.0000000025E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 25E40000, based on PE: true

Associated: 00000000.00000002.1332353553.0000000025E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332431486.0000000025E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332461446.0000000025E4F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332461446.0000000025E56000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332810858.0000000026066000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332848906.0000000026067000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332848906.000000002606B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332915075.000000002606C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e40000_rNuevaorden_pdf.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$List$#632#653
String ID: @C@r@y@$@c@e@d@ @R@S@$@d@ @A@E@S@ $@e@r@$@o@s@o@f$@o@v@i@d$@t@ @E@n@h@a@n$A@ @a@n$M@i@c@r$p@h@i@c@ @P@r$p@t@o@g@r@a@
API String ID: 193477259-3817434718
Opcode ID: 4c4669226fb14a660fbbdbc54b85efeec6d16304f8282939f0a68e679b7db042
Instruction ID: 52f795d2c0fad7076cc1ca8ef28c380638f786d76d913db24c62ce1d06057537
Opcode Fuzzy Hash: 4c4669226fb14a660fbbdbc54b85efeec6d16304f8282939f0a68e679b7db042
Instruction Fuzzy Hash: 59514E71D14258AFCB05EFA9DD848EFBFB9FF59200B14815BF402A3245DA706945CFA2

Function 25E4A789 Relevance: 33.1, APIs: 22, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCat.MSVBVM60(25E4E798,25E4E960), ref: 260634FD
__vbaStrMove.MSVBVM60 ref: 2606350A
__vbaStrCat.MSVBVM60(25E4E608,00000000), ref: 26063512
__vbaStrMove.MSVBVM60 ref: 26063519
__vbaStrCat.MSVBVM60(25E4E528,00000000), ref: 26063521
__vbaStrMove.MSVBVM60 ref: 26063528
__vbaStrCat.MSVBVM60(25E4E708,00000000), ref: 26063530
__vbaStrMove.MSVBVM60 ref: 26063537
__vbaStrCat.MSVBVM60(25E4EB0C,00000000), ref: 2606353F
__vbaStrMove.MSVBVM60 ref: 26063546
__vbaStrCat.MSVBVM60(25E4EB38,00000000), ref: 2606354E
__vbaStrMove.MSVBVM60 ref: 26063555
__vbaStrCat.MSVBVM60(25E4EB54,00000000), ref: 2606355D
__vbaStrMove.MSVBVM60 ref: 26063564
__vbaStrCat.MSVBVM60(25E4EB80,00000000), ref: 2606356C
__vbaStrMove.MSVBVM60 ref: 26063573
__vbaStrCat.MSVBVM60(25E4EBA4,00000000), ref: 2606357B
__vbaStrMove.MSVBVM60 ref: 26063582
__vbaStrCat.MSVBVM60(25E4EBBC,00000000), ref: 2606358A

Part of subcall function 26062BD0: __vbaVarDup.MSVBVM60(6D5DD8B1,6D5CA323), ref: 26062C13
Part of subcall function 26062BD0: #653.MSVBVM60(?,?), ref: 26062C21
Part of subcall function 26062BD0: __vbaI4Var.MSVBVM60(?), ref: 26062C2B
Part of subcall function 26062BD0: __vbaFreeVar.MSVBVM60 ref: 26062C44
Part of subcall function 26062BD0: #632.MSVBVM60(?,?,?,?), ref: 26062C80
Part of subcall function 26062BD0: __vbaVarCat.MSVBVM60(?,?,00000008), ref: 26062C92
Part of subcall function 26062BD0: __vbaStrVarMove.MSVBVM60(00000000), ref: 26062C99
Part of subcall function 26062BD0: __vbaStrMove.MSVBVM60 ref: 26062CA4
Part of subcall function 26062BD0: __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 26062CB4
Part of subcall function 26062BD0: __vbaFreeVar.MSVBVM60(26062CF9), ref: 26062CF2

__vbaStrMove.MSVBVM60 ref: 260635B7
__vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?), ref: 260635DF
__vbaFreeVar.MSVBVM60 ref: 260635EB

Memory Dump Source

Source File: 00000000.00000002.1332394258.0000000025E41000.00000020.00000001.01000000.00000003.sdmp, Offset: 25E40000, based on PE: true

Associated: 00000000.00000002.1332353553.0000000025E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332431486.0000000025E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332461446.0000000025E4F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332461446.0000000025E56000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332810858.0000000026066000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332848906.0000000026067000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332848906.000000002606B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332915075.000000002606C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e40000_rNuevaorden_pdf.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$List$#632#653
String ID:
API String ID: 193477259-0
Opcode ID: 8bfac12dcef2bf08a37a79621ca8bd71a18bdf95edbe5ae3030ed123508e12a2
Instruction ID: 594353cfc8ef22c09c67a568611236ec1759cea0e2c34adc769f27523f7d4b0c
Opcode Fuzzy Hash: 8bfac12dcef2bf08a37a79621ca8bd71a18bdf95edbe5ae3030ed123508e12a2
Instruction Fuzzy Hash: EF41D8B1D10118ABDB15EFA9DD94DEFBFB9EF88600F10811BF512A3244DA746905CFA2

Function 26062BD0 Relevance: 15.1, APIs: 10, Instructions: 80
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaVarDup.MSVBVM60(6D5DD8B1,6D5CA323), ref: 26062C13
#653.MSVBVM60(?,?), ref: 26062C21
__vbaI4Var.MSVBVM60(?), ref: 26062C2B
__vbaFreeVar.MSVBVM60 ref: 26062C44
#632.MSVBVM60(?,?,?,?), ref: 26062C80
__vbaVarCat.MSVBVM60(?,?,00000008), ref: 26062C92
__vbaStrVarMove.MSVBVM60(00000000), ref: 26062C99
__vbaStrMove.MSVBVM60 ref: 26062CA4
__vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 26062CB4
__vbaFreeVar.MSVBVM60(26062CF9), ref: 26062CF2

Memory Dump Source

Source File: 00000000.00000002.1332461446.0000000025E56000.00000020.00000001.01000000.00000003.sdmp, Offset: 25E40000, based on PE: true

Associated: 00000000.00000002.1332353553.0000000025E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332394258.0000000025E41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332431486.0000000025E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332461446.0000000025E4F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332810858.0000000026066000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332848906.0000000026067000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332848906.000000002606B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332915075.000000002606C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e40000_rNuevaorden_pdf.jbxd

Yara matches

Similarity

API ID: __vba$Free$Move$#632#653List
String ID:
API String ID: 1043057846-0
Opcode ID: 95851d63e413799c74686af03bb7d3f9bb30ad4542e4c4736d8f5ba44065f4e6
Instruction ID: 71c10ec567e85e34ed94e2adfb196aee7250ba35f00833d1eec5a7feb9a0c194
Opcode Fuzzy Hash: 95851d63e413799c74686af03bb7d3f9bb30ad4542e4c4736d8f5ba44065f4e6
Instruction Fuzzy Hash: 50312CB1C10209AFDF08DFE5C898AEEBBB9FB58304F108529E526A7241EB745609DF51

Function 2605F7C0 Relevance: 6.1, APIs: 4, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#644.MSVBVM60(?,2605F5B0,00000001,6D6AEC2C,00000000,?,?,?,?,?,?,Function_00001006), ref: 2605F817
#644.MSVBVM60(00000001,?,?,?,?,?,?,Function_00001006), ref: 2605F822
#644.MSVBVM60(00000000,00000000,00000000,?,?,?,?,?,?,Function_00001006), ref: 2605F834
#644.MSVBVM60(-00000004,00000000,00000000,00000004,?,?,?,?,?,?,Function_00001006), ref: 2605F852

Memory Dump Source

Source File: 00000000.00000002.1332461446.0000000025E56000.00000020.00000001.01000000.00000003.sdmp, Offset: 25E40000, based on PE: true

Associated: 00000000.00000002.1332353553.0000000025E40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332394258.0000000025E41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332431486.0000000025E4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332461446.0000000025E4F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332810858.0000000026066000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332848906.0000000026067000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332848906.000000002606B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1332915075.000000002606C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_25e40000_rNuevaorden_pdf.jbxd

Yara matches

Similarity

API ID: #644
String ID:
API String ID: 700137900-0
Opcode ID: de06f6d2129a4f546272765fa76cac28983e0773be64c5eceaaa4a31cd5d397c
Instruction ID: 333727f692dcb66d60c4025d806442ce9195c653145c181d86024a69956958a4
Opcode Fuzzy Hash: de06f6d2129a4f546272765fa76cac28983e0773be64c5eceaaa4a31cd5d397c
Instruction Fuzzy Hash: 891173B0D00204AFD705DFB8CD84EAE7FFEEB59210B10465AF601E7244D678AD009BB5

Analysis Process: RegAsm.exePID: 1196, Parent PID: 5968COMMON

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	52.5%
Signature Coverage:	12.5%
Total number of Nodes:	40
Total number of Limit Nodes:	5

Executed Functions

Function 06A012C0 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 06A019E3
$q, xrefs: 06A019A2
$q, xrefs: 06A019CB
$q, xrefs: 06A019EF
$q, xrefs: 06A01996
$q, xrefs: 06A019BF

Memory Dump Source

Source File: 00000008.00000002.3713803744.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a00000_RegAsm.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q
API String ID: 0-2069967915
Opcode ID: c2f4ec20251601095a35109a74dc3556271ba68b1483a79b6cb0d613e179d5f1
Instruction ID: e2c9dac7058b927d39b30bc59128393feb3ae3c7495db49b6f36d2afea81a6dc
Opcode Fuzzy Hash: c2f4ec20251601095a35109a74dc3556271ba68b1483a79b6cb0d613e179d5f1
Instruction Fuzzy Hash: 61321F34E107198FDB14EBA5D8906DDF7B2FFC9300F64869AD409AB254EB70AD85CB90

Function 030EA608 Relevance: 3.1, Instructions: 3121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3710745303.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_30e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d322ab3c0ce19787a0d97795b9f51556eed1f0cb27c443d74fdc67fa7a4e02
Instruction ID: 833adeb6044286566e9a5bc4c4298c7c117204a1daf6fe6c33c999886089ae5b
Opcode Fuzzy Hash: d7d322ab3c0ce19787a0d97795b9f51556eed1f0cb27c443d74fdc67fa7a4e02
Instruction Fuzzy Hash: A3630931D10B198EDB51EF68C8806A9F7B1FF99300F55C79AE4587B121EB70AAC5CB81

Function 06A03C18 Relevance: 3.0, Strings: 2, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 06A041BC
$q, xrefs: 06A041C8

Memory Dump Source

Source File: 00000008.00000002.3713803744.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a00000_RegAsm.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: b0c1a249c1dd6362218b59a4716e05b41de7b0c971f050b0bb83f5ea942d0df5
Instruction ID: 5dae2d3552302cf05bf930a43552c30d4d2ff526817e9cb2c67c10d7362e911d
Opcode Fuzzy Hash: b0c1a249c1dd6362218b59a4716e05b41de7b0c971f050b0bb83f5ea942d0df5
Instruction Fuzzy Hash: 4B02AD34B102058FEB54EB69E8947AEBBF2FF88310F148569D5159B385DB34EC86CB90

Function 030ED968 Relevance: 2.3, Instructions: 2312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3710745303.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_30e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e47423a29ecc1657a6e7e3fefb9ad415000eb8cb4b69f87d00ba34aebab227c6
Instruction ID: c13c2fe728acad0b6c827faeb9b4d454720a26d2bfd3e16f52918565a8376a0b
Opcode Fuzzy Hash: e47423a29ecc1657a6e7e3fefb9ad415000eb8cb4b69f87d00ba34aebab227c6
Instruction Fuzzy Hash: 70331E31D107198EDB11EF68C8806ADF7B5FF89300F15C69AD458AB225EB70EAC5CB81

Function 030E7138 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 030E70DF

Memory Dump Source

Source File: 00000008.00000002.3710745303.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_30e0000_RegAsm.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 3a2b8da1bb668eb3bcd884473213b8d3b488601a8a6f26884893bbcf60ac5f71
Instruction ID: ed62da180bf2e3b8225351c52afb8dd6a8b8ee6e87bb037458e8c106c2f209f1
Opcode Fuzzy Hash: 3a2b8da1bb668eb3bcd884473213b8d3b488601a8a6f26884893bbcf60ac5f71
Instruction Fuzzy Hash: AA313472A05395CFCB11DB78D8443EDBBF4AF4A210F1844DAD484DB292E739C946CBA2

Function 004458B2 Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF), ref: 004458FF

Memory Dump Source

Source File: 00000008.00000002.3707413394.0000000000442000.00000040.80000000.00040000.00000000.sdmp, Offset: 00442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_442000_RegAsm.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: eb69f8d9b78740c04d216e83b94b7996e97d0517f4c1fe46d79275544a19c94d
Instruction ID: f079a6b37922aa863eeefcf4a6099c8a15017739c5ae277024499a1a99c5ed02
Opcode Fuzzy Hash: eb69f8d9b78740c04d216e83b94b7996e97d0517f4c1fe46d79275544a19c94d
Instruction Fuzzy Hash: 0AF027B2908A40DFFF054B20C840BAC7774EB10350F210A77E402CA997D63C96038616

Function 004458F8 Relevance: 1.5, APIs: 1, Instructions: 23
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF), ref: 004458FF

Memory Dump Source

Source File: 00000008.00000002.3707413394.0000000000442000.00000040.80000000.00040000.00000000.sdmp, Offset: 00442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_442000_RegAsm.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f80b397d47d6d056492579c095cae3825192162b97e32dae43d9c690ab5b99f5
Instruction ID: 8bc12603ab5a862e0204d12fd9cf138d36d7a268b4fcd6de2f15b2a22ef4c2ed
Opcode Fuzzy Hash: f80b397d47d6d056492579c095cae3825192162b97e32dae43d9c690ab5b99f5
Instruction Fuzzy Hash: 86E068B1508946DFFF065B20CC40B5C73A4EB003A4F200637E003CAADAD73CD0028615

Function 06A02470 Relevance: .8, Instructions: 815COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3713803744.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a00000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f54785aa3aa08760a90fde4af48e3515492300a504f5f4bd99b4c409a86fef
Instruction ID: 3e17a0e9245061d37c5a8e60b40077f63ad1180c269afdd32ce741a2e84d0408
Opcode Fuzzy Hash: 44f54785aa3aa08760a90fde4af48e3515492300a504f5f4bd99b4c409a86fef
Instruction Fuzzy Hash: 42627F34A103049FEB64EB68E598BADBBF2EF88354F148469D405DB394DB35ED42CB90

Function 030E4A80 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3710745303.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_30e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac2407e3fc4ff16e8bf3dbdc2054614ee5b607a851629e63d913309b95e8cea
Instruction ID: dcfb65562b321b824bb9fbca3ae857281bafd748bcc6049a8016b78ec4cf9272
Opcode Fuzzy Hash: dac2407e3fc4ff16e8bf3dbdc2054614ee5b607a851629e63d913309b95e8cea
Instruction Fuzzy Hash: F1B16C71F01209CFDB54CFAAD8817ADBBF2AF88314F188529D415EB294EB749885CB81

Function 030E3E68 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3710745303.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_30e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43be0331b4271bde6a0efcc0b6898c68d079bdd35b91be004e0567bbbc0aa2e4
Instruction ID: 9fcb3ebdd9faee05739da117ed5daaecaea0698c6adc33fdd099892281c93995
Opcode Fuzzy Hash: 43be0331b4271bde6a0efcc0b6898c68d079bdd35b91be004e0567bbbc0aa2e4
Instruction Fuzzy Hash: 58917C75E01309DFDF54CFAAD8847EDBBF2AF88304F188529E414AB294DB749885CB85

Function 030E7060 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 030E70DF

Memory Dump Source

Source File: 00000008.00000002.3710745303.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_30e0000_RegAsm.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 2a87070836f88d5094eae5fb0f696a38ee212bf1cd91b8b6e29b59a59debc163
Instruction ID: cfe771946fda34abe865a5279c640583fdb72a41dc5ef1f1d1e0554b5bc25a2c
Opcode Fuzzy Hash: 2a87070836f88d5094eae5fb0f696a38ee212bf1cd91b8b6e29b59a59debc163
Instruction Fuzzy Hash: D4215772C01259CFDB10CFAAC884BEEBBF4EF49310F14845AE855A7241D738A944CF65

Function 030E7068 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 030E70DF

Memory Dump Source

Source File: 00000008.00000002.3710745303.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_30e0000_RegAsm.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: f816805b4a105f03263a8016dc0b48454c7f021d013ca72abd11066ea8185805
Instruction ID: 7f62ca4ef94e6827d922d836cae6b3e7f47bd5300d55af1887197206cce5473a
Opcode Fuzzy Hash: f816805b4a105f03263a8016dc0b48454c7f021d013ca72abd11066ea8185805
Instruction Fuzzy Hash: D52148B2D01259CFDB14CF9AC884BEEFBF4AF48311F14841AE855A3240D738A944CF65

Function 06A0AAC0 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06A0AB4F

Memory Dump Source

Source File: 00000008.00000002.3713803744.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a00000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1eacd71b6495373309b782e96f4bb488b9a89aec88fb95190671101f39b411d8
Instruction ID: 28c925940f0899f4f034ed6e697d57a3231aea32c7ae33f1e2fab99d18d41170
Opcode Fuzzy Hash: 1eacd71b6495373309b782e96f4bb488b9a89aec88fb95190671101f39b411d8
Instruction Fuzzy Hash: 3B21D2B5D002489FDB10CFAAD984ADEBBF5EB48314F14841AE918A7250D378A954CF65

Function 06A0AAC8 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06A0AB4F

Memory Dump Source

Source File: 00000008.00000002.3713803744.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a00000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: b47773950e11b6aeff5a2f3a220461b3551ca8c0d8468a5a6d8f29298215b396
Instruction ID: c07498e9f9bb43eba2ee5a6d480f040b4a294860c05d12e1002c984444f51b8c
Opcode Fuzzy Hash: b47773950e11b6aeff5a2f3a220461b3551ca8c0d8468a5a6d8f29298215b396
Instruction Fuzzy Hash: 5E21E2B5D003489FDB10CFAAD984ADEFBF5EB48320F14841AE918A7350D378A944CFA5

Function 02F1D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3710396704.0000000002F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2f1d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe2c42f57b380c500fc036757429bbbcd48e7673db8c60c2519272c3e7b568fa
Instruction ID: de982f16f7d4a8e9b1b019bd0bd05f1b5516454a93e8c17c7bdb22cde591219c
Opcode Fuzzy Hash: fe2c42f57b380c500fc036757429bbbcd48e7673db8c60c2519272c3e7b568fa
Instruction Fuzzy Hash: 5C21F276A04340EFDB14DF24D9C4B16BBB1EB84B54F64C56DEA0A4B24AC33AD447CA62

Function 02F1D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3710396704.0000000002F1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2f1d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 049863b72afee537a45d15dcdd3ec31949803e6176599602a4e9cadb07b598d0
Instruction ID: d8542298799cc8ea0cb35975d99bb04a23354353f2eb0ba5532707c204d74109
Opcode Fuzzy Hash: 049863b72afee537a45d15dcdd3ec31949803e6176599602a4e9cadb07b598d0
Instruction Fuzzy Hash: 5A21D1755093C08FCB12CF24D990711BF71EF46214F28C5EAD9498F6A7C33A980ACB62

Non-executed Functions

Function 06A03530 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$q, xrefs: 06A039DD
$q, xrefs: 06A0365D
$q, xrefs: 06A039E9
$q, xrefs: 06A03A92
$q, xrefs: 06A0362C
$q, xrefs: 06A03620
$q, xrefs: 06A03651
$q, xrefs: 06A03A7C
$q, xrefs: 06A03A9E
$q, xrefs: 06A03A88

Memory Dump Source

Source File: 00000008.00000002.3713803744.0000000006A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_6a00000_RegAsm.jbxd

Similarity

API ID:
String ID: $q$$q$$q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-1298971921
Opcode ID: aa13a5365a95f5a2e0adc39caa553d0390832dd5f8a3017d0db09468473933ab
Instruction ID: d7fef9bd407b01a69096b686c7a8af1b72eabbbff50bb75f1768479015d9259d
Opcode Fuzzy Hash: aa13a5365a95f5a2e0adc39caa553d0390832dd5f8a3017d0db09468473933ab
Instruction Fuzzy Hash: 20123E34F0161ACFEF64EB65D854BADB7B2BF85304F2085A9D406AB395DB309D81CB80

Function 030E41B0 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3710745303.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_30e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9419c94d1d54f4ae8a8cf53cb00d9359062a36cb97d29ae12d43c63d64ad9b1f
Instruction ID: dc42a577742a98dcbcb796f126d7fffcb7a1d4b9ebf8b62fe27283397a42adf0
Opcode Fuzzy Hash: 9419c94d1d54f4ae8a8cf53cb00d9359062a36cb97d29ae12d43c63d64ad9b1f
Instruction Fuzzy Hash: FAB16E71F01209CFDB54CFAAD8857AEFBF2BF88304F188529D415AB294EB749845CB85

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rNuevaorden_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\eb42b1a5c308fc11edf1ddbdd25c8486_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
rNuevaorden_pdf.exe

Function 020D01BF Relevance: 30.3, APIs: 10, Strings: 7, Instructions: 528
COMMON

Function 020D2CDF Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 369
nativethreadprocessCOMMON

Function 020D2CDA Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 352
nativeCOMMON

Function 260354FB Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
nativememoryCOMMON

Function 260653A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25
nativeCOMMON

Function 2605ED00 Relevance: 184.4, APIs: 102, Strings: 3, Instructions: 674
librarymemoryloaderCOMMON

Function 25E4AF09 Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Function 25E4A74B Relevance: 57.9, APIs: 22, Strings: 11, Instructions: 154
COMMON

Function 25E4A789 Relevance: 33.1, APIs: 22, Instructions: 134
COMMON

Function 26062BD0 Relevance: 15.1, APIs: 10, Instructions: 80
COMMON

Function 2605F7C0 Relevance: 6.1, APIs: 4, Instructions: 58
COMMON

Function 06A012C0 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Function 06A03C18 Relevance: 3.0, Strings: 2, Instructions: 473
COMMON

Function 030E7138 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 004458B2 Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 004458F8 Relevance: 1.5, APIs: 1, Instructions: 23
memorynativeCOMMON

Function 030E7060 Relevance: 1.6, APIs: 1, Instructions: 69
COMMON