Edit tour

Windows Analysis Report
Comprobante.de.pago.pdf.exe

Overview

General Information

Sample name:	Comprobante.de.pago.pdf.exe
Analysis ID:	1586989
MD5:	4975e77aa7db89e438da054870282656
SHA1:	01c131d5d3d87470b6c74673f310bf742b0b1cdf
SHA256:	16362b718dada80d2e68e3495d78e32fc5bfa05d730ec1a451daf6cff9e6cabe
Tags:	exeuser-threatinte1
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: Suspicious Double Extension File Execution

Yara detected AgentTesla

AI detected suspicious sample

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Initial sample is a PE file and has a suspicious name

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Comprobante.de.pago.pdf.exe (PID: 7012 cmdline: "C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe" MD5: 4975E77AA7DB89E438DA054870282656)

RegAsm.exe (PID: 6228 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.lampadari.gr", "Username": "apamadick@lampadari.gr", "Password": "P8P[uVeJU=vh"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1720843527.0000000000585000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1720843527.0000000000585000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000003.1721037732.0000000000585000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1721037732.0000000000585000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1723590669.000000002FDDD000.00000040.00000001.01000000.00000003.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x186c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000000.00000002.1723294768.0000000003E42000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1723294768.0000000003E42000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000003.1720964076.0000000003D41000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1720964076.0000000003D41000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2902848965.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.2902848965.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000001.00000002.2904528958.0000000003355000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Comprobante.de.pago.pdf.exe PID: 7012	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Comprobante.de.pago.pdf.exe PID: 7012	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 6228	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6228	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.3.Comprobante.de.pago.pdf.exe.585998.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.Comprobante.de.pago.pdf.exe.585998.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.3.Comprobante.de.pago.pdf.exe.585998.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.Comprobante.de.pago.pdf.exe.585998.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3442b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3449d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34527:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345b9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34623:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34695:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3472b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347bb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.Comprobante.de.pago.pdf.exe.585998.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31611:$s2: GetPrivateProfileString 0x30d33:$s3: get_OSFullName 0x3237e:$s5: remove_Key 0x32522:$s5: remove_Key 0x33475:$s6: FtpWebRequest 0x3440d:$s7: logins 0x3497f:$s7: logins 0x37662:$s7: logins 0x37742:$s7: logins 0x39095:$s7: logins 0x382dc:$s9: 1.85 (Hash, version 2, native byte-order)
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
1.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3442b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3449d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34527:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345b9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34623:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34695:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3472b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347bb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
1.2.RegAsm.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31611:$s2: GetPrivateProfileString 0x30d33:$s3: get_OSFullName 0x3237e:$s5: remove_Key 0x32522:$s5: remove_Key 0x33475:$s6: FtpWebRequest 0x3440d:$s7: logins 0x3497f:$s7: logins 0x37662:$s7: logins 0x37742:$s7: logins 0x39095:$s7: logins 0x382dc:$s9: 1.85 (Hash, version 2, native byte-order)
0.3.Comprobante.de.pago.pdf.exe.585998.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.Comprobante.de.pago.pdf.exe.585998.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.Comprobante.de.pago.pdf.exe.585998.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3262b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3269d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32727:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x327b9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32823:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32895:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3292b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x329bb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.Comprobante.de.pago.pdf.exe.585998.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f811:$s2: GetPrivateProfileString 0x2ef33:$s3: get_OSFullName 0x3057e:$s5: remove_Key 0x30722:$s5: remove_Key 0x31675:$s6: FtpWebRequest 0x3260d:$s7: logins 0x32b7f:$s7: logins 0x35862:$s7: logins 0x35942:$s7: logins 0x37295:$s7: logins 0x364dc:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.Comprobante.de.pago.pdf.exe.3e40000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Comprobante.de.pago.pdf.exe.3e40000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.Comprobante.de.pago.pdf.exe.3e40000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.Comprobante.de.pago.pdf.exe.3e40000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3442b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3449d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34527:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345b9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34623:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34695:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3472b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347bb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Comprobante.de.pago.pdf.exe.3e40000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31611:$s2: GetPrivateProfileString 0x30d33:$s3: get_OSFullName 0x3237e:$s5: remove_Key 0x32522:$s5: remove_Key 0x33475:$s6: FtpWebRequest 0x3440d:$s7: logins 0x3497f:$s7: logins 0x37662:$s7: logins 0x37742:$s7: logins 0x39095:$s7: logins 0x382dc:$s9: 1.85 (Hash, version 2, native byte-order)
0.3.Comprobante.de.pago.pdf.exe.585998.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.Comprobante.de.pago.pdf.exe.585998.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.3.Comprobante.de.pago.pdf.exe.585998.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.Comprobante.de.pago.pdf.exe.585998.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3442b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3449d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34527:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345b9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34623:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34695:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3472b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347bb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.Comprobante.de.pago.pdf.exe.585998.0.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31611:$s2: GetPrivateProfileString 0x30d33:$s3: get_OSFullName 0x3237e:$s5: remove_Key 0x32522:$s5: remove_Key 0x33475:$s6: FtpWebRequest 0x3440d:$s7: logins 0x3497f:$s7: logins 0x37662:$s7: logins 0x37742:$s7: logins 0x39095:$s7: logins 0x382dc:$s9: 1.85 (Hash, version 2, native byte-order)
0.3.Comprobante.de.pago.pdf.exe.585998.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.Comprobante.de.pago.pdf.exe.585998.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.Comprobante.de.pago.pdf.exe.585998.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3262b:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3269d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x32727:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x327b9:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32823:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32895:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3292b:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x329bb:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.Comprobante.de.pago.pdf.exe.585998.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f811:$s2: GetPrivateProfileString 0x2ef33:$s3: get_OSFullName 0x3057e:$s5: remove_Key 0x30722:$s5: remove_Key 0x31675:$s6: FtpWebRequest 0x3260d:$s7: logins 0x32b7f:$s7: logins 0x35862:$s7: logins 0x35942:$s7: logins 0x37295:$s7: logins 0x364dc:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 23 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe", CommandLine: "C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe, NewProcessName: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe", ProcessId: 7012, ProcessName: Comprobante.de.pago.pdf.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Comprobante.de.pago.pdf.exe

Avira: detected

Found malware configuration

Source: 1.2.RegAsm.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.lampadari.gr", "Username": "apamadick@lampadari.gr", "Password": "P8P[uVeJU=vh"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: Comprobante.de.pago.pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 0.3.Comprobante.de.pago.pdf.exe.585998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Comprobante.de.pago.pdf.exe.3e40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Comprobante.de.pago.pdf.exe.585998.0.raw.unpack, type: UNPACKEDPE

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: Comprobante.de.pago.pdf.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Comprobante.de.pago.pdf.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Comprobante.de.pago.pdf.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Comprobante.de.pago.pdf.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Comprobante.de.pago.pdf.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Comprobante.de.pago.pdf.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Comprobante.de.pago.pdf.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Comprobante.de.pago.pdf.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Comprobante.de.pago.pdf.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RegAsm.exe, 00000001.00000002.2904528958.0000000003321000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2904528958.00000000033FF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2904528958.00000000033E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: Comprobante.de.pago.pdf.exe, 00000000.00000003.1720843527.0000000000585000.00000004.00000020.00020000.00000000.sdmp, Comprobante.de.pago.pdf.exe, 00000000.00000003.1721037732.0000000000585000.00000004.00000020.00020000.00000000.sdmp, Comprobante.de.pago.pdf.exe, 00000000.00000002.1723294768.0000000003E42000.00000040.10000000.00040000.00000000.sdmp, Comprobante.de.pago.pdf.exe, 00000000.00000003.1720964076.0000000003D41000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2904528958.0000000003321000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2902848965.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2904528958.00000000033E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: Comprobante.de.pago.pdf.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: Comprobante.de.pago.pdf.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Comprobante.de.pago.pdf.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Comprobante.de.pago.pdf.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: RegAsm.exe, 00000001.00000002.2904528958.0000000003321000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2904528958.00000000033E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Comprobante.de.pago.pdf.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Comprobante.de.pago.pdf.exe, 00000000.00000003.1720843527.0000000000585000.00000004.00000020.00020000.00000000.sdmp, Comprobante.de.pago.pdf.exe, 00000000.00000003.1721037732.0000000000585000.00000004.00000020.00020000.00000000.sdmp, Comprobante.de.pago.pdf.exe, 00000000.00000002.1723294768.0000000003E42000.00000040.10000000.00040000.00000000.sdmp, Comprobante.de.pago.pdf.exe, 00000000.00000003.1720964076.0000000003D41000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2902848965.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: Comprobante.de.pago.pdf.exe	String found in binary or memory: https://github.com/mullvad/mullvadvpn-app#readme0

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.3.Comprobante.de.pago.pdf.exe.585998.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.Comprobante.de.pago.pdf.exe.585998.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.Comprobante.de.pago.pdf.exe.585998.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.Comprobante.de.pago.pdf.exe.585998.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.Comprobante.de.pago.pdf.exe.3e40000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Comprobante.de.pago.pdf.exe.3e40000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.Comprobante.de.pago.pdf.exe.585998.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.Comprobante.de.pago.pdf.exe.585998.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.Comprobante.de.pago.pdf.exe.585998.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.Comprobante.de.pago.pdf.exe.585998.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.1723590669.000000002FDDD000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Comprobante.de.pago.pdf.exe

Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_2FFF5D10 __vbaFreeVar,NtSetInformationProcess,	0_2_2FFF5D10
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_2FFC54FB NtAllocateVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,	0_2_2FFC54FB
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_028C2C8B NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_028C2C8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004464CA NtAllocateVirtualMemory,	1_2_004464CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0044355F NtDelayExecution,	1_2_0044355F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004461D6 NtProtectVirtualMemory,	1_2_004461D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004459BD NtAllocateVirtualMemory,	1_2_004459BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00443296 NtClose,	1_2_00443296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004432B5 NtCreateThreadEx,NtClose,	1_2_004432B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00446368 NtProtectVirtualMemory,	1_2_00446368
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00445C4B NtAllocateVirtualMemory,	1_2_00445C4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004465CE NtProtectVirtualMemory,	1_2_004465CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004461E9 NtProtectVirtualMemory,	1_2_004461E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00445D96 NtAllocateVirtualMemory,	1_2_00445D96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00443F81 NtCreateThreadEx,NtClose,	1_2_00443F81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_004437BB NtCreateThreadEx,NtClose,	1_2_004437BB

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0314A6CD	1_2_0314A6CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_03144A80	1_2_03144A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_03143E68	1_2_03143E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_031441B0	1_2_031441B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0314DD28	1_2_0314DD28

Source: Comprobante.de.pago.pdf.exe

Static PE information: invalid certificate

Source: Comprobante.de.pago.pdf.exe, 00000000.00000003.1720843527.0000000000585000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename756a5eef-0c1c-4bed-83c6-a963e51853c7.exe4 vs Comprobante.de.pago.pdf.exe
Source: Comprobante.de.pago.pdf.exe, 00000000.00000003.1721037732.0000000000585000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename756a5eef-0c1c-4bed-83c6-a963e51853c7.exe4 vs Comprobante.de.pago.pdf.exe
Source: Comprobante.de.pago.pdf.exe, 00000000.00000000.1655314564.000000002FFFD000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameacvm7qw909e.exe vs Comprobante.de.pago.pdf.exe
Source: Comprobante.de.pago.pdf.exe, 00000000.00000002.1723294768.0000000003E7E000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename756a5eef-0c1c-4bed-83c6-a963e51853c7.exe4 vs Comprobante.de.pago.pdf.exe
Source: Comprobante.de.pago.pdf.exe, 00000000.00000003.1720964076.0000000003D41000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename756a5eef-0c1c-4bed-83c6-a963e51853c7.exe4 vs Comprobante.de.pago.pdf.exe
Source: Comprobante.de.pago.pdf.exe	Binary or memory string: OriginalFilenameacvm7qw909e.exe vs Comprobante.de.pago.pdf.exe

Source: Comprobante.de.pago.pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.3.Comprobante.de.pago.pdf.exe.585998.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.Comprobante.de.pago.pdf.exe.585998.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.3.Comprobante.de.pago.pdf.exe.585998.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.Comprobante.de.pago.pdf.exe.585998.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.Comprobante.de.pago.pdf.exe.3e40000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Comprobante.de.pago.pdf.exe.3e40000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.3.Comprobante.de.pago.pdf.exe.585998.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.Comprobante.de.pago.pdf.exe.585998.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.3.Comprobante.de.pago.pdf.exe.585998.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.Comprobante.de.pago.pdf.exe.585998.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.1723590669.000000002FDDD000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Mutant created: NULL

Source: Comprobante.de.pago.pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000001.00000002.2904528958.000000000341D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe "C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe"
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Section loaded: vb6de.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Section loaded: vb6de.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: Comprobante.de.pago.pdf.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Comprobante.de.pago.pdf.exe

Static file information: File size 2288032 > 1048576

Source: Comprobante.de.pago.pdf.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x226000

Source: Comprobante.de.pago.pdf.exe

Static PE information: real checksum: 0x235921 should be: 0x231ce7

Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_2FDDCDFB push D4006C00h; iretd	0_2_2FDDCE05
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_00528DF9 push ebp; iretd	0_2_00528DFA
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_00528DA9 push eax; iretd	0_2_00528DAA
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_028C1AEB pushfd ; retf	0_2_028C1AEC
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_028C1A3B push ebx; ret	0_2_028C1A3D
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_028C07A9 push ebx; retf	0_2_028C18A0
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_028C1F0C push es; ret	0_2_028C1F10
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_028C2902 pushfd ; iretd	0_2_028C2908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0044585B push edx; iretd	1_2_0044585C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00445647 push ds; retf	1_2_00445648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00445641 push ds; retf	1_2_00445643
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00446305 push ebp; ret	1_2_00446308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00444FB5 push cs; retf	1_2_00444FCB

Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Comprobante.de.pago.pdf.exe, 00000000.00000003.1720843527.0000000000585000.00000004.00000020.00020000.00000000.sdmp, Comprobante.de.pago.pdf.exe, 00000000.00000003.1721037732.0000000000585000.00000004.00000020.00020000.00000000.sdmp, Comprobante.de.pago.pdf.exe, 00000000.00000002.1723294768.0000000003E42000.00000040.10000000.00040000.00000000.sdmp, Comprobante.de.pago.pdf.exe, 00000000.00000003.1720964076.0000000003D41000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2904528958.0000000003355000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2904528958.00000000033FF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2902848965.0000000000402000.00000040.80000000.00040000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3060000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6352	Thread sleep count: 169 > 30			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6352	Thread sleep time: -169000s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: RegAsm.exe, 00000001.00000002.2904528958.00000000033FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegAsm.exe, 00000001.00000002.2902848965.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: vmware
Source: RegAsm.exe, 00000001.00000002.2902848965.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegAsm.exe, 00000001.00000002.2905844566.00000000065C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 1_2_03147068 CheckRemoteDebuggerPresent,

1_2_03147068

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_2FFC5AB1 mov eax, dword ptr fs:[00000030h]	0_2_2FFC5AB1
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_028C2C8B mov eax, dword ptr fs:[00000030h]	0_2_028C2C8B
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_028C6E91 mov eax, dword ptr fs:[00000030h]	0_2_028C6E91
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_028C6E35 mov eax, dword ptr fs:[00000030h]	0_2_028C6E35
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_028C325C mov eax, dword ptr fs:[00000030h]	0_2_028C325C
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_028C6F1C mov eax, dword ptr fs:[00000030h]	0_2_028C6F1C
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_028C733E mov eax, dword ptr fs:[00000030h]	0_2_028C733E
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_028C7096 mov eax, dword ptr fs:[00000030h]	0_2_028C7096
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_028C6CD3 mov eax, dword ptr fs:[00000030h]	0_2_028C6CD3
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_028C6D25 mov eax, dword ptr fs:[00000030h]	0_2_028C6D25
Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe	Code function: 0_2_028C453A mov ecx, dword ptr fs:[00000030h]	0_2_028C453A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00443296 mov ecx, dword ptr fs:[00000030h]	1_2_00443296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00445C78 mov eax, dword ptr fs:[00000030h]	1_2_00445C78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_0044609A mov eax, dword ptr fs:[00000030h]	1_2_0044609A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00445DE7 mov eax, dword ptr fs:[00000030h]	1_2_00445DE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00445DF2 mov eax, dword ptr fs:[00000030h]	1_2_00445DF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00445A4A mov eax, dword ptr fs:[00000030h]	1_2_00445A4A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00445A2F mov eax, dword ptr fs:[00000030h]	1_2_00445A2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00445A81 mov eax, dword ptr fs:[00000030h]	1_2_00445A81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00445A95 mov eax, dword ptr fs:[00000030h]	1_2_00445A95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00446309 mov ecx, dword ptr fs:[00000030h]	1_2_00446309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00445BED mov eax, dword ptr fs:[00000030h]	1_2_00445BED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 1_2_00445B91 mov eax, dword ptr fs:[00000030h]	1_2_00445B91

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E2E008

Jump to behavior

Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.3.Comprobante.de.pago.pdf.exe.585998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Comprobante.de.pago.pdf.exe.585998.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Comprobante.de.pago.pdf.exe.3e40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Comprobante.de.pago.pdf.exe.585998.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Comprobante.de.pago.pdf.exe.585998.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1720843527.0000000000585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1721037732.0000000000585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723294768.0000000003E42000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1720964076.0000000003D41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2902848965.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Comprobante.de.pago.pdf.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6228, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.3.Comprobante.de.pago.pdf.exe.585998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Comprobante.de.pago.pdf.exe.585998.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Comprobante.de.pago.pdf.exe.3e40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Comprobante.de.pago.pdf.exe.585998.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Comprobante.de.pago.pdf.exe.585998.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1720843527.0000000000585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1721037732.0000000000585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723294768.0000000003E42000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1720964076.0000000003D41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2902848965.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2904528958.0000000003355000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Comprobante.de.pago.pdf.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6228, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.3.Comprobante.de.pago.pdf.exe.585998.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Comprobante.de.pago.pdf.exe.585998.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Comprobante.de.pago.pdf.exe.3e40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Comprobante.de.pago.pdf.exe.585998.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Comprobante.de.pago.pdf.exe.585998.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1720843527.0000000000585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1721037732.0000000000585000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723294768.0000000003E42000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1720964076.0000000003D41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2902848965.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Comprobante.de.pago.pdf.exe PID: 7012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6228, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	1 Masquerading	1 OS Credential Dumping	531 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	25 Virtualization/Sandbox Evasion	LSASS Memory	25 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	211 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	34 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Comprobante.de.pago.pdf.exe	100%	Avira	TR/Dropper.Gen

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://account.dyn.com/	Comprobante.de.pago.pdf.exe, 00000000.00000003.1720843527.0000000000585000.00000004.00000020.00020000.00000000.sdmp, Comprobante.de.pago.pdf.exe, 00000000.00000003.1721037732.0000000000585000.00000004.00000020.00020000.00000000.sdmp, Comprobante.de.pago.pdf.exe, 00000000.00000002.1723294768.0000000003E42000.00000040.10000000.00040000.00000000.sdmp, Comprobante.de.pago.pdf.exe, 00000000.00000003.1720964076.0000000003D41000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2902848965.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
https://github.com/mullvad/mullvadvpn-app#readme0	Comprobante.de.pago.pdf.exe	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000001.00000002.2904528958.0000000003321000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2904528958.00000000033E4000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com	RegAsm.exe, 00000001.00000002.2904528958.0000000003321000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2904528958.00000000033FF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000001.00000002.2904528958.00000000033E4000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1586989
Start date and time:	2025-01-09 20:43:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Comprobante.de.pago.pdf.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 80% Number of executed functions: 15 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: Comprobante.de.pago.pdf.exe

Simulations

Behavior and APIs

Time	Type	Description
14:44:46	API Interceptor	139x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	p.exe	Get hash	malicious	Unknown	Browse	ip-api.com/csv/?fields=query
	rNuevaorden_pdf.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	I334hDwRjj.exe	Get hash	malicious	Blank Grabber, Njrat	Browse	ip-api.com/json/?fields=225545
	startup_str_466.bat	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	7dtpow.ps1	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	x.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	TR98760H.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	47SXvEQ.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse	ip-api.com/json/?fields=225545
	test.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	ip-api.com/json/
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	p.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	rNuevaorden_pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	I334hDwRjj.exe	Get hash	malicious	Blank Grabber, Njrat	Browse	208.95.112.1
	startup_str_466.bat	Get hash	malicious	XWorm	Browse	208.95.112.1
	7dtpow.ps1	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	x.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	TR98760H.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	47SXvEQ.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse	208.95.112.1
	test.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	208.95.112.1
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	p.exe	Get hash	malicious	Unknown	Browse	208.95.112.1
	rNuevaorden_pdf.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	I334hDwRjj.exe	Get hash	malicious	Blank Grabber, Njrat	Browse	208.95.112.1
	startup_str_466.bat	Get hash	malicious	XWorm	Browse	208.95.112.1
	7dtpow.ps1	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	x.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	TR98760H.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	47SXvEQ.exe	Get hash	malicious	Blank Grabber, Xmrig	Browse	208.95.112.1
	test.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	208.95.112.1
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbq:4
MD5:	8CB7B7F28464C3FCBAE8A10C46204572
SHA1:	767FE80969EC2E67F54CC1B6D383C76E7859E2DE
SHA-256:	ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
SHA-512:	9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
Malicious:	false
Reputation:	high, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.175604599526794
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Comprobante.de.pago.pdf.exe
File size:	2'288'032 bytes
MD5:	4975e77aa7db89e438da054870282656
SHA1:	01c131d5d3d87470b6c74673f310bf742b0b1cdf
SHA256:	16362b718dada80d2e68e3495d78e32fc5bfa05d730ec1a451daf6cff9e6cabe
SHA512:	93f214fb28ebaa4ac45141401e6d29f401f062087fa81eb0a494527e3ae0d66ea0daff6022f89b6f8881e295279f2c5c2fb84a322e3108f62f2aac3ae59d8ff6
SSDEEP:	49152:HX3ASbdYAm4zEbdYAm4zWbdYAm4z23Ag3AWbdYAm4zSbdYAm4zO3AGyhdWn:HnA4drWdr0drkASA0dr4dr8AGi
TLSH:	FCB5CF0322208F6FED8ADF3673BA80E443153C5907155A42329F7720EB779BE5D29A5B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................Rich............PE..L......g.................`"..P......4........p"..../.......

File Icon


Icon Hash:	a3a3939a92b3929a

Static PE Info

General

Entrypoint:	0x2fdd1234
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x2fdd0000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x6780170B [Thu Jan 9 18:35:55 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	42a4e0f64241075ea237a4cf00d0db9f

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	14/03/2024 00:00:00 06/02/2027 23:59:59
Subject Chain	CN=Mullvad VPN AB, O=Mullvad VPN AB, L=G\xf6teborg, C=SE, SERIALNUMBER=559238-4001, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=SE
Version:	3
Thumbprint MD5:	7068F855B513C1F69538E13DF0A7870D
Thumbprint SHA-1:	1F5E906F4E2DBE2A3C3226A6B0638E9327F76135
Thumbprint SHA-256:	4136B97CF51C1779F94FF626978743FF874E0EABB3AFB5CB00CB9E6DBB5440E8
Serial:	078050BBC100F2FFAF0FE03B15FE221A

Entrypoint Preview

Instruction
push 2FDDA54Ch
call 00007FD2947FB345h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dh, al
push ebx
jns 00007FD2947FB375h
mov ecx, B04DD8DFh
mov byte ptr [edx], ah
sbb dword ptr [edx-17h], edx
and byte ptr [ebx], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
sub eax, 30303043h
sub eax, 61726543h
pop edi
push esi
popad
jno 00007FD2947FB3B7h
popad
add byte ptr [esi], dh
jnl 00007FD2947FB375h
xor ch, byte ptr [esi]
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
add al, al
fsub qword ptr [edi+37h]
pop ebp
fstp dword ptr [edx-019657BCh]
int 97h
sbb byte ptr [edi-3D100426h], ch
mov edx, ecx
jno 00007FD2947FB320h
inc esp
mov ch, 59h
xor bl, byte ptr [edx+2Fh]
mov dword ptr [4F3A5001h], eax
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor dl, byte ptr [ecx+00420000h]
add byte ptr [eax], al
add byte ptr [726F4600h], al
insd
xor dword ptr [eax], eax
or eax, 46000501h
outsd
jc 00007FD2947FB3BFh
xor dword ptr [eax], eax
sbb dword ptr [ecx], eax
add byte ptr [edx+00h], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x227408	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x22d000	0x2894	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x22c000	0x29a0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x227000	0x180	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x225744	0x226000	20f265c0c4f333648589b1b1f8f2d4c7	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x227000	0xb30	0x1000	e8eeb57f1a4bf4d49c950ed1deafcf11	False	0.2734375	data	3.86650564830794	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x228000	0x4bac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x22d000	0x2894	0x3000	cf4509ef44e700a268c235d9994746cf	False	0.19539388020833334	data	4.245983192689374	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x22d0e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.21047717842323652
RT_GROUP_ICON	0x22f690	0x14	data			1.15
RT_VERSION	0x22f6a4	0x1f0	MS Windows COFF PowerPC object file	German	Germany	0.49798387096774194

Imports

DLL

Import

KERNEL32.DLL

GetProcAddress, GetModuleHandleW

MSVBVM60.DLL

__vbaVarSub, _CIcos, _adj_fptan, __vbaVarMove, __vbaVarVargNofree, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaNextEachVar, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaBoolErrVar, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenVar, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaRefVarAry, __vbaBoolVarNull, _CIsin, __vbaVargVarMove, __vbaVarZero, __vbaVarCmpGt, __vbaChkstk, EVENT_SINK_AddRef, __vbaVarTstEq, DllFunctionCall, __vbaVarOr, __vbaRedimPreserve, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaNew, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaStrVarVal, __vbaUbound, __vbaVarCat, _CIlog, __vbaVar2Vec, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaAryLock, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaVarCopy, __vbaVarLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, __vbaStrVarCopy, __vbaForEachVar, _allmul, _CItan, __vbaAryUnlock, _CIexp, __vbaFreeObj, __vbaFreeStr

Possible Origin

Language of compilation system	Country where language is spoken	Map
German	Germany

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 20:44:04.652734995 CET	49731	80	192.168.2.4	208.95.112.1
Jan 9, 2025 20:44:04.657840014 CET	80	49731	208.95.112.1	192.168.2.4
Jan 9, 2025 20:44:04.657927990 CET	49731	80	192.168.2.4	208.95.112.1
Jan 9, 2025 20:44:04.658655882 CET	49731	80	192.168.2.4	208.95.112.1
Jan 9, 2025 20:44:04.663541079 CET	80	49731	208.95.112.1	192.168.2.4
Jan 9, 2025 20:44:05.463661909 CET	80	49731	208.95.112.1	192.168.2.4
Jan 9, 2025 20:44:05.516781092 CET	49731	80	192.168.2.4	208.95.112.1
Jan 9, 2025 20:45:30.556902885 CET	80	49731	208.95.112.1	192.168.2.4
Jan 9, 2025 20:45:30.557085037 CET	49731	80	192.168.2.4	208.95.112.1
Jan 9, 2025 20:45:45.488734961 CET	49731	80	192.168.2.4	208.95.112.1
Jan 9, 2025 20:45:45.494040012 CET	80	49731	208.95.112.1	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 20:44:04.640311956 CET	62725	53	192.168.2.4	1.1.1.1
Jan 9, 2025 20:44:04.647618055 CET	53	62725	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 20:44:04.640311956 CET	192.168.2.4	1.1.1.1	0x5b25	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 20:44:04.647618055 CET	1.1.1.1	192.168.2.4	0x5b25	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	208.95.112.1	80	6228	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 20:44:04.658655882 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 9, 2025 20:44:05.463661909 CET	175	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 19:44:04 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	14:43:56
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Comprobante.de.pago.pdf.exe"
Imagebase:	0x2fdd0000
File size:	2'288'032 bytes
MD5 hash:	4975E77AA7DB89E438DA054870282656
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1720843527.0000000000585000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1720843527.0000000000585000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1721037732.0000000000585000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1721037732.0000000000585000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.1723590669.000000002FDDD000.00000040.00000001.01000000.00000003.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1723294768.0000000003E42000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1723294768.0000000003E42000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1720964076.0000000003D41000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1720964076.0000000003D41000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:44:03
Start date:	09/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Imagebase:	0xdc0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2902848965.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.2902848965.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2904528958.0000000003355000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	22.2%
Dynamic/Decrypted Code Coverage:	21.1%
Signature Coverage:	23.2%
Total number of Nodes:	190
Total number of Limit Nodes:	13

Executed Functions

Function 028C2C8B Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 369
nativethreadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 028C2E77
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 028C2EA4
CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 028C304F
NtGetContextThread.NTDLL(?,?), ref: 028C306E
NtReadVirtualMemory.NTDLL(?,?,?,000001D8,?), ref: 028C3094
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 028C30BE
NtUnmapViewOfSection.NTDLL(?,?), ref: 028C30D9
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 028C30F2
NtSetContextThread.NTDLL(?,00010003), ref: 028C3123
NtResumeThread.NTDLL(?,00000000), ref: 028C3130

Strings

m.ex, xrefs: 028C2FB2
e, xrefs: 028C2FB9
egas, xrefs: 028C2FAB
D, xrefs: 028C302A
\Microsoft.NET\Framework\, xrefs: 028C2FC0

Memory Dump Source

Source File: 00000000.00000002.1723201366.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_Comprobante.jbxd

Similarity

API ID: Section$ThreadView$ContextCreateMemoryVirtual$ProcessReadResumeUnmapWrite
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 1951729442-1087957892
Opcode ID: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
Instruction ID: 311f9232dcf37a0bb427ba09d06b11f38b5ad22bf6fb6ba71d44a1331b819676
Opcode Fuzzy Hash: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
Instruction Fuzzy Hash: F7E1E4BAD00259AFDF11DFA4CC80AEDBBB9AF04304F2484AAF519E7201D7349A56CF55

Function 2FFC54FB Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000100,00000000,00000100,00003000,00000040,?,NtQueryInformationProcess,2FFC425F,?,NtQueryInformationProcess,2FFC4279,?,NtQueryInformationProcess,2FFC4248,NtQueryInformationProcess), ref: 2FFC5592
NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,00000040,00000000,?,NtQueryInformationProcess,2FFC425F,?,NtQueryInformationProcess,2FFC4279,?,NtQueryInformationProcess,2FFC4248,NtQueryInformationProcess,2FFC42EA), ref: 2FFC55BD
NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,00000000,00000000,?,NtQueryInformationProcess,2FFC425F,?,NtQueryInformationProcess,2FFC4279,?,NtQueryInformationProcess,2FFC4248,NtQueryInformationProcess,2FFC42EA), ref: 2FFC56B9

Strings

NtQueryInformationProcess, xrefs: 2FFC551D, 2FFC5532, 2FFC554A, 2FFC5562

Memory Dump Source

Source File: 00000000.00000002.1723644226.000000002FDE6000.00000020.00000001.01000000.00000003.sdmp, Offset: 2FDD0000, based on PE: true

Associated: 00000000.00000002.1723484498.000000002FDD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723539110.000000002FDD1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723590669.000000002FDDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723644226.000000002FDDF000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723928370.000000002FFF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723985843.000000002FFF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723985843.000000002FFFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724050644.000000002FFFD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fdd0000_Comprobante.jbxd

Yara matches

Similarity

API ID: MemoryVirtual$Protect$Allocate
String ID: NtQueryInformationProcess
API String ID: 955180148-2781105232
Opcode ID: d7a76f36304703e7b6a1fb1005654a13bcfeb6461ac797474d99e47ac478e6c0
Instruction ID: 71fd680668b43d5598718634016c37ffc1a962c4dcde14fe7e02fb52da9040d4
Opcode Fuzzy Hash: d7a76f36304703e7b6a1fb1005654a13bcfeb6461ac797474d99e47ac478e6c0
Instruction Fuzzy Hash: A1518E7190422BAFDB00CBA9C880E9EBBB7EF84320F984755D211A63E1D774A644DB65

Function 2FFF5D10 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationProcess.NTDLL ref: 2FFF5D56

Strings

0, xrefs: 2FFF5D4A

Memory Dump Source

Source File: 00000000.00000002.1723644226.000000002FDE6000.00000020.00000001.01000000.00000003.sdmp, Offset: 2FDD0000, based on PE: true

Associated: 00000000.00000002.1723484498.000000002FDD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723539110.000000002FDD1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723590669.000000002FDDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723644226.000000002FDDF000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723928370.000000002FFF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723985843.000000002FFF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723985843.000000002FFFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724050644.000000002FFFD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fdd0000_Comprobante.jbxd

Yara matches

Similarity

API ID: InformationProcess
String ID: 0
API String ID: 1801817001-4108050209
Opcode ID: 7d08401a11ed3ec0743a01d1df6bb1d70ba57e2b135db9965baad2833af64cc4
Instruction ID: 9c2e006ac6d3fe2969b562916f71e4e3af934824dec132b9c7899a0747c432a8
Opcode Fuzzy Hash: 7d08401a11ed3ec0743a01d1df6bb1d70ba57e2b135db9965baad2833af64cc4
Instruction Fuzzy Hash: AFE0E572845358BBE720EF988D49F9EBBBDEB08B11F540355F600766D4D378190586B1

Function 2FFEF670 Relevance: 184.4, APIs: 102, Strings: 3, Instructions: 674
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCat.MSVBVM60(2FDDD9F8,2FDDD9F0,?,6CF060EF), ref: 2FFEF6FF
__vbaStrMove.MSVBVM60(?,6CF060EF), ref: 2FFEF70C
__vbaStrCat.MSVBVM60(bvm,00000000,?,6CF060EF), ref: 2FFEF714
__vbaStrMove.MSVBVM60(?,6CF060EF), ref: 2FFEF71B
__vbaStrCat.MSVBVM60(2FDDDA10,00000000,?,6CF060EF), ref: 2FFEF723
__vbaStrMove.MSVBVM60(?,6CF060EF), ref: 2FFEF72A
#644.MSVBVM60(00000000,?,6CF060EF), ref: 2FFEF72D
GetModuleHandleW.KERNEL32(00000000,?,6CF060EF), ref: 2FFEF734
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,6CF060EF), ref: 2FFEF74D

Part of subcall function 2FFF3540: __vbaVarDup.MSVBVM60(6CE1D8B1,6CE0A323), ref: 2FFF3583
Part of subcall function 2FFF3540: #653.MSVBVM60(?,?), ref: 2FFF3591
Part of subcall function 2FFF3540: __vbaI4Var.MSVBVM60(?), ref: 2FFF359B
Part of subcall function 2FFF3540: __vbaFreeVar.MSVBVM60 ref: 2FFF35B4
Part of subcall function 2FFF3540: #632.MSVBVM60(?,?,?,?), ref: 2FFF35F0
Part of subcall function 2FFF3540: __vbaVarCat.MSVBVM60(?,?,00000008), ref: 2FFF3602
Part of subcall function 2FFF3540: __vbaStrVarMove.MSVBVM60(00000000), ref: 2FFF3609
Part of subcall function 2FFF3540: __vbaStrMove.MSVBVM60 ref: 2FFF3614
Part of subcall function 2FFF3540: __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 2FFF3624
Part of subcall function 2FFF3540: __vbaFreeVar.MSVBVM60(2FFF3669), ref: 2FFF3662

__vbaStrMove.MSVBVM60(?,6CF060EF), ref: 2FFEF77A
__vbaStrToAnsi.MSVBVM60(?,00000000,?,6CF060EF), ref: 2FFEF781
GetProcAddress.KERNEL32(00000000,00000000), ref: 2FFEF78F
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,6CF060EF), ref: 2FFEF7A4
__vbaStrCat.MSVBVM60(2FDDDA6C,2FDDDA60), ref: 2FFEF7B7
__vbaStrMove.MSVBVM60 ref: 2FFEF7BE
__vbaStrCat.MSVBVM60(2FDDDA80,00000000), ref: 2FFEF7C6
__vbaStrMove.MSVBVM60 ref: 2FFEF7F3
#644.MSVBVM60(00000000), ref: 2FFEF7F6
GetModuleHandleW.KERNEL32(00000000), ref: 2FFEF7FD
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 2FFEF812
__vbaFreeVar.MSVBVM60 ref: 2FFEF81E
__vbaStrCat.MSVBVM60(2FDDD8CC,2FDDDA98), ref: 2FFEF82E
__vbaStrMove.MSVBVM60 ref: 2FFEF835
__vbaStrCat.MSVBVM60(2FDDD8D4,00000000), ref: 2FFEF83D
__vbaStrMove.MSVBVM60 ref: 2FFEF844
__vbaStrCat.MSVBVM60(2FDDDAA0,00000000), ref: 2FFEF84C
__vbaStrMove.MSVBVM60 ref: 2FFEF853
__vbaStrCat.MSVBVM60(2FDDDAA8,00000000), ref: 2FFEF85B
__vbaStrMove.MSVBVM60 ref: 2FFEF862
__vbaStrCat.MSVBVM60(2FDDDAB0,00000000), ref: 2FFEF86A
__vbaStrMove.MSVBVM60 ref: 2FFEF871
__vbaStrCat.MSVBVM60(2FDDDAB8,00000000), ref: 2FFEF879
__vbaStrMove.MSVBVM60 ref: 2FFEF880
__vbaStrCat.MSVBVM60(2FDDDAC0,00000000), ref: 2FFEF888
__vbaStrMove.MSVBVM60 ref: 2FFEF88F
__vbaStrCat.MSVBVM60(2FDDD8D4,00000000), ref: 2FFEF897
__vbaStrMove.MSVBVM60 ref: 2FFEF89E
__vbaStrCat.MSVBVM60(2FDDDAC8,00000000), ref: 2FFEF8A6
__vbaStrMove.MSVBVM60 ref: 2FFEF8AD
__vbaStrCat.MSVBVM60(2FDDDAA0,00000000), ref: 2FFEF8B5
__vbaStrMove.MSVBVM60 ref: 2FFEF8BC
__vbaStrCat.MSVBVM60(2FDDDAD0,00000000), ref: 2FFEF8C4
__vbaStrMove.MSVBVM60 ref: 2FFEF8CB
__vbaStrCat.MSVBVM60(2FDDDAD8,00000000), ref: 2FFEF8D3
__vbaStrMove.MSVBVM60 ref: 2FFEF8DA
__vbaStrCat.MSVBVM60(2FDDDAA0,00000000), ref: 2FFEF8E2
__vbaStrMove.MSVBVM60 ref: 2FFEF8E9
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 2FFEF8F0
GetProcAddress.KERNEL32(00000000,00000000), ref: 2FFEF8FE
__vbaFreeStrList.MSVBVM60(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 2FFEF943
__vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,0000000F,00000000), ref: 2FFEF95B
__vbaNew.MSVBVM60(2FDDDAFC,2FDDDB0C), ref: 2FFEF96E
__vbaObjSet.MSVBVM60(?,00000000), ref: 2FFEF979
__vbaCastObj.MSVBVM60(00000000), ref: 2FFEF980
__vbaObjSet.MSVBVM60(?,00000000), ref: 2FFEF98B
__vbaObjSetAddref.MSVBVM60(2FFF82D0,00000000), ref: 2FFEF999
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 2FFEF9A9
__vbaObjSetAddref.MSVBVM60(?), ref: 2FFEF9BF
#644.MSVBVM60(00000000), ref: 2FFEF9C6
__vbaFreeObj.MSVBVM60 ref: 2FFEF9D2
#644.MSVBVM60(?), ref: 2FFEF9DC
__vbaAryLock.MSVBVM60(?,?,?,?,00000000), ref: 2FFEFA0C
#644.MSVBVM60(?), ref: 2FFEFA24
__vbaAryUnlock.MSVBVM60(?), ref: 2FFEFA34
__vbaObjSetAddref.MSVBVM60(?,?,?,?,00000000), ref: 2FFEFA71
#644.MSVBVM60(00000000,?,?,?,00000000), ref: 2FFEFA78
__vbaFreeObj.MSVBVM60(?,?,?,00000000), ref: 2FFEFA84
#644.MSVBVM60(2FFF82CC,?,?,?,00000000), ref: 2FFEFA93
__vbaAryLock.MSVBVM60(?,?,00000000,?,00000004,?,?,?,00000000), ref: 2FFEFAB3
#644.MSVBVM60(?,?,?,?,00000000), ref: 2FFEFAC8
__vbaAryUnlock.MSVBVM60(?,?,?,?,00000000), ref: 2FFEFAD8
#644.MSVBVM60(?,?,?,?,00000000), ref: 2FFEFAF1
__vbaRedim.MSVBVM60(00000080,00000004,2FFF8214,00000003,00000001,00000010,00000000,00000000,?,?,?,?,00000000), ref: 2FFEFB2D
#644.MSVBVM60(?), ref: 2FFEFB3A
#644.MSVBVM60(?,-0000000C,00000000), ref: 2FFEFB60
__vbaAryLock.MSVBVM60(?,00000000,00000000,-0000000C), ref: 2FFEFB8C
__vbaStrCat.MSVBVM60(2FDDDB34,2FDDDB2C,?,00000040), ref: 2FFEFBC2
__vbaStrMove.MSVBVM60 ref: 2FFEFBC9
__vbaI4Str.MSVBVM60(00000000), ref: 2FFEFBCC
VirtualProtect.KERNELBASE(?,00000000), ref: 2FFEFBE2
__vbaHresultCheckObj.MSVBVM60(00000000,?,2FDDDB0C,0000002C,?,00000000), ref: 2FFEFBFC
__vbaAryUnlock.MSVBVM60(?,?,00000000), ref: 2FFEFC06
__vbaFreeStr.MSVBVM60(?,00000000), ref: 2FFEFC0F
#644.MSVBVM60(?,?,00000000), ref: 2FFEFC1F
__vbaAryLock.MSVBVM60(?,00000000,00000000,00000000,-0000000C,?,00000000), ref: 2FFEFC5A
#644.MSVBVM60(?,?,00000000), ref: 2FFEFC71
__vbaAryUnlock.MSVBVM60(?,?,00000000), ref: 2FFEFC7D
#644.MSVBVM60(00000040,00000000,00000000,-0000000C,?,00000000), ref: 2FFEFCB7
#644.MSVBVM60(0424448B,00000000,?,?,00000000), ref: 2FFEFCDD
#644.MSVBVM60(408B008B,00000000,?,?,00000000), ref: 2FFEFD03
#644.MSVBVM60(20C4832C,00000000,?,?,00000000), ref: 2FFEFD29
#644.MSVBVM60(E02474FF,00000000,?,?,00000000), ref: 2FFEFD4F
VirtualProtect.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000008,00000040,?,00000000,?,?,00000000), ref: 2FFEFDA6
__vbaHresultCheckObj.MSVBVM60(00000000,?,2FDDDB0C,00000020,?,00000000), ref: 2FFEFDC0
__vbaAryLock.MSVBVM60(?,00000000,00000000,?,00000000), ref: 2FFEFDEC
#644.MSVBVM60(?,?,00000000), ref: 2FFEFE03
__vbaAryUnlock.MSVBVM60(?,?,00000000), ref: 2FFEFE0F
#644.MSVBVM60(2FFF82CC,00000000,?,00000000), ref: 2FFEFE3C
#644.MSVBVM60(00000000,00000000,?,?,00000000), ref: 2FFEFE55
#644.MSVBVM60(-00000004,00000000,00000000,?,00000000), ref: 2FFEFE6D
__vbaFreeVar.MSVBVM60(?,-00000004,00000000,?,00000000), ref: 2FFEFE8B
__vbaAryDestruct.MSVBVM60(00000000,?,2FFEFF0C,?,00000000), ref: 2FFEFF05

Strings

@, xrefs: 2FFEFB55
bvm, xrefs: 2FFEF70F
DqlqlqFquqnqcqtqiqoqnqCqaqlqlq, xrefs: 2FFEF75A

Memory Dump Source

Source File: 00000000.00000002.1723644226.000000002FDE6000.00000020.00000001.01000000.00000003.sdmp, Offset: 2FDD0000, based on PE: true

Associated: 00000000.00000002.1723484498.000000002FDD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723539110.000000002FDD1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723590669.000000002FDDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723644226.000000002FDDF000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723928370.000000002FFF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723985843.000000002FFF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723985843.000000002FFFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724050644.000000002FFFD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fdd0000_Comprobante.jbxd

Yara matches

Similarity

API ID: __vba$#644Move$Free$List$LockUnlock$Addref$AddressAnsiCheckHandleHresultModuleProcProtectRedimVirtual$#632#653CastDestruct
String ID: @$DqlqlqFquqnqcqtqiqoqnqCqaqlqlq$bvm
API String ID: 3776562771-683613472
Opcode ID: 1612472a0cdf68550edad45eaa83b93fa066e4a49ab1853541c72af12ea92d5a
Instruction ID: 5840592ee5eb4cd59262bfa9e203703b8ff3a3b8cf926dfd96ed58bb9b9c4bbe
Opcode Fuzzy Hash: 1612472a0cdf68550edad45eaa83b93fa066e4a49ab1853541c72af12ea92d5a
Instruction Fuzzy Hash: 4242D9B2D00219AFDB14DFA5CC84EAEBBB9FF48310F108659E506E7394DA74A945CF60

Function 2FDDAF09 Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaFreeVar.MSVBVM60(?), ref: 2FFF57E2

Part of subcall function 2FFEF670: __vbaStrCat.MSVBVM60(2FDDD9F8,2FDDD9F0,?,6CF060EF), ref: 2FFEF6FF
Part of subcall function 2FFEF670: __vbaStrMove.MSVBVM60(?,6CF060EF), ref: 2FFEF70C
Part of subcall function 2FFEF670: __vbaStrCat.MSVBVM60(bvm,00000000,?,6CF060EF), ref: 2FFEF714
Part of subcall function 2FFEF670: __vbaStrMove.MSVBVM60(?,6CF060EF), ref: 2FFEF71B
Part of subcall function 2FFEF670: __vbaStrCat.MSVBVM60(2FDDDA10,00000000,?,6CF060EF), ref: 2FFEF723
Part of subcall function 2FFEF670: __vbaStrMove.MSVBVM60(?,6CF060EF), ref: 2FFEF72A
Part of subcall function 2FFEF670: #644.MSVBVM60(00000000,?,6CF060EF), ref: 2FFEF72D
Part of subcall function 2FFEF670: GetModuleHandleW.KERNEL32(00000000,?,6CF060EF), ref: 2FFEF734
Part of subcall function 2FFEF670: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,6CF060EF), ref: 2FFEF74D
Part of subcall function 2FFEF670: __vbaStrMove.MSVBVM60(?,6CF060EF), ref: 2FFEF77A
Part of subcall function 2FFEF670: __vbaStrToAnsi.MSVBVM60(?,00000000,?,6CF060EF), ref: 2FFEF781
Part of subcall function 2FFEF670: GetProcAddress.KERNEL32(00000000,00000000), ref: 2FFEF78F
Part of subcall function 2FFEF670: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,6CF060EF), ref: 2FFEF7A4

Part of subcall function 2FFF5D10: NtSetInformationProcess.NTDLL ref: 2FFF5D56

__vbaFreeVar.MSVBVM60(00000000), ref: 2FFF57F5

Memory Dump Source

Source File: 00000000.00000002.1723539110.000000002FDD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 2FDD0000, based on PE: true

Associated: 00000000.00000002.1723484498.000000002FDD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723590669.000000002FDDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723644226.000000002FDDF000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723644226.000000002FDE6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723928370.000000002FFF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723985843.000000002FFF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723985843.000000002FFFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724050644.000000002FFFD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fdd0000_Comprobante.jbxd

Yara matches

Similarity

API ID: __vba$FreeMove$List$#644AddressAnsiHandleInformationModuleProcProcess
String ID:
API String ID: 20434910-0
Opcode ID: c896e458f568ee7553a3a6abfe844c83a5c15cb50dc47f6d79281ff0014b217c
Instruction ID: 0b2d614a77e2c50a56fc9e49b20571d7bf262374d00319f1b1a8bcb789a66ba2
Opcode Fuzzy Hash: c896e458f568ee7553a3a6abfe844c83a5c15cb50dc47f6d79281ff0014b217c
Instruction Fuzzy Hash: 02F01D7281021DABDF24EBA4CD44B9EBB7DFF18600F840629E401B32E0D7386508CAA5

Non-executed Functions

Function 2FFC5AB1 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723644226.000000002FDE6000.00000020.00000001.01000000.00000003.sdmp, Offset: 2FDD0000, based on PE: true

Associated: 00000000.00000002.1723484498.000000002FDD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723539110.000000002FDD1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723590669.000000002FDDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723644226.000000002FDDF000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723928370.000000002FFF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723985843.000000002FFF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723985843.000000002FFFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724050644.000000002FFFD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fdd0000_Comprobante.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef41f23567e4e7422021a95af9bb6b13c8200b2295415d293bf1cf4d9d63b1a6
Instruction ID: 59558f5be4993443184884d8788bb99cc758ec3fe3790f3bf89be48c1f7931c5
Opcode Fuzzy Hash: ef41f23567e4e7422021a95af9bb6b13c8200b2295415d293bf1cf4d9d63b1a6
Instruction Fuzzy Hash: 09018C32610127DBC760EB1AC080992B7A7FF70764B8D02A3E5048BB25E2A6F990C651

Function 028C6F1C Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723201366.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_Comprobante.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edc08f61acc9f5cc15bc5d1fa67eb7274fb49b6e8f41d95be92fd142b7a216f6
Instruction ID: be07d096b4ad70621e1719f25bc1b4f6f367fda3e5eb452956186a21cba4effe
Opcode Fuzzy Hash: edc08f61acc9f5cc15bc5d1fa67eb7274fb49b6e8f41d95be92fd142b7a216f6
Instruction Fuzzy Hash: CEF0A73D229259CFC750CB15C484D36F3EDFB9826876195AEF40ACBA19E334E544CE50

Function 028C325C Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723201366.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_Comprobante.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b399b04e11d1ff954b26d47aa0a54e719ae22316263aa56bc50ae1b8ddb9bc6
Instruction ID: 16fccf18637eeb619204f83f0930361a8bc52be9cda4c1a24b139329881d047b
Opcode Fuzzy Hash: 0b399b04e11d1ff954b26d47aa0a54e719ae22316263aa56bc50ae1b8ddb9bc6
Instruction Fuzzy Hash: 5FF0393B2106549FCA60DB99C480A6AB3E9FB8067173588ADE48DD7A14C330FC42CB90

Function 028C453A Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723201366.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_Comprobante.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5206b5fdde261f5c4ffe55f60533539a84919425955c4bd864ae13984b1d46f1
Instruction ID: 6775742beadf8eef3e636b93134f7318793952e22f365c837b85ec0108b16ed0
Opcode Fuzzy Hash: 5206b5fdde261f5c4ffe55f60533539a84919425955c4bd864ae13984b1d46f1
Instruction Fuzzy Hash: F7D012BD211544DFC709AB28F47473533A6EB88729F750CACE006DA981DB3D9485CF12

Function 028C7096 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723201366.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_Comprobante.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5731e5a84f94e33c26e754f65156c3b218c94ee109a1d41aab747fae4793ccf0
Instruction ID: 05e8b5742db539e81cc4174594596026e77d48ff69d33bb057d3ffc13d19160b
Opcode Fuzzy Hash: 5731e5a84f94e33c26e754f65156c3b218c94ee109a1d41aab747fae4793ccf0
Instruction Fuzzy Hash: 4DB01239219548CFC2C1CB05C050F1077F8F700600F0110F0F00A8BD11C338E800CD01

Function 028C6CD3 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723201366.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_Comprobante.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde7dd23c866fd0e5427e328a64a23a4a7a3ee29ed8c7cdc229f235b66456861
Instruction ID: c5fdcd3e73d392331be04f4fdb87fb3375e74b9bbd9d407804a87ba4a80c75b7
Opcode Fuzzy Hash: dde7dd23c866fd0e5427e328a64a23a4a7a3ee29ed8c7cdc229f235b66456861
Instruction Fuzzy Hash: B7B01238114540CFD2D5CF0AC080F1033B8F740600F4501F0F0028F951C734DD00C900

Function 028C6E91 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723201366.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_Comprobante.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f939d55f2c63572dd8f9070e8f1955d47f255820f43dfd4451017f1251b844b4
Instruction ID: 19f5fbdaeb6b1774d00d12580d3ef4c7ced085c7a95a350a1cf9363335675157
Opcode Fuzzy Hash: f939d55f2c63572dd8f9070e8f1955d47f255820f43dfd4451017f1251b844b4
Instruction Fuzzy Hash: 70B00135266981CFC2A6CB0AC194F6073B8FB04A51F4654F0E4059BE62C338AA00DA40

Function 028C6E35 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723201366.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_Comprobante.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f553cc35015694a6b99fe1575bc5e4f12082bc079a8ea33aad92f6dcddaea6
Instruction ID: 3fbcf16ee543997b5bb480118da3ee13fde7a9222f026dd6911fa0adc062c95f
Opcode Fuzzy Hash: 01f553cc35015694a6b99fe1575bc5e4f12082bc079a8ea33aad92f6dcddaea6
Instruction Fuzzy Hash: 2EB00139266980CFC296DB0AC1A4F5073B8FB05B45F8614F0E4458BA62C338A900CA01

Function 028C6D25 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723201366.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_Comprobante.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e609441c6bf96b14726226fb1f65896002eed9097537fb59771a22ea209f5011
Instruction ID: 696e96d1acc2f29c2ab54321e1842fe1ea55b3caf99830f55fcef4630c6b48f8
Opcode Fuzzy Hash: e609441c6bf96b14726226fb1f65896002eed9097537fb59771a22ea209f5011
Instruction Fuzzy Hash: D3B00135266981CFD296CB4AC2A4F5073B8FB04A41F4614F1E4058BAA2C338A900CA10

Function 028C733E Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1723201366.00000000028C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 028C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28c0000_Comprobante.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1bbdb82ec5f2f0086ea04d2d42af104018b1aab3f96ec8585fadfab406ea36f
Instruction ID: ca45eebd35cd693e88a0d7199b09ab4cc9d5ab6b7af17f5b962d3ac296bfd03d
Opcode Fuzzy Hash: a1bbdb82ec5f2f0086ea04d2d42af104018b1aab3f96ec8585fadfab406ea36f
Instruction Fuzzy Hash: 50B00136266A80CFC296CB0AC594F5073B8FB05A51F4694F0E4058BE62C738A900CE11

Function 2FDDA771 Relevance: 57.9, APIs: 22, Strings: 11, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCat.MSVBVM60(@o@s@o@f,M@i@c@r), ref: 2FFF3C8D
__vbaStrMove.MSVBVM60 ref: 2FFF3C9A
__vbaStrCat.MSVBVM60(@t@ @E@n@h@a@n,00000000), ref: 2FFF3CA2
__vbaStrMove.MSVBVM60 ref: 2FFF3CA9
__vbaStrCat.MSVBVM60(@c@e@d@ @R@S@,00000000), ref: 2FFF3CB1
__vbaStrMove.MSVBVM60 ref: 2FFF3CB8
__vbaStrCat.MSVBVM60(A@ @a@n,00000000), ref: 2FFF3CC0
__vbaStrMove.MSVBVM60 ref: 2FFF3CC7
__vbaStrCat.MSVBVM60(@d@ @A@E@S@ ,00000000), ref: 2FFF3CCF
__vbaStrMove.MSVBVM60 ref: 2FFF3CD6
__vbaStrCat.MSVBVM60(@C@r@y@,00000000), ref: 2FFF3CDE
__vbaStrMove.MSVBVM60 ref: 2FFF3CE5
__vbaStrCat.MSVBVM60(p@t@o@g@r@a@,00000000), ref: 2FFF3CED
__vbaStrMove.MSVBVM60 ref: 2FFF3CF4
__vbaStrCat.MSVBVM60(p@h@i@c@ @P@r,00000000), ref: 2FFF3CFC
__vbaStrMove.MSVBVM60 ref: 2FFF3D03
__vbaStrCat.MSVBVM60(@o@v@i@d,00000000), ref: 2FFF3D0B
__vbaStrMove.MSVBVM60 ref: 2FFF3D12
__vbaStrCat.MSVBVM60(@e@r@,00000000), ref: 2FFF3D1A

Part of subcall function 2FFF3540: __vbaVarDup.MSVBVM60(6CE1D8B1,6CE0A323), ref: 2FFF3583
Part of subcall function 2FFF3540: #653.MSVBVM60(?,?), ref: 2FFF3591
Part of subcall function 2FFF3540: __vbaI4Var.MSVBVM60(?), ref: 2FFF359B
Part of subcall function 2FFF3540: __vbaFreeVar.MSVBVM60 ref: 2FFF35B4
Part of subcall function 2FFF3540: #632.MSVBVM60(?,?,?,?), ref: 2FFF35F0
Part of subcall function 2FFF3540: __vbaVarCat.MSVBVM60(?,?,00000008), ref: 2FFF3602
Part of subcall function 2FFF3540: __vbaStrVarMove.MSVBVM60(00000000), ref: 2FFF3609
Part of subcall function 2FFF3540: __vbaStrMove.MSVBVM60 ref: 2FFF3614
Part of subcall function 2FFF3540: __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 2FFF3624
Part of subcall function 2FFF3540: __vbaFreeVar.MSVBVM60(2FFF3669), ref: 2FFF3662

__vbaStrMove.MSVBVM60 ref: 2FFF3D47
__vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?), ref: 2FFF3D6F
__vbaFreeVar.MSVBVM60 ref: 2FFF3D7B

Strings

A@ @a@n, xrefs: 2FFF3CBB
@C@r@y@, xrefs: 2FFF3CD9
@t@ @E@n@h@a@n, xrefs: 2FFF3C9D
p@t@o@g@r@a@, xrefs: 2FFF3CE8
p@h@i@c@ @P@r, xrefs: 2FFF3CF7
@o@v@i@d, xrefs: 2FFF3D06
@e@r@, xrefs: 2FFF3D15
@c@e@d@ @R@S@, xrefs: 2FFF3CAC
M@i@c@r, xrefs: 2FFF3C83
@d@ @A@E@S@ , xrefs: 2FFF3CCA
@o@s@o@f, xrefs: 2FFF3C88

Memory Dump Source

Source File: 00000000.00000002.1723539110.000000002FDD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 2FDD0000, based on PE: true

Associated: 00000000.00000002.1723484498.000000002FDD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723590669.000000002FDDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723644226.000000002FDDF000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723644226.000000002FDE6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723928370.000000002FFF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723985843.000000002FFF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723985843.000000002FFFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724050644.000000002FFFD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fdd0000_Comprobante.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$List$#632#653
String ID: @C@r@y@$@c@e@d@ @R@S@$@d@ @A@E@S@ $@e@r@$@o@s@o@f$@o@v@i@d$@t@ @E@n@h@a@n$A@ @a@n$M@i@c@r$p@h@i@c@ @P@r$p@t@o@g@r@a@
API String ID: 193477259-3817434718
Opcode ID: 2837ef12fa2fe9c6dc0f0dc83774a8ddc15df0959ec087acce58dcd6b162adcd
Instruction ID: 900a3664aedf80b65bfe0366339ec69860adc6c9fd674cc82c57f36d848e5919
Opcode Fuzzy Hash: 2837ef12fa2fe9c6dc0f0dc83774a8ddc15df0959ec087acce58dcd6b162adcd
Instruction Fuzzy Hash: 9B41C972D10259AFDB05EFA9CC84DEEBBB9FF88600B14825BF401A7254DA745909CFA1

Function 2FDDA789 Relevance: 33.1, APIs: 22, Instructions: 134COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(2FDDE798,2FDDE960), ref: 2FFF3E6D
__vbaStrMove.MSVBVM60 ref: 2FFF3E7A
__vbaStrCat.MSVBVM60(2FDDE608,00000000), ref: 2FFF3E82
__vbaStrMove.MSVBVM60 ref: 2FFF3E89
__vbaStrCat.MSVBVM60(2FDDE528,00000000), ref: 2FFF3E91
__vbaStrMove.MSVBVM60 ref: 2FFF3E98
__vbaStrCat.MSVBVM60(2FDDE708,00000000), ref: 2FFF3EA0
__vbaStrMove.MSVBVM60 ref: 2FFF3EA7
__vbaStrCat.MSVBVM60(2FDDEB0C,00000000), ref: 2FFF3EAF
__vbaStrMove.MSVBVM60 ref: 2FFF3EB6
__vbaStrCat.MSVBVM60(2FDDEB38,00000000), ref: 2FFF3EBE
__vbaStrMove.MSVBVM60 ref: 2FFF3EC5
__vbaStrCat.MSVBVM60(2FDDEB54,00000000), ref: 2FFF3ECD
__vbaStrMove.MSVBVM60 ref: 2FFF3ED4
__vbaStrCat.MSVBVM60(2FDDEB80,00000000), ref: 2FFF3EDC
__vbaStrMove.MSVBVM60 ref: 2FFF3EE3
__vbaStrCat.MSVBVM60(2FDDEBA4,00000000), ref: 2FFF3EEB
__vbaStrMove.MSVBVM60 ref: 2FFF3EF2
__vbaStrCat.MSVBVM60(2FDDEBBC,00000000), ref: 2FFF3EFA

Part of subcall function 2FFF3540: __vbaVarDup.MSVBVM60(6CE1D8B1,6CE0A323), ref: 2FFF3583
Part of subcall function 2FFF3540: #653.MSVBVM60(?,?), ref: 2FFF3591
Part of subcall function 2FFF3540: __vbaI4Var.MSVBVM60(?), ref: 2FFF359B
Part of subcall function 2FFF3540: __vbaFreeVar.MSVBVM60 ref: 2FFF35B4
Part of subcall function 2FFF3540: #632.MSVBVM60(?,?,?,?), ref: 2FFF35F0
Part of subcall function 2FFF3540: __vbaVarCat.MSVBVM60(?,?,00000008), ref: 2FFF3602
Part of subcall function 2FFF3540: __vbaStrVarMove.MSVBVM60(00000000), ref: 2FFF3609
Part of subcall function 2FFF3540: __vbaStrMove.MSVBVM60 ref: 2FFF3614
Part of subcall function 2FFF3540: __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 2FFF3624
Part of subcall function 2FFF3540: __vbaFreeVar.MSVBVM60(2FFF3669), ref: 2FFF3662

__vbaStrMove.MSVBVM60 ref: 2FFF3F27
__vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?), ref: 2FFF3F4F
__vbaFreeVar.MSVBVM60 ref: 2FFF3F5B

Memory Dump Source

Source File: 00000000.00000002.1723539110.000000002FDD1000.00000020.00000001.01000000.00000003.sdmp, Offset: 2FDD0000, based on PE: true

Associated: 00000000.00000002.1723484498.000000002FDD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723590669.000000002FDDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723644226.000000002FDDF000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723644226.000000002FDE6000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723928370.000000002FFF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723985843.000000002FFF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723985843.000000002FFFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724050644.000000002FFFD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fdd0000_Comprobante.jbxd

Yara matches

Similarity

API ID: __vba$Move$Free$List$#632#653
String ID:
API String ID: 193477259-0
Opcode ID: 7b7e11ff98aaa61ddfbe02894c4748fc6074a3ea9ee0b167a1e439305ce71dbc
Instruction ID: 5fe3cc485dd620f1131f0efc9e4546e7a998ab03fec4f7e2e5b33508f8506be6
Opcode Fuzzy Hash: 7b7e11ff98aaa61ddfbe02894c4748fc6074a3ea9ee0b167a1e439305ce71dbc
Instruction Fuzzy Hash: 6F41CFB2D1011CABDB55DFA9CC84DEEBBB9EF88700F10815BF402A3254DA746909CFA1

Function 2FFF3540 Relevance: 15.1, APIs: 10, Instructions: 80COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60(6CE1D8B1,6CE0A323), ref: 2FFF3583
#653.MSVBVM60(?,?), ref: 2FFF3591
__vbaI4Var.MSVBVM60(?), ref: 2FFF359B
__vbaFreeVar.MSVBVM60 ref: 2FFF35B4
#632.MSVBVM60(?,?,?,?), ref: 2FFF35F0
__vbaVarCat.MSVBVM60(?,?,00000008), ref: 2FFF3602
__vbaStrVarMove.MSVBVM60(00000000), ref: 2FFF3609
__vbaStrMove.MSVBVM60 ref: 2FFF3614
__vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 2FFF3624
__vbaFreeVar.MSVBVM60(2FFF3669), ref: 2FFF3662

Memory Dump Source

Source File: 00000000.00000002.1723644226.000000002FDE6000.00000020.00000001.01000000.00000003.sdmp, Offset: 2FDD0000, based on PE: true

Associated: 00000000.00000002.1723484498.000000002FDD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723539110.000000002FDD1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723590669.000000002FDDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723644226.000000002FDDF000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723928370.000000002FFF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723985843.000000002FFF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723985843.000000002FFFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724050644.000000002FFFD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fdd0000_Comprobante.jbxd

Yara matches

Similarity

API ID: __vba$Free$Move$#632#653List
String ID:
API String ID: 1043057846-0
Opcode ID: 8e6dc45ea9f51805dbfef16227e2cee222c63e8f88b885ce9b7a0bc1c6ca8cdf
Instruction ID: f562cc79226813140eb047ef8389420e5f9e4d45fb9874e8ee3cddc5eb536827
Opcode Fuzzy Hash: 8e6dc45ea9f51805dbfef16227e2cee222c63e8f88b885ce9b7a0bc1c6ca8cdf
Instruction Fuzzy Hash: BE31C8B2C0020DAFDB04DFA5C884EEEBBB9FB48714F008619E525A7390EB785619CF50

Function 2FFF0130 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

#644.MSVBVM60(?,2FFEFF20,00000001,6CEEEC2C,00000000,?,?,?,?,?,?,Function_00001006), ref: 2FFF0187
#644.MSVBVM60(00000001,?,?,?,?,?,?,Function_00001006), ref: 2FFF0192
#644.MSVBVM60(00000000,00000000,00000000,?,?,?,?,?,?,Function_00001006), ref: 2FFF01A4
#644.MSVBVM60(-00000004,00000000,00000000,00000004,?,?,?,?,?,?,Function_00001006), ref: 2FFF01C2

Memory Dump Source

Source File: 00000000.00000002.1723644226.000000002FDE6000.00000020.00000001.01000000.00000003.sdmp, Offset: 2FDD0000, based on PE: true

Associated: 00000000.00000002.1723484498.000000002FDD0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723539110.000000002FDD1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723590669.000000002FDDD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723644226.000000002FDDF000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723928370.000000002FFF7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723985843.000000002FFF8000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1723985843.000000002FFFC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1724050644.000000002FFFD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2fdd0000_Comprobante.jbxd

Yara matches

Similarity

API ID: #644
String ID:
API String ID: 700137900-0
Opcode ID: 4101a6381b10bc0fb8424739667328de148d4d5a107f858bd6c8a2b4ce079a3a
Instruction ID: eeef7e020e89829340de614454815de086fb8e4e60faf73fda3811529d5f8038
Opcode Fuzzy Hash: 4101a6381b10bc0fb8424739667328de148d4d5a107f858bd6c8a2b4ce079a3a
Instruction Fuzzy Hash: 16118CB1D00208AFD704DBB9CD80EAEBBBEEB48720B14431AE501E33A4D6786D00CB60

Analysis Process: RegAsm.exePID: 6228, Parent PID: 7012COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	9.7%
Signature Coverage:	9.7%
Total number of Nodes:	31
Total number of Limit Nodes:	0

Executed Functions

Function 0314A6CD Relevance: 2.8, Instructions: 2759COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2903933231.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3140000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e336a950b91b4fb9557ad425acc4bb1c37d24abe98e74814f1bc7caf128bbec6
Instruction ID: 24935ad35320b3ba0b5997f992ad5f0a863b55eabdbf00e25405e3d25d47535e
Opcode Fuzzy Hash: e336a950b91b4fb9557ad425acc4bb1c37d24abe98e74814f1bc7caf128bbec6
Instruction Fuzzy Hash: BD53E531C10B1A8ADB51EF68C890599F7B1FF99300F15D79AE4587B221FB70AAD4CB81

Function 03147068 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 031470DF

Memory Dump Source

Source File: 00000001.00000002.2903933231.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3140000_RegAsm.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 0dc3d6a6e98914c0e1aa253540fc30ccce2a80bbf8921389a5917f73d101e568
Instruction ID: 5b18c525820707f3ee51cab36ef79e5fb2309263d1f37779c7e94395fc74a227
Opcode Fuzzy Hash: 0dc3d6a6e98914c0e1aa253540fc30ccce2a80bbf8921389a5917f73d101e568
Instruction Fuzzy Hash: 2E2125B28012598FCB10CF9AD984BEEFBF4AF49320F14846AE459B7250D778A944CF65

Function 004459BD Relevance: 1.5, APIs: 1, Instructions: 28
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000), ref: 00445D9D

Memory Dump Source

Source File: 00000001.00000002.2902848965.0000000000442000.00000040.80000000.00040000.00000000.sdmp, Offset: 00442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_442000_RegAsm.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 283af8b6fff400df6543712bb3061a0b8413ae34f48b2a5070f880ecefdd20e2
Instruction ID: 1a5acb39db5aae2b03a091339b4b330749e96e546191f31a262f57f3db21f8be
Opcode Fuzzy Hash: 283af8b6fff400df6543712bb3061a0b8413ae34f48b2a5070f880ecefdd20e2
Instruction Fuzzy Hash: 5FF0A771508542EFEB05C740C896F9C7BA4BF01308F244296A0429B1D1DA78E602D712

Function 00445C4B Relevance: 1.5, APIs: 1, Instructions: 27
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000), ref: 00445D9D

Memory Dump Source

Source File: 00000001.00000002.2902848965.0000000000442000.00000040.80000000.00040000.00000000.sdmp, Offset: 00442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_442000_RegAsm.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 287b3376fd21f26de0df136aedac01950156459d7427143cf8e8e389bac5d5f2
Instruction ID: 2e84749359dffac31345b85070a828cbe2b98a4c5cf7316c249972bc98c716a2
Opcode Fuzzy Hash: 287b3376fd21f26de0df136aedac01950156459d7427143cf8e8e389bac5d5f2
Instruction Fuzzy Hash: B6F0A77190C6819FF70AC750C865BE93F709F12314F2542EF90428E0D3D92C9606C712

Function 00445D96 Relevance: 1.5, APIs: 1, Instructions: 14
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000), ref: 00445D9D

Memory Dump Source

Source File: 00000001.00000002.2902848965.0000000000442000.00000040.80000000.00040000.00000000.sdmp, Offset: 00442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_442000_RegAsm.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 61a393746a203315afd59c6e3be928e985eb98682a7d78fafb5053d0dd83222d
Instruction ID: 8edfb8ee8904fb40599f40bf4ab24fd4cd20ffa869e4555b0818ac8740eb5c7c
Opcode Fuzzy Hash: 61a393746a203315afd59c6e3be928e985eb98682a7d78fafb5053d0dd83222d
Instruction Fuzzy Hash: B9D05E3190D581CFFB068B14C8547AC7B62AF62308B1A40E2D0868E5EACA3CDA06D716

Function 03143E68 Relevance: 1.5, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\VJm, xrefs: 031440B3

Memory Dump Source

Source File: 00000001.00000002.2903933231.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3140000_RegAsm.jbxd

Similarity

API ID:
String ID: \VJm
API String ID: 0-4047210350
Opcode ID: 7064492c5278617e9b387b6505488b0d6e3c1d6f1b71efe7a19d5430a05dbdc0
Instruction ID: 7de18c89a0ee14ed95421dfc874d67b36fd062cc7f493cc9ac6ca21249d2ab1b
Opcode Fuzzy Hash: 7064492c5278617e9b387b6505488b0d6e3c1d6f1b71efe7a19d5430a05dbdc0
Instruction Fuzzy Hash: 7B917E70E002099FDF14CFAAD9917DDBBF2AF8C714F188529E414AB294EB349895CB81

Function 03144A80 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2903933231.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3140000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4674140c8241ef8f2fb6918ac9500c101739d54a77d7fd1a429025b08f9e1e9
Instruction ID: 01e6a9c45ae67c263ea8599ac1c99b501d4e74aa28e7a0ce2f0ffd5705eb559e
Opcode Fuzzy Hash: d4674140c8241ef8f2fb6918ac9500c101739d54a77d7fd1a429025b08f9e1e9
Instruction Fuzzy Hash: B2B13F70E002098FDB14CFAAD99579DBBF2AF8C714F188529D415EB294EF749885CB81

Function 03147060 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 031470DF

Memory Dump Source

Source File: 00000001.00000002.2903933231.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3140000_RegAsm.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: ffd049d84b2a32df6a822973c5f24129f64c934d540eed46dd6c16dac98c70a8
Instruction ID: fea47be876ce9ebe8e72001d0533992186eb49feb0c085a836f242390bb3e4b8
Opcode Fuzzy Hash: ffd049d84b2a32df6a822973c5f24129f64c934d540eed46dd6c16dac98c70a8
Instruction Fuzzy Hash: E12136B280125ACFCB10CFA9D985BEEFBF4AF49320F14846AE455B3250D778A944CF60

Function 0153D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2903338328.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_153d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 272eae68816956346685a6ca25ab4904ae1fccce93ee77c20effd60f1fe7bbf9
Instruction ID: df177c86d5297a6853e3924bc7f5c7fa2764d34d89223de8363d7c8091b17c7a
Opcode Fuzzy Hash: 272eae68816956346685a6ca25ab4904ae1fccce93ee77c20effd60f1fe7bbf9
Instruction Fuzzy Hash: 70210071604200DFCB15DFA8D984B2AFBB5FB84B14F60C969D8494F256D33AD446CA61

Function 0153D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2903338328.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_153d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba8cd123528781676b86ac6fc5f931996ee33609d3a4ab10b7c71828b73696fe
Instruction ID: ed6e79787eaa7cf07b400861fbef12c20de2a10e7a74e3f41da667c7ef8ef8e6
Opcode Fuzzy Hash: ba8cd123528781676b86ac6fc5f931996ee33609d3a4ab10b7c71828b73696fe
Instruction Fuzzy Hash: 34217C755093808FDB02CF64D994B15BF71FB86614F28C5EAD8498F667C33A980ACB62

Non-executed Functions

Function 0314DD28 Relevance: 2.0, Instructions: 1962COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2903933231.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3140000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75f15112cbad85265ebe5e33700325f9c5acee497581ad18fac644bebe59db28
Instruction ID: 2a4d17828966ea3bd7bb127e641c50cc93c31bed14147263d58259bfea99a477
Opcode Fuzzy Hash: 75f15112cbad85265ebe5e33700325f9c5acee497581ad18fac644bebe59db28
Instruction Fuzzy Hash: EF23E931D10B198ECB11EF68C8945ADF7B1FF99300F15D79AE458AB221EB70AAC5CB41

Function 031441B0 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\VJm, xrefs: 03144467

Memory Dump Source

Source File: 00000001.00000002.2903933231.0000000003140000.00000040.00000800.00020000.00000000.sdmp, Offset: 03140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_3140000_RegAsm.jbxd

Similarity

API ID:
String ID: \VJm
API String ID: 0-4047210350
Opcode ID: 5f1f4c30f35e8ad3e4b2360e044e032357efadb5f6d53ac31c835a8a96d5581c
Instruction ID: 5cee0b8a4583c89367038b836273fe5ff7c3eb0b1faba215c851a86aae5d2bd4
Opcode Fuzzy Hash: 5f1f4c30f35e8ad3e4b2360e044e032357efadb5f6d53ac31c835a8a96d5581c
Instruction Fuzzy Hash: 61B15E70E00219CFDF10CFAAD99579DBBF2AF8C714F188529D419AB254EF749845CB81

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Comprobante.de.pago.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\bc49718863ee53e026d805ec372039e9_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
Comprobante.de.pago.pdf.exe

Function 028C2C8B Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 369
nativethreadprocessCOMMON

Function 2FFC54FB Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
nativememoryCOMMON

Function 2FFF5D10 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25
nativeCOMMON

Function 2FFEF670 Relevance: 184.4, APIs: 102, Strings: 3, Instructions: 674
librarymemoryloaderCOMMON

Function 2FDDAF09 Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Function 2FDDA771 Relevance: 57.9, APIs: 22, Strings: 11, Instructions: 140
COMMON

Function 03147068 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 004459BD Relevance: 1.5, APIs: 1, Instructions: 28
memorynativeCOMMON

Function 00445C4B Relevance: 1.5, APIs: 1, Instructions: 27
memorynativeCOMMON

Function 00445D96 Relevance: 1.5, APIs: 1, Instructions: 14
memorynativeCOMMON

Function 03143E68 Relevance: 1.5, Strings: 1, Instructions: 238
COMMON

Function 03147060 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON