
Windows Analysis Report
rComprobante_swift_8676534657698632.exe

Overview

General Information

Sample name: rComprobante_swift_8676534657698632.exe
Analysis ID: 1588215
MD5: 20536d622fb95bee3d87757e3efa74e0
SHA1: 14e098d669f3f38235ad3152c0e5c45d20a827e0
SHA256: a3a54505cb30e3eda94163b884011c9547bdf83ffdb0cd83dbff798c5345948f
Tags: exe, user-Porcupine

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • rComprobante_swift_8676534657698632.exe (PID: 7784 cmdline: "C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe" MD5: 20536D622FB95BEE3D87757E3EFA74E0)
    • RegAsm.exe (PID: 7924 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 7932 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware configuration: {"Exfil Mode": "FTP", "Host": "ftp://ftp.controlfire.com.mx", "Username": "usufffaz@controlfire.com.mx", "Password": "0a4XlE=4t8mz"}
Source | Rule | Description | Author | Strings
00000000.00000002.1447543594.0000000002392000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.1447543594.0000000002392000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.3814858618.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.3814858618.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000003.1425791083.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(table truncated; 15 entries in total)

Source | Rule | Description | Author | Strings
0.3.rComprobante_swift_8676534657698632.exe.597b74.0.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.3.rComprobante_swift_8676534657698632.exe.597b74.0.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.3.rComprobante_swift_8676534657698632.exe.597b74.0.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.3.rComprobante_swift_8676534657698632.exe.597b74.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x34431:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x344a3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3452d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x345bf:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x34629:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3469b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x34731:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x347c1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.rComprobante_swift_8676534657698632.exe.597b74.0.raw.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
  • 0x315a6:$s2: GetPrivateProfileString
  • 0x30c83:$s3: get_OSFullName
  • 0x322fb:$s5: remove_Key
  • 0x324b5:$s5: remove_Key
  • 0x333de:$s6: FtpWebRequest
  • 0x34413:$s7: logins
  • 0x34985:$s7: logins
  • 0x37674:$s7: logins
  • 0x37748:$s7: logins
  • 0x3909d:$s7: logins
  • 0x382e2:$s9: 1.85 (Hash, version 2, native byte-order)
(table truncated; 32 entries in total)

No Sigma rule has matched
No Suricata rule has matched

                  AV Detection

Source: rComprobante_swift_8676534657698632.exe | Avira: detected
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.2.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.controlfire.com.mx", "Username": "usufffaz@controlfire.com.mx", "Password": "0a4XlE=4t8mz"}
Source: rComprobante_swift_8676534657698632.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: rComprobante_swift_8676534657698632.exe | Joe Sandbox ML: detected
Source: rComprobante_swift_8676534657698632.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

                  Networking

Source: Yara match | File source: 0.3.rComprobante_swift_8676534657698632.exe.597b74.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.rComprobante_swift_8676534657698632.exe.2390000.0.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: rComprobante_swift_8676534657698632.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: rComprobante_swift_8676534657698632.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: rComprobante_swift_8676534657698632.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: rComprobante_swift_8676534657698632.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rComprobante_swift_8676534657698632.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: rComprobante_swift_8676534657698632.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: rComprobante_swift_8676534657698632.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: rComprobante_swift_8676534657698632.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: rComprobante_swift_8676534657698632.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RegAsm.exe, 00000003.00000002.3816191029.0000000003081000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3816191029.0000000003163000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3816191029.0000000003148000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: rComprobante_swift_8676534657698632.exe, 00000000.00000002.1447543594.0000000002392000.00000040.10000000.00040000.00000000.sdmp, rComprobante_swift_8676534657698632.exe, 00000000.00000003.1443481161.0000000000591000.00000004.00000020.00020000.00000000.sdmp, rComprobante_swift_8676534657698632.exe, 00000000.00000003.1425791083.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp, rComprobante_swift_8676534657698632.exe, 00000000.00000003.1425893879.0000000000591000.00000004.00000020.00020000.00000000.sdmp, rComprobante_swift_8676534657698632.exe, 00000000.00000003.1444309075.0000000000598000.00000004.00000020.00020000.00000000.sdmp, rComprobante_swift_8676534657698632.exe, 00000000.00000003.1425648572.0000000000572000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3814858618.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3816191029.0000000003081000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3816191029.0000000003148000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: rComprobante_swift_8676534657698632.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: rComprobante_swift_8676534657698632.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: rComprobante_swift_8676534657698632.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: rComprobante_swift_8676534657698632.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: RegAsm.exe, 00000003.00000002.3816191029.0000000003081000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3816191029.0000000003148000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rComprobante_swift_8676534657698632.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: rComprobante_swift_8676534657698632.exe, 00000000.00000002.1447543594.0000000002392000.00000040.10000000.00040000.00000000.sdmp, rComprobante_swift_8676534657698632.exe, 00000000.00000003.1443481161.0000000000591000.00000004.00000020.00020000.00000000.sdmp, rComprobante_swift_8676534657698632.exe, 00000000.00000003.1425791083.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp, rComprobante_swift_8676534657698632.exe, 00000000.00000003.1425893879.0000000000591000.00000004.00000020.00020000.00000000.sdmp, rComprobante_swift_8676534657698632.exe, 00000000.00000003.1444309075.0000000000598000.00000004.00000020.00020000.00000000.sdmp, rComprobante_swift_8676534657698632.exe, 00000000.00000003.1425648572.0000000000572000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3814858618.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: rComprobante_swift_8676534657698632.exe | String found in binary or memory: https://github.com/mullvad/mullvadvpn-app#readme0

                  System Summary

Source: 0.3.rComprobante_swift_8676534657698632.exe.597b74.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b74.0.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.2.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.1.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.2.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.rComprobante_swift_8676534657698632.exe.2390000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.rComprobante_swift_8676534657698632.exe.2390000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b74.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b74.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000000.00000002.1447981911.000000000330D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe | Code function: 0_2_03526470 __vbaFreeVar,NtSetInformationProcess
Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe | Code function: 0_2_034F54FB NtAllocateVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory
Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe | Code function: 0_2_02342833 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,NtTerminateProcess
Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe | Code function: 0_2_02342813 NtCreateSection,NtMapViewOfSection,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,NtTerminateProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0044640A NtAllocateVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0044393E NtClose
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004435A5 NtDelayExecution
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004462D5 NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00445ABD NtAllocateVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_004463CB NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00443BAA NtClose,NtCreateThreadEx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00443C1A NtCreateThreadEx
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_0044643E NtProtectVirtualMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_00445BF7 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe | Code function: 0_2_0330AD20
Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe | Code function: 0_2_0330CA23
Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe | Code function: 0_2_0330CE94
Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe | Code function: 0_2_0330C88A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_014BA628
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_014BDA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_014B4A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_014B3E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_014B41B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_068B2490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_068B12E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_068B3C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 3_2_068B3548
Source: rComprobante_swift_8676534657698632.exe | Static PE information: invalid certificate
Source: rComprobante_swift_8676534657698632.exe, 00000000.00000000.1344776729.000000000352D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename acvm7qw909e.exe vs rComprobante_swift_8676534657698632.exe
Source: rComprobante_swift_8676534657698632.exe, 00000000.00000003.1443481161.0000000000591000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename 924b0ba6-e74e-4c09-aebe-86b4db498070.exe4 vs rComprobante_swift_8676534657698632.exe
Source: rComprobante_swift_8676534657698632.exe, 00000000.00000003.1425791083.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename 924b0ba6-e74e-4c09-aebe-86b4db498070.exe4 vs rComprobante_swift_8676534657698632.exe
Source: rComprobante_swift_8676534657698632.exe, 00000000.00000003.1425893879.0000000000591000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename 924b0ba6-e74e-4c09-aebe-86b4db498070.exe4 vs rComprobante_swift_8676534657698632.exe
Source: rComprobante_swift_8676534657698632.exe, 00000000.00000002.1447543594.00000000023CE000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename 924b0ba6-e74e-4c09-aebe-86b4db498070.exe4 vs rComprobante_swift_8676534657698632.exe
Source: rComprobante_swift_8676534657698632.exe, 00000000.00000003.1444309075.0000000000598000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename 924b0ba6-e74e-4c09-aebe-86b4db498070.exe4 vs rComprobante_swift_8676534657698632.exe
Source: rComprobante_swift_8676534657698632.exe, 00000000.00000003.1425648572.0000000000572000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename 924b0ba6-e74e-4c09-aebe-86b4db498070.exe4 vs rComprobante_swift_8676534657698632.exe
Source: rComprobante_swift_8676534657698632.exe | Binary or memory string: OriginalFilename acvm7qw909e.exe vs rComprobante_swift_8676534657698632.exe
Source: rComprobante_swift_8676534657698632.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b74.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b74.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.rComprobante_swift_8676534657698632.exe.2390000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.rComprobante_swift_8676534657698632.exe.2390000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b74.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.rComprobante_swift_8676534657698632.exe.597b74.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 00000000.00000002.1447981911.000000000330D000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@5/1@1/1
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\1d921b7dbd459b1bfc7fa12af4fbde00_9e146be9-c76a-4720-bcdb-53011b87bd06Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: NULL
                  Source: rComprobante_swift_8676534657698632.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                  Source: RegAsm.exe, 00000003.00000002.3816191029.0000000003193000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3816191029.0000000003180000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: rComprobante_swift_8676534657698632.exeReversingLabs: Detection: 47%
                  Source: unknownProcess created: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe "C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe"
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"Jump to behavior
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Section loaded: msvbvm60.dll
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Section loaded: vb6zz.dll
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Section loaded: vb6de.dll
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Section loaded: sxs.dll
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Section loaded: textshaping.dll
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Section loaded: sspicli.dll
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Section loaded: dpapi.dll
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mscoree.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: version.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptsp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rsaenh.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: cryptbase.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wbemcomn.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: amsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: userenv.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasapi32.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasman.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rtutils.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc6.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dhcpcsvc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: dnsapi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: rasadhlp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: fwpuclnt.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: vaultcli.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                  Source: rComprobante_swift_8676534657698632.exe Static PE information: Virtual size of .text is bigger than: 0x100000
                  Source: rComprobante_swift_8676534657698632.exe Static file information: File size 2288032 > 1048576
                  Source: rComprobante_swift_8676534657698632.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x226000
                  Source: rComprobante_swift_8676534657698632.exe Static PE information: real checksum: 0x2391f8 should be: 0x2355be
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Code function: 0_2_0330CDB4 push D4006C00h; iretd 0_2_0330CE05
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Code function: 0_2_023413BD push esp; iretd 0_2_023413C6
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Code function: 0_2_02344919 push ds; retf 0_2_0234491A
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Code function: 0_2_02343974 pushad ; iretd 0_2_02343975
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Code function: 0_2_02344199 push edx; iretd 0_2_0234419A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00446417 push ss; retn 0008h 3_2_0044641F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00443ACD push ds; retf 3_2_00443ACE
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_0044334D push edx; iretd 3_2_0044334E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00442B28 pushad ; iretd 3_2_00442B29
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Source: rComprobante_swift_8676534657698632.exe, 00000000.00000002.1447543594.0000000002392000.00000040.10000000.00040000.00000000.sdmp, rComprobante_swift_8676534657698632.exe, 00000000.00000003.1443481161.0000000000591000.00000004.00000020.00020000.00000000.sdmp, rComprobante_swift_8676534657698632.exe, 00000000.00000003.1425791083.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp, rComprobante_swift_8676534657698632.exe, 00000000.00000003.1425893879.0000000000591000.00000004.00000020.00020000.00000000.sdmp, rComprobante_swift_8676534657698632.exe, 00000000.00000003.1444309075.0000000000598000.00000004.00000020.00020000.00000000.sdmp, rComprobante_swift_8676534657698632.exe, 00000000.00000003.1425648572.0000000000572000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3814858618.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3816191029.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3816191029.0000000003163000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 14B0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 3080000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: 2E90000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 391
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 410
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7940 Thread sleep count: 391 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7940 Thread sleep time: -391000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7940 Thread sleep count: 410 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7940 Thread sleep time: -410000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Last function: Thread delayed
                  Source: RegAsm.exe, 00000003.00000002.3816191029.0000000003163000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware
                  Source: RegAsm.exe, 00000003.00000002.3816191029.0000000003163000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
                  Source: RegAsm.exe, 00000003.00000002.3814858618.0000000000402000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: VMwareVBox
                  Source: RegAsm.exe, 00000003.00000002.3817367988.0000000006387000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation

                  Anti Debugging

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_014B7068 CheckRemoteDebuggerPresent, 3_2_014B7068
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Code function: 0_2_034F5AB1 mov eax, dword ptr fs:[00000030h] 0_2_034F5AB1
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Code function: 0_2_02342833 mov eax, dword ptr fs:[00000030h] 0_2_02342833
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Code function: 0_2_02342E04 mov eax, dword ptr fs:[00000030h] 0_2_02342E04
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Code function: 0_2_02346B34 mov eax, dword ptr fs:[00000030h] 0_2_02346B34
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Code function: 0_2_02346F14 mov eax, dword ptr fs:[00000030h] 0_2_02346F14
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Code function: 0_2_02346D53 mov eax, dword ptr fs:[00000030h] 0_2_02346D53
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Code function: 0_2_023469B2 mov eax, dword ptr fs:[00000030h] 0_2_023469B2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_004460C8 mov eax, dword ptr fs:[00000030h] 3_2_004460C8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00445CE8 mov eax, dword ptr fs:[00000030h] 3_2_00445CE8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00445D96 mov eax, dword ptr fs:[00000030h] 3_2_00445D96
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00445A82 mov eax, dword ptr fs:[00000030h] 3_2_00445A82
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00445B66 mov eax, dword ptr fs:[00000030h] 3_2_00445B66
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 3_2_00445F07 mov eax, dword ptr fs:[00000030h] 3_2_00445F07
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 72F008
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D6A008
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match File source: 0.3.rComprobante_swift_8676534657698632.exe.597b74.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.2.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.rComprobante_swift_8676534657698632.exe.2390000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.3.rComprobante_swift_8676534657698632.exe.597b74.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000000.00000002.1447543594.0000000002392000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000003.00000002.3814858618.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000003.1425791083.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000003.1443481161.0000000000591000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000003.1425893879.0000000000591000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000003.1444309075.0000000000598000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000003.1425648572.0000000000572000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: rComprobante_swift_8676534657698632.exe PID: 7784, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 7932, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                  Source: Yara match, File source: 0.3.rComprobante_swift_8676534657698632.exe.597b74.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.2.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.1.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.rComprobante_swift_8676534657698632.exe.2390000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.3.rComprobante_swift_8676534657698632.exe.597b74.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 00000000.00000002.1447543594.0000000002392000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000003.00000002.3814858618.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000003.1425791083.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000003.1443481161.0000000000591000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000003.1425893879.0000000000591000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000003.1444309075.0000000000598000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000003.00000002.3816191029.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000003.1425648572.0000000000572000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: rComprobante_swift_8676534657698632.exe PID: 7784, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 7932, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match, File source: 0.3.rComprobante_swift_8676534657698632.exe.597b74.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.2.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.1.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 3.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.3.rComprobante_swift_8676534657698632.exe.597b70.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.2.rComprobante_swift_8676534657698632.exe.2390000.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 0.3.rComprobante_swift_8676534657698632.exe.597b74.0.unpack, type: UNPACKEDPE
                  Source: Yara match, File source: 00000000.00000002.1447543594.0000000002392000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000003.00000002.3814858618.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000003.1425791083.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000003.1443481161.0000000000591000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000003.1425893879.0000000000591000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000003.1444309075.0000000000598000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: 00000000.00000003.1425648572.0000000000572000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match, File source: Process Memory Space: rComprobante_swift_8676534657698632.exe PID: 7784, type: MEMORYSTR
                  Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 7932, type: MEMORYSTR

                  Mitre Att&ck Matrix (one line per tactic, techniques in the matrix's row order; digits in front of a technique are the report's signature counters for that cell)

                  Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
                  Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                  Execution: 231 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
                  Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                  Privilege Escalation: 211 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
                  Defense Evasion: 1 Masquerading; 25 Virtualization/Sandbox Evasion; 1 Disable or Modify Tools; 211 Process Injection; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Compile After Delivery
                  Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                  Discovery: 531 Security Software Discovery; 25 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 Application Window Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 34 System Information Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                  Collection: 1 Email Collection; 1 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                  Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 2 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                  Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
                                 Source | Detection | Scanner | Label
                                 rComprobante_swift_8676534657698632.exe | 47% | ReversingLabs | Win32.Trojan.MintZard
                                 rComprobante_swift_8676534657698632.exe | 100% | Avira | TR/Dropper.Gen
                                 rComprobante_swift_8676534657698632.exe | 100% | Joe Sandbox ML |
                  No Antivirus matches
                                 Name | IP | Active | Malicious | Antivirus Detection | Reputation
                                 s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
                                 ip-api.com | 208.95.112.1 | true | false | | high

                                 Name | Malicious | Antivirus Detection | Reputation
                                 http://ip-api.com/line/?fields=hosting | false | | high

                                 Name | Source | Malicious | Antivirus Detection | Reputation
                                 https://account.dyn.com/ | rComprobante_swift_8676534657698632.exe, 00000000.00000002.1447543594.0000000002392000.00000040.10000000.00040000.00000000.sdmp, rComprobante_swift_8676534657698632.exe, 00000000.00000003.1443481161.0000000000591000.00000004.00000020.00020000.00000000.sdmp, rComprobante_swift_8676534657698632.exe, 00000000.00000003.1425791083.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp, rComprobante_swift_8676534657698632.exe, 00000000.00000003.1425893879.0000000000591000.00000004.00000020.00020000.00000000.sdmp, rComprobante_swift_8676534657698632.exe, 00000000.00000003.1444309075.0000000000598000.00000004.00000020.00020000.00000000.sdmp, rComprobante_swift_8676534657698632.exe, 00000000.00000003.1425648572.0000000000572000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3814858618.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high
                                 https://github.com/mullvad/mullvadvpn-app#readme0 | rComprobante_swift_8676534657698632.exe | false | | high
                                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000003.00000002.3816191029.0000000003081000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3816191029.0000000003148000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                 http://ip-api.com | RegAsm.exe, 00000003.00000002.3816191029.0000000003081000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3816191029.0000000003163000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3816191029.0000000003148000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                 IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                 208.95.112.1 | ip-api.com | United States | | 53334 | TUT-ASUS | false
                                Joe Sandbox version:42.0.0 Malachite
                                Analysis ID:1588215
                                Start date and time:2025-01-10 22:42:15 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 7m 26s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                 Number of new started processes analysed:9
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:rComprobante_swift_8676534657698632.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.evad.winEXE@5/1@1/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 81%
                                • Number of executed functions: 15
                                • Number of non-executed functions: 13
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                • Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                 • Not all processes were analyzed; the report is missing behavior information
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                • VT rate limit hit for: rComprobante_swift_8676534657698632.exe
                                 Time | Type | Description
                                 16:43:56 | API Interceptor | 772x Sleep call for process: RegAsm.exe modified
                                 Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                 208.95.112.1 | 28uMwHvbTD.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                                 208.95.112.1 | e4Iw3lwFJ5.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                                 208.95.112.1 | uOCavrYu1y.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                                 208.95.112.1 | XoRPyi5s1i.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                                 208.95.112.1 | NX8j2O83Wu.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                                 208.95.112.1 | 7569qiv4L2.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                                 208.95.112.1 | hCkkM0lH0P.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                                 208.95.112.1 | sDflTDPSLw.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                                 208.95.112.1 | 2HCwqwLg1G.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                                 208.95.112.1 | CdbVaYf8jC.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                                 Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                 s-part-0017.t-0009.t-msedge.net | 6ZoBPR3isG.exe | malicious | GuLoader, MassLogger RAT | 13.107.246.45
                                 s-part-0017.t-0009.t-msedge.net | iRmpdWgpoF.exe | malicious | Unknown | 13.107.246.45
                                 s-part-0017.t-0009.t-msedge.net | 7cYDC0HciP.exe | malicious | Unknown | 13.107.246.45
                                 s-part-0017.t-0009.t-msedge.net | http://@1800-web.com/new/auth/6XEcGVvsnjwXq8bbJloqbuPkeuHjc6rLcgYUe/bGVvbi5ncmF2ZXNAYXRvcy5uZXQ= | malicious | Unknown | 13.107.246.45
                                 s-part-0017.t-0009.t-msedge.net | 7cYDC0HciP.exe | malicious | Unknown | 13.107.246.45
                                 s-part-0017.t-0009.t-msedge.net | 28uMwHvbTD.exe | malicious | AgentTesla | 13.107.246.45
                                 s-part-0017.t-0009.t-msedge.net | https://services221.com/mm/ | malicious | HTMLPhisher | 13.107.246.45
                                 s-part-0017.t-0009.t-msedge.net | 8qQwTWK3jx.exe | malicious | Unknown | 13.107.246.45
                                 s-part-0017.t-0009.t-msedge.net | 1018617432866721695.js | malicious | Strela Downloader | 13.107.246.45
                                 s-part-0017.t-0009.t-msedge.net | https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f | malicious | HTMLPhisher | 13.107.246.45
                                 ip-api.com | 28uMwHvbTD.exe | malicious | AgentTesla | 208.95.112.1
                                 ip-api.com | e4Iw3lwFJ5.exe | malicious | AgentTesla | 208.95.112.1
                                 ip-api.com | uOCavrYu1y.exe | malicious | AgentTesla | 208.95.112.1
                                 ip-api.com | XoRPyi5s1i.exe | malicious | AgentTesla | 208.95.112.1
                                 ip-api.com | NX8j2O83Wu.exe | malicious | AgentTesla | 208.95.112.1
                                 ip-api.com | 7569qiv4L2.exe | malicious | AgentTesla | 208.95.112.1
                                 ip-api.com | hCkkM0lH0P.exe | malicious | AgentTesla | 208.95.112.1
                                 ip-api.com | sDflTDPSLw.exe | malicious | AgentTesla | 208.95.112.1
                                 ip-api.com | 2HCwqwLg1G.exe | malicious | AgentTesla | 208.95.112.1
                                 ip-api.com | CdbVaYf8jC.exe | malicious | AgentTesla | 208.95.112.1
                                 Match | Associated Sample Name / URL | Detection | Threat Name | Context
                                 TUT-ASUS | 28uMwHvbTD.exe | malicious | AgentTesla | 208.95.112.1
                                 TUT-ASUS | e4Iw3lwFJ5.exe | malicious | AgentTesla | 208.95.112.1
                                 TUT-ASUS | uOCavrYu1y.exe | malicious | AgentTesla | 208.95.112.1
                                 TUT-ASUS | XoRPyi5s1i.exe | malicious | AgentTesla | 208.95.112.1
                                 TUT-ASUS | NX8j2O83Wu.exe | malicious | AgentTesla | 208.95.112.1
                                 TUT-ASUS | 7569qiv4L2.exe | malicious | AgentTesla | 208.95.112.1
                                 TUT-ASUS | hCkkM0lH0P.exe | malicious | AgentTesla | 208.95.112.1
                                 TUT-ASUS | sDflTDPSLw.exe | malicious | AgentTesla | 208.95.112.1
                                 TUT-ASUS | 2HCwqwLg1G.exe | malicious | AgentTesla | 208.95.112.1
                                 TUT-ASUS | CdbVaYf8jC.exe | malicious | AgentTesla | 208.95.112.1
                                No context
                                Process:C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):45
                                Entropy (8bit):0.9111711733157262
                                Encrypted:false
                                SSDEEP:3:/lwltJ:Wz
                                MD5:3D7D230E8E9B4E8202935E38050E13E5
                                SHA1:DFABCB8DCBC48AB136F6F87A29BF4A7C9CCCCAAF
                                SHA-256:269E9F79960D5201DA265CEF43575B1EF31644174DA7A9AB23501AD3A0CACFC3
                                SHA-512:02BAF2F6CE0222EBFD4186641AC8F8BF8C54D0184A6C4C85F720171EEF8B1871ACCC9F3E522B80C8814428F52B007CE321312A76B4538D59E4A436D43011FF30
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:........................................user.
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.182083645953907
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.15%
                                • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:rComprobante_swift_8676534657698632.exe
                                File size:2'288'032 bytes
                                MD5:20536d622fb95bee3d87757e3efa74e0
                                SHA1:14e098d669f3f38235ad3152c0e5c45d20a827e0
                                SHA256:a3a54505cb30e3eda94163b884011c9547bdf83ffdb0cd83dbff798c5345948f
                                SHA512:3c3fae25813c46e8990c63af25b5d160e6db594d525bf3423e6e9f7985f5fc50853e6b122f2ddf185361d2a656ceb01a5475668ff838b68e87531eb2dbf6546a
                                SSDEEP:49152:D3ASbdYAm4zEbdYAm4zWbdYAm4z23Ag3AWbdYAm4zSbdYAm4zO3AnMWc:rA4drWdr0drkASA0dr4dr8An
                                TLSH:16B5BF0722208FAFED4ADF39B7B680E443153C5903155A42329F7720EB739BE5D29A5B
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................Rich............PE..L...Ee.g.................`"..P......4........p"...0........
                                Icon Hash:a3a3939a92b3929a
                                Entrypoint:0x3301234
                                Entrypoint Section:.text
                                Digitally signed:true
                                Imagebase:0x3300000
                                Subsystem:windows gui
                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                DLL Characteristics:
                                Time Stamp:0x67816545 [Fri Jan 10 18:21:57 2025 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:42a4e0f64241075ea237a4cf00d0db9f
                                Signature Valid:false
                                Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                Signature Validation Error:The digital signature of the object did not verify
                                Error Number:-2146869232
                                 Not Before:14/03/2024 00:00:00
                                 Not After:06/02/2027 23:59:59
                                 Subject Chain
                                 • CN=Mullvad VPN AB, O=Mullvad VPN AB, L=Göteborg, C=SE, SERIALNUMBER=559238-4001, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=SE
                                Version:3
                                Thumbprint MD5:7068F855B513C1F69538E13DF0A7870D
                                Thumbprint SHA-1:1F5E906F4E2DBE2A3C3226A6B0638E9327F76135
                                Thumbprint SHA-256:4136B97CF51C1779F94FF626978743FF874E0EABB3AFB5CB00CB9E6DBB5440E8
                                Serial:078050BBC100F2FFAF0FE03B15FE221A
                                Instruction
                                push 0330A54Ch
                                call 00007FC5E8CF2A65h
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                xor byte ptr [eax], al
                                add byte ptr [eax], al
                                inc eax
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add dh, al
                                push ebx
                                jns 00007FC5E8CF2A95h
                                mov ecx, B04DD8DFh
                                mov byte ptr [edx], ah
                                sbb dword ptr [edx-17h], edx
                                and byte ptr [ebx], dh
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add byte ptr [eax], al
                                add dword ptr [eax], eax
                                add byte ptr [eax], al
                                sub eax, 30303043h
                                sub eax, 61726543h
                                pop edi
                                push esi
                                popad
                                jno 00007FC5E8CF2AD7h
                                Name | Virtual Address | Virtual Size | Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x227408 | 0x3c | .rdata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22d000 | 0x2894 | .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x22c000 | 0x29a0 | -
                                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_IAT | 0x227000 | 0x180 | .rdata
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                .text | 0x1000 | 0x225ea4 | 0x226000 | f0a7f769c323634d304a5a657a10ddd7 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                .rdata | 0x227000 | 0xb30 | 0x1000 | db4ef7e936fa79e64657be5f6530c920 | False | 0.2724609375 | data | 3.8506445784099332 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                .data | 0x228000 | 0x4bac | 0x1000 | 620f0b67a91f7f74151bc5be745b7110 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .rsrc | 0x22d000 | 0x2894 | 0x3000 | cf4509ef44e700a268c235d9994746cf | False | 0.19539388020833334 | data | 4.245983192689374 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                RT_ICON | 0x22d0e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | - | - | 0.21047717842323652
                                RT_GROUP_ICON | 0x22f690 | 0x14 | data | - | - | 1.15
                                RT_VERSION | 0x22f6a4 | 0x1f0 | MS Windows COFF PowerPC object file | German | Germany | 0.49798387096774194
                                DLL | Import
                                KERNEL32.DLL | GetProcAddress, GetModuleHandleW
                                MSVBVM60.DLL | __vbaVarSub, _CIcos, _adj_fptan, __vbaVarMove, __vbaVarVargNofree, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaNextEachVar, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaBoolErrVar, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenVar, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaRefVarAry, __vbaBoolVarNull, _CIsin, __vbaVargVarMove, __vbaVarZero, __vbaVarCmpGt, __vbaChkstk, EVENT_SINK_AddRef, __vbaVarTstEq, DllFunctionCall, __vbaVarOr, __vbaRedimPreserve, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaNew, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaStrVarVal, __vbaUbound, __vbaVarCat, _CIlog, __vbaVar2Vec, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaAryLock, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaVarCopy, __vbaVarLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, __vbaStrVarCopy, __vbaForEachVar, _allmul, _CItan, __vbaAryUnlock, _CIexp, __vbaFreeObj, __vbaFreeStr
                                Language of compilation system | Country where language is spoken | Map
                                German | Germany | -
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Jan 10, 2025 22:43:17.388911963 CET | 49782 | 80 | 192.168.2.9 | 208.95.112.1
                                Jan 10, 2025 22:43:17.393784046 CET | 80 | 49782 | 208.95.112.1 | 192.168.2.9
                                Jan 10, 2025 22:43:17.393872023 CET | 49782 | 80 | 192.168.2.9 | 208.95.112.1
                                Jan 10, 2025 22:43:17.394695997 CET | 49782 | 80 | 192.168.2.9 | 208.95.112.1
                                Jan 10, 2025 22:43:17.399478912 CET | 80 | 49782 | 208.95.112.1 | 192.168.2.9
                                Jan 10, 2025 22:43:17.862212896 CET | 80 | 49782 | 208.95.112.1 | 192.168.2.9
                                Jan 10, 2025 22:43:17.907365084 CET | 49782 | 80 | 192.168.2.9 | 208.95.112.1
                                Jan 10, 2025 22:44:30.452542067 CET | 80 | 49782 | 208.95.112.1 | 192.168.2.9
                                Jan 10, 2025 22:44:30.452717066 CET | 49782 | 80 | 192.168.2.9 | 208.95.112.1
                                Jan 10, 2025 22:44:57.878417015 CET | 49782 | 80 | 192.168.2.9 | 208.95.112.1
                                Jan 10, 2025 22:44:57.883426905 CET | 80 | 49782 | 208.95.112.1 | 192.168.2.9
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Jan 10, 2025 22:43:17.373812914 CET | 59941 | 53 | 192.168.2.9 | 1.1.1.1
                                Jan 10, 2025 22:43:17.381058931 CET | 53 | 59941 | 1.1.1.1 | 192.168.2.9
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                Jan 10, 2025 22:43:17.373812914 CET | 192.168.2.9 | 1.1.1.1 | 0x54bb | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                Jan 10, 2025 22:43:03.387883902 CET | 1.1.1.1 | 192.168.2.9 | 0x5581 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
                                Jan 10, 2025 22:43:03.387883902 CET | 1.1.1.1 | 192.168.2.9 | 0x5581 | No error (0) | s-part-0017.t-0009.t-msedge.net | - | 13.107.246.45 | A (IP address) | IN (0x0001) | false
                                Jan 10, 2025 22:43:17.381058931 CET | 1.1.1.1 | 192.168.2.9 | 0x54bb | No error (0) | ip-api.com | - | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                • ip-api.com
                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                0 | 192.168.2.9 | 49782 | 208.95.112.1 | 80 | 7932 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Jan 10, 2025 22:43:17.394695997 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                Host: ip-api.com
                                Connection: Keep-Alive
                                Jan 10, 2025 22:43:17.862212896 CET | 175 | IN | HTTP/1.1 200 OK
                                Date: Fri, 10 Jan 2025 21:43:16 GMT
                                Content-Type: text/plain; charset=utf-8
                                Content-Length: 6
                                Access-Control-Allow-Origin: *
                                X-Ttl: 60
                                X-Rl: 44
                                Data Raw: 66 61 6c 73 65 0a
                                Data Ascii: false



                                Target ID: 0
                                Start time: 16:43:06
                                Start date: 10/01/2025
                                Path: C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe
                                Wow64 process (32bit): true
                                Commandline: "C:\Users\user\Desktop\rComprobante_swift_8676534657698632.exe"
                                Imagebase: 0x3300000
                                File size: 2'288'032 bytes
                                MD5 hash: 20536D622FB95BEE3D87757E3EFA74E0
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1447543594.0000000002392000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1447543594.0000000002392000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1425791083.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1425791083.0000000002CB1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1443481161.0000000000591000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1443481161.0000000000591000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1425893879.0000000000591000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1425893879.0000000000591000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.1447981911.000000000330D000.00000040.00000001.01000000.00000003.sdmp, Author: Florian Roth
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1444309075.0000000000598000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1444309075.0000000000598000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1425648572.0000000000572000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1425648572.0000000000572000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                Reputation: low
                                Has exited: true

                                Target ID: 2
                                Start time: 16:43:16
                                Start date: 10/01/2025
                                Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                Wow64 process (32bit): false
                                Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                                Imagebase: 0x420000
                                File size: 65'440 bytes
                                MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: high
                                Has exited: true

                                Target ID: 3
                                Start time: 16:43:16
                                Start date: 10/01/2025
                                Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                Wow64 process (32bit): true
                                Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                                Imagebase: 0xb90000
                                File size: 65'440 bytes
                                MD5 hash: 0D5DF43AF2916F47D00C1573797C1A13
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3814858618.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.3814858618.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3816191029.00000000030B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation: high
                                Has exited: false


                                  Execution Graph

                                  Execution Coverage: 18.6%
                                  Dynamic/Decrypted Code Coverage: 25.7%
                                  Signature Coverage: 30.7%
                                  Total number of Nodes: 202
                                  Total number of Limit Nodes: 13
                                  (rendered execution graph omitted)

                                  Control-flow Graph (rendered graph omitted; nodes marked executed / not executed)

                                  APIs
                                  • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 02342A1F
                                  • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02342A4C
                                  • CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 02342BF7
                                  • NtGetContextThread.NTDLL(?,?), ref: 02342C16
                                  • NtReadVirtualMemory.NTDLL(?,?,?,000001D8,?), ref: 02342C3C
                                  • NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 02342C66
                                  • NtUnmapViewOfSection.NTDLL(?,?), ref: 02342C81
                                  • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02342C9A
                                  • NtSetContextThread.NTDLL(?,00010003), ref: 02342CCB
                                  • NtResumeThread.NTDLL(?,00000000), ref: 02342CD8
                                  • NtTerminateProcess.NTDLL(?,00000000), ref: 02342CED
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1447508270.0000000002340000.00000040.00001000.00020000.00000000.sdmp, Offset: 02340000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2340000_rComprobante_swift_8676534657698632.jbxd
                                  Similarity
                                  • API ID: Section$ThreadView$ContextCreateMemoryProcessVirtual$ReadResumeTerminateUnmapWrite
                                  • String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
                                  • API String ID: 1528524012-1087957892
                                  • Opcode ID: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
                                  • Instruction ID: fcf01b34cec57881871995cbef10ddeb275c37f0697122ee50f5a850c5d6c194
                                  • Opcode Fuzzy Hash: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
                                  • Instruction Fuzzy Hash: 19E10971D00259AFDF21DFA4CC84AAEBBB9AF04304F1445AAF924B7255DB30AA81CF54

                                  Control-flow Graph (rendered graph omitted; nodes marked executed / not executed)

                                  APIs
                                  • NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 02342A1F
                                  • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 02342A4C
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1447508270.0000000002340000.00000040.00001000.00020000.00000000.sdmp, Offset: 02340000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2340000_rComprobante_swift_8676534657698632.jbxd
                                  Similarity
                                  • API ID: Section$CreateView
                                  • String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
                                  • API String ID: 1585966358-1087957892
                                  • Opcode ID: 4dcec2b0e1db16c083379480d1836d25b9ead08addc150d6c8de811aae3ccab3
                                  • Instruction ID: ae0d970cd0c7427fdf491802d6ad2f963dd5cad8ec468d7c75b276269d720027
                                  • Opcode Fuzzy Hash: 4dcec2b0e1db16c083379480d1836d25b9ead08addc150d6c8de811aae3ccab3
                                  • Instruction Fuzzy Hash: 5DE10A71D00259AFDF21DFA4CC84AAEBBB9EF04304F1441AAF924B7255DB34AA81CF54

                                  Control-flow Graph (rendered graph omitted; nodes marked executed / not executed)

                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(000000FF,00000100,00000000,00000100,00003000,00000040,?,NtQueryInformationProcess,034F425F,?,NtQueryInformationProcess,034F4279,?,NtQueryInformationProcess,034F4248,NtQueryInformationProcess), ref: 034F5592
                                  • NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,00000040,00000000,?,NtQueryInformationProcess,034F425F,?,NtQueryInformationProcess,034F4279,?,NtQueryInformationProcess,034F4248,NtQueryInformationProcess,034F42EA), ref: 034F55BD
                                  • NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,00000000,00000000,?,NtQueryInformationProcess,034F425F,?,NtQueryInformationProcess,034F4279,?,NtQueryInformationProcess,034F4248,NtQueryInformationProcess,034F42EA), ref: 034F56B9
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1448015159.0000000003316000.00000020.00000001.01000000.00000003.sdmp, Offset: 03300000, based on PE: true
                                  • Associated: 00000000.00000002.1447865298.0000000003300000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1447929974.0000000003301000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1447981911.000000000330D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448015159.000000000330F000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448217749.0000000003527000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.0000000003528000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.000000000352C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448335122.000000000352D000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3300000_rComprobante_swift_8676534657698632.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MemoryVirtual$Protect$Allocate
                                  • String ID: NtQueryInformationProcess
                                  • API String ID: 955180148-2781105232
                                  • Opcode ID: ce8dcef05d45b1987f15fc4a442844644866270ffd3166982d2aec66448789c2
                                  • Instruction ID: 04689f7ce9df7f477013c7f070b1c08f604c85aab158795030538cf1733fa4b2
                                  • Opcode Fuzzy Hash: ce8dcef05d45b1987f15fc4a442844644866270ffd3166982d2aec66448789c2
                                  • Instruction Fuzzy Hash: 3F51F471900309AFEB10DFA8CD40EAEFBB5FB96310F1C439BD2249E2A5D77095458B69

                                  Control-flow Graph
                                  control_flow_graph 274 3526470-35264cd call 330e144 NtSetInformationProcess
                                  APIs
                                  • NtSetInformationProcess.NTDLL ref: 035264B6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1448015159.0000000003316000.00000020.00000001.01000000.00000003.sdmp, Offset: 03300000, based on PE: true
                                  • Associated: 00000000.00000002.1447865298.0000000003300000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1447929974.0000000003301000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1447981911.000000000330D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448015159.000000000330F000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448217749.0000000003527000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.0000000003528000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.000000000352C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448335122.000000000352D000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3300000_rComprobante_swift_8676534657698632.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: InformationProcess
                                  • String ID: 0
                                  • API String ID: 1801817001-4108050209
                                  • Opcode ID: 7decf0f5c5dd8a91c403debec1a6f261e384134a3af2b8b22b91ec5588ed012e
                                  • Instruction ID: 09badcee9b4468286637df8d2f22a12e33b9ffb282c76f42bb2720ff8354f855
                                  • Opcode Fuzzy Hash: 7decf0f5c5dd8a91c403debec1a6f261e384134a3af2b8b22b91ec5588ed012e
                                  • Instruction Fuzzy Hash: 04E065B5940354BFD710EF98DE56F9DBEBCF709B11F500144F650666D1C3B8590886A2

                                  Control-flow Graph
                                  control_flow_graph 287 330ad20-330ad29 call 332b05e 289 330ad2a-330ad2c 287->289 290 330ad2e-330ad40 289->290 290->289 291 330ad42-330ad80 290->291 291->290 293 330ad82-3525ec9 call 330af09 call 3526500 291->293 299 3525ece-3525ef1 293->299
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1447929974.0000000003301000.00000020.00000001.01000000.00000003.sdmp, Offset: 03300000, based on PE: true
                                  • Associated: 00000000.00000002.1447865298.0000000003300000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1447981911.000000000330D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448015159.000000000330F000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448015159.0000000003316000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448217749.0000000003527000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.0000000003528000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.000000000352C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448335122.000000000352D000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3300000_rComprobante_swift_8676534657698632.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 3
                                  • API String ID: 0-1842515611
                                  • Opcode ID: 226c819a5e61023b28be3cc94101ac4d4e774da7ea6e70e2b8ae830f3c3ea4c8
                                  • Instruction ID: 4b9eea18498bb52532232fc411c6e24110116f353270ac7e5b0c7672fdccbf47
                                  • Opcode Fuzzy Hash: 226c819a5e61023b28be3cc94101ac4d4e774da7ea6e70e2b8ae830f3c3ea4c8
                                  • Instruction Fuzzy Hash: 7C41E22140E3D49FCB139B7888A4696BFB4AF07221B0945DBD8C0CF1A7C6296949D763

                                  Control-flow Graph
                                  control_flow_graph 0 351fdd0-3520159 __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove #644 GetModuleHandleW __vbaFreeStrList call 3523ca0 __vbaStrMove __vbaStrToAnsi GetProcAddress __vbaFreeStrList __vbaStrCat __vbaStrMove __vbaStrCat call 3523ca0 __vbaStrMove #644 GetModuleHandleW __vbaFreeStrList __vbaFreeVar __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrCat __vbaStrMove __vbaStrToAnsi GetProcAddress __vbaFreeStrList __vbaRedim __vbaNew __vbaObjSet __vbaCastObj __vbaObjSet __vbaObjSetAddref __vbaFreeObjList __vbaObjSetAddref #644 __vbaFreeObj #644 call 34f5bae call 34f5bbd 9 352015f-3520162 0->9 10 3520164-35201c3 __vbaAryLock #644 __vbaAryUnlock call 34f5bae 9->10 11 35201c5-3520349 __vbaObjSetAddref #644 __vbaFreeObj #644 call 34f5bcb __vbaAryLock #644 __vbaAryUnlock #644 call 34f5bae __vbaRedim #644 call 34f5bae #644 call 34f5bae __vbaAryLock __vbaStrCat __vbaStrMove __vbaI4Str VirtualProtect 9->11 10->9 22 3520362-35203a5 __vbaAryUnlock __vbaFreeStr #644 call 34f5bae call 34f5bbd 11->22 23 352034b-352035c __vbaHresultCheckObj 11->23 28 35203ab-35203ad 22->28 23->22 29 3520406-352050d #644 call 34f5bae #644 call 34f5bae #644 call 34f5bae #644 call 34f5bae #644 call 34f5bae VirtualProtect 28->29 30 35203af-3520404 __vbaAryLock #644 __vbaAryUnlock call 34f5bae 28->30 43 3520526-3520538 call 34f5bbd 29->43 44 352050f-3520520 __vbaHresultCheckObj 29->44 30->28 47 352053e-3520540 43->47 44->43 48 3520542-3520591 __vbaAryLock #644 __vbaAryUnlock call 34f5bae 47->48 49 3520593-352066b #644 call 34f5bae #644 call 34f5bae #644 call 34f5bae call 3520890 __vbaFreeVar __vbaAryDestruct 47->49 48->47
                                  APIs
                                  • __vbaStrCat.MSVBVM60(0330D9F8,0330D9F0,?,6D4360EF), ref: 0351FE5F
                                  • __vbaStrMove.MSVBVM60(?,6D4360EF), ref: 0351FE6C
                                  • __vbaStrCat.MSVBVM60(bvm,00000000,?,6D4360EF), ref: 0351FE74
                                  • __vbaStrMove.MSVBVM60(?,6D4360EF), ref: 0351FE7B
                                  • __vbaStrCat.MSVBVM60(0330DA10,00000000,?,6D4360EF), ref: 0351FE83
                                  • __vbaStrMove.MSVBVM60(?,6D4360EF), ref: 0351FE8A
                                  • #644.MSVBVM60(00000000,?,6D4360EF), ref: 0351FE8D
                                  • GetModuleHandleW.KERNEL32(00000000,?,6D4360EF), ref: 0351FE94
                                  • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,6D4360EF), ref: 0351FEAD
                                    • Part of subcall function 03523CA0: __vbaVarDup.MSVBVM60(6D34D8B1,6D33A323), ref: 03523CE3
                                    • Part of subcall function 03523CA0: #653.MSVBVM60(?,?), ref: 03523CF1
                                    • Part of subcall function 03523CA0: __vbaI4Var.MSVBVM60(?), ref: 03523CFB
                                    • Part of subcall function 03523CA0: __vbaFreeVar.MSVBVM60 ref: 03523D14
                                    • Part of subcall function 03523CA0: #632.MSVBVM60(?,?,?,?), ref: 03523D50
                                    • Part of subcall function 03523CA0: __vbaVarCat.MSVBVM60(?,?,00000008), ref: 03523D62
                                    • Part of subcall function 03523CA0: __vbaStrVarMove.MSVBVM60(00000000), ref: 03523D69
                                    • Part of subcall function 03523CA0: __vbaStrMove.MSVBVM60 ref: 03523D74
                                    • Part of subcall function 03523CA0: __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 03523D84
                                    • Part of subcall function 03523CA0: __vbaFreeVar.MSVBVM60(03523DC9), ref: 03523DC2
                                  • __vbaStrMove.MSVBVM60(?,6D4360EF), ref: 0351FEDA
                                  • __vbaStrToAnsi.MSVBVM60(?,00000000,?,6D4360EF), ref: 0351FEE1
                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0351FEEF
                                  • __vbaFreeStrList.MSVBVM60(00000002,?,?,?,6D4360EF), ref: 0351FF04
                                  • __vbaStrCat.MSVBVM60(0330DA6C,0330DA60), ref: 0351FF17
                                  • __vbaStrMove.MSVBVM60 ref: 0351FF1E
                                  • __vbaStrCat.MSVBVM60(0330DA80,00000000), ref: 0351FF26
                                  • __vbaStrMove.MSVBVM60 ref: 0351FF53
                                  • #644.MSVBVM60(00000000), ref: 0351FF56
                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0351FF5D
                                  • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0351FF72
                                  • __vbaFreeVar.MSVBVM60 ref: 0351FF7E
                                  • __vbaStrCat.MSVBVM60(0330D8CC,0330DA98), ref: 0351FF8E
                                  • __vbaStrMove.MSVBVM60 ref: 0351FF95
                                  • __vbaStrCat.MSVBVM60(0330D8D4,00000000), ref: 0351FF9D
                                  • __vbaStrMove.MSVBVM60 ref: 0351FFA4
                                  • __vbaStrCat.MSVBVM60(0330DAA0,00000000), ref: 0351FFAC
                                  • __vbaStrMove.MSVBVM60 ref: 0351FFB3
                                  • __vbaStrCat.MSVBVM60(0330DAA8,00000000), ref: 0351FFBB
                                  • __vbaStrMove.MSVBVM60 ref: 0351FFC2
                                  • __vbaStrCat.MSVBVM60(0330DAB0,00000000), ref: 0351FFCA
                                  • __vbaStrMove.MSVBVM60 ref: 0351FFD1
                                  • __vbaStrCat.MSVBVM60(0330DAB8,00000000), ref: 0351FFD9
                                  • __vbaStrMove.MSVBVM60 ref: 0351FFE0
                                  • __vbaStrCat.MSVBVM60(0330DAC0,00000000), ref: 0351FFE8
                                  • __vbaStrMove.MSVBVM60 ref: 0351FFEF
                                  • __vbaStrCat.MSVBVM60(0330D8D4,00000000), ref: 0351FFF7
                                  • __vbaStrMove.MSVBVM60 ref: 0351FFFE
                                  • __vbaStrCat.MSVBVM60(0330DAC8,00000000), ref: 03520006
                                  • __vbaStrMove.MSVBVM60 ref: 0352000D
                                  • __vbaStrCat.MSVBVM60(0330DAA0,00000000), ref: 03520015
                                  • __vbaStrMove.MSVBVM60 ref: 0352001C
                                  • __vbaStrCat.MSVBVM60(0330DAD0,00000000), ref: 03520024
                                  • __vbaStrMove.MSVBVM60 ref: 0352002B
                                  • __vbaStrCat.MSVBVM60(0330DAD8,00000000), ref: 03520033
                                  • __vbaStrMove.MSVBVM60 ref: 0352003A
                                  • __vbaStrCat.MSVBVM60(0330DAA0,00000000), ref: 03520042
                                  • __vbaStrMove.MSVBVM60 ref: 03520049
                                  • __vbaStrToAnsi.MSVBVM60(?,00000000), ref: 03520050
                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 0352005E
                                  • __vbaFreeStrList.MSVBVM60(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 035200A3
                                  • __vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,0000000F,00000000), ref: 035200BB
                                  • __vbaNew.MSVBVM60(0330DAFC,0330DB0C), ref: 035200CE
                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 035200D9
                                  • __vbaCastObj.MSVBVM60(00000000), ref: 035200E0
                                  • __vbaObjSet.MSVBVM60(?,00000000), ref: 035200EB
                                  • __vbaObjSetAddref.MSVBVM60(035282D0,00000000), ref: 035200F9
                                  • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 03520109
                                  • __vbaObjSetAddref.MSVBVM60(?), ref: 0352011F
                                  • #644.MSVBVM60(00000000), ref: 03520126
                                  • __vbaFreeObj.MSVBVM60 ref: 03520132
                                  • #644.MSVBVM60(?), ref: 0352013C
                                  • __vbaAryLock.MSVBVM60(?,?,?,?,00000000), ref: 0352016C
                                  • #644.MSVBVM60(?), ref: 03520184
                                  • __vbaAryUnlock.MSVBVM60(?), ref: 03520194
                                  • __vbaObjSetAddref.MSVBVM60(?,?,?,?,00000000), ref: 035201D1
                                  • #644.MSVBVM60(00000000,?,?,?,00000000), ref: 035201D8
                                  • __vbaFreeObj.MSVBVM60(?,?,?,00000000), ref: 035201E4
                                  • #644.MSVBVM60(035282CC,?,?,?,00000000), ref: 035201F3
                                  • __vbaAryLock.MSVBVM60(?,?,00000000,?,00000004,?,?,?,00000000), ref: 03520213
                                  • #644.MSVBVM60(?,?,?,?,00000000), ref: 03520228
                                  • __vbaAryUnlock.MSVBVM60(?,?,?,?,00000000), ref: 03520238
                                  • #644.MSVBVM60(?,?,?,?,00000000), ref: 03520251
                                  • __vbaRedim.MSVBVM60(00000080,00000004,03528214,00000003,00000001,00000010,00000000,00000000,?,?,?,?,00000000), ref: 0352028D
                                  • #644.MSVBVM60(?), ref: 0352029A
                                  • #644.MSVBVM60(?,-0000000C,00000000), ref: 035202C0
                                  • __vbaAryLock.MSVBVM60(?,00000000,00000000,-0000000C), ref: 035202EC
                                  • __vbaStrCat.MSVBVM60(0330DB34,0330DB2C,?,00000040), ref: 03520322
                                  • __vbaStrMove.MSVBVM60 ref: 03520329
                                  • __vbaI4Str.MSVBVM60(00000000), ref: 0352032C
                                  • VirtualProtect.KERNELBASE(?,00000000), ref: 03520342
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,0330DB0C,0000002C,?,00000000), ref: 0352035C
                                  • __vbaAryUnlock.MSVBVM60(?,?,00000000), ref: 03520366
                                  • __vbaFreeStr.MSVBVM60(?,00000000), ref: 0352036F
                                  • #644.MSVBVM60(?,?,00000000), ref: 0352037F
                                  • __vbaAryLock.MSVBVM60(?,00000000,00000000,00000000,-0000000C,?,00000000), ref: 035203BA
                                  • #644.MSVBVM60(?,?,00000000), ref: 035203D1
                                  • __vbaAryUnlock.MSVBVM60(?,?,00000000), ref: 035203DD
                                  • #644.MSVBVM60(00000040,00000000,00000000,-0000000C,?,00000000), ref: 03520417
                                  • #644.MSVBVM60(0424448B,00000000,?,?,00000000), ref: 0352043D
                                  • #644.MSVBVM60(408B008B,00000000,?,?,00000000), ref: 03520463
                                  • #644.MSVBVM60(20C4832C,00000000,?,?,00000000), ref: 03520489
                                  • #644.MSVBVM60(E02474FF,00000000,?,?,00000000), ref: 035204AF
                                  • VirtualProtect.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000008,00000040,?,00000000,?,?,00000000), ref: 03520506
                                  • __vbaHresultCheckObj.MSVBVM60(00000000,?,0330DB0C,00000020,?,00000000), ref: 03520520
                                  • __vbaAryLock.MSVBVM60(?,00000000,00000000,?,00000000), ref: 0352054C
                                  • #644.MSVBVM60(?,?,00000000), ref: 03520563
                                  • __vbaAryUnlock.MSVBVM60(?,?,00000000), ref: 0352056F
                                  • #644.MSVBVM60(035282CC,00000000,?,00000000), ref: 0352059C
                                  • #644.MSVBVM60(00000000,00000000,?,?,00000000), ref: 035205B5
                                  • #644.MSVBVM60(-00000004,00000000,00000000,?,00000000), ref: 035205CD
                                  • __vbaFreeVar.MSVBVM60(?,-00000004,00000000,?,00000000), ref: 035205EB
                                  • __vbaAryDestruct.MSVBVM60(00000000,?,0352066C,?,00000000), ref: 03520665
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1448015159.0000000003316000.00000020.00000001.01000000.00000003.sdmp, Offset: 03300000, based on PE: true
                                  • Associated: 00000000.00000002.1447865298.0000000003300000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1447929974.0000000003301000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1447981911.000000000330D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448015159.000000000330F000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448217749.0000000003527000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.0000000003528000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.000000000352C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448335122.000000000352D000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3300000_rComprobante_swift_8676534657698632.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __vba$#644Move$Free$List$LockUnlock$Addref$AddressAnsiCheckHandleHresultModuleProcProtectRedimVirtual$#632#653CastDestruct
                                  • String ID: @$DqlqlqFquqnqcqtqiqoqnqCqaqlqlq$bvm
                                  • API String ID: 3776562771-683613472
                                  • Opcode ID: e8da74d92da21212c74a5cba93057ee069f14a17bff14947d894412d4d796105
                                  • Instruction ID: c0a02dd2f46431a476855a983573b02387267259084d3ff3c7a279c36d42c889
                                  • Opcode Fuzzy Hash: e8da74d92da21212c74a5cba93057ee069f14a17bff14947d894412d4d796105
                                  • Instruction Fuzzy Hash: 56425CB1E00218AFDB14EFA4DC98EAEBBB9FF59300F008159E505E7255DB74A909CF60

                                  Control-flow Graph

                                  APIs
                                  • __vbaFreeVar.MSVBVM60(?), ref: 03525F42
                                    • Part of subcall function 0351FDD0: __vbaStrCat.MSVBVM60(0330D9F8,0330D9F0,?,6D4360EF), ref: 0351FE5F
                                    • Part of subcall function 0351FDD0: __vbaStrMove.MSVBVM60(?,6D4360EF), ref: 0351FE6C
                                    • Part of subcall function 0351FDD0: __vbaStrCat.MSVBVM60(bvm,00000000,?,6D4360EF), ref: 0351FE74
                                    • Part of subcall function 0351FDD0: __vbaStrMove.MSVBVM60(?,6D4360EF), ref: 0351FE7B
                                    • Part of subcall function 0351FDD0: __vbaStrCat.MSVBVM60(0330DA10,00000000,?,6D4360EF), ref: 0351FE83
                                    • Part of subcall function 0351FDD0: __vbaStrMove.MSVBVM60(?,6D4360EF), ref: 0351FE8A
                                    • Part of subcall function 0351FDD0: #644.MSVBVM60(00000000,?,6D4360EF), ref: 0351FE8D
                                    • Part of subcall function 0351FDD0: GetModuleHandleW.KERNEL32(00000000,?,6D4360EF), ref: 0351FE94
                                    • Part of subcall function 0351FDD0: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,6D4360EF), ref: 0351FEAD
                                    • Part of subcall function 0351FDD0: __vbaStrMove.MSVBVM60(?,6D4360EF), ref: 0351FEDA
                                    • Part of subcall function 0351FDD0: __vbaStrToAnsi.MSVBVM60(?,00000000,?,6D4360EF), ref: 0351FEE1
                                    • Part of subcall function 0351FDD0: GetProcAddress.KERNEL32(00000000,00000000), ref: 0351FEEF
                                    • Part of subcall function 0351FDD0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,6D4360EF), ref: 0351FF04
                                    • Part of subcall function 03526470: NtSetInformationProcess.NTDLL ref: 035264B6
                                  • __vbaFreeVar.MSVBVM60(00000000), ref: 03525F55
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1447929974.0000000003301000.00000020.00000001.01000000.00000003.sdmp, Offset: 03300000, based on PE: true
                                  • Associated: 00000000.00000002.1447865298.0000000003300000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1447981911.000000000330D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448015159.000000000330F000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448015159.0000000003316000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448217749.0000000003527000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.0000000003528000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.000000000352C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448335122.000000000352D000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3300000_rComprobante_swift_8676534657698632.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __vba$FreeMove$List$#644AddressAnsiHandleInformationModuleProcProcess
                                  • String ID:
                                  • API String ID: 20434910-0
                                  • Opcode ID: a1bc81fd24118be09aab7d5a2c792a342b2d7eb741f3cd5ba201bc47b6a8a7cf
                                  • Instruction ID: 9780ddf73eb3c2801864dbe3970bbbe9aad2c37fceaa7003c9d9fd7bf3063484
                                  • Opcode Fuzzy Hash: a1bc81fd24118be09aab7d5a2c792a342b2d7eb741f3cd5ba201bc47b6a8a7cf
                                  • Instruction Fuzzy Hash: B6F090B5800369ABCB10EB54DD44FEEBFBCFF1A604F400529E401331A1D7786508CAA2
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1447929974.0000000003301000.00000020.00000001.01000000.00000003.sdmp, Offset: 03300000, based on PE: true
                                  • Associated: 00000000.00000002.1447865298.0000000003300000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1447981911.000000000330D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448015159.000000000330F000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448015159.0000000003316000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448217749.0000000003527000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.0000000003528000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.000000000352C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448335122.000000000352D000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3300000_rComprobante_swift_8676534657698632.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: O
                                  • API String ID: 0-878818188
                                  • Opcode ID: 74258033e8a183199ed36185c78ee90c3733ec6bac4e975a332e6a4bbb651a57
                                  • Instruction ID: ecc79c33ba3220b4c76a1fdd72cfe74bda7f885b4e44c28dc9e8b93efd784bb7
                                  • Opcode Fuzzy Hash: 74258033e8a183199ed36185c78ee90c3733ec6bac4e975a332e6a4bbb651a57
                                  • Instruction Fuzzy Hash: 0051157140D3C49FC7439BBCC8A16857FF1AF4B604F1D09DAC8808F267D26A6A29D762
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1447929974.0000000003301000.00000020.00000001.01000000.00000003.sdmp, Offset: 03300000, based on PE: true
                                  • Associated: 00000000.00000002.1447865298.0000000003300000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1447981911.000000000330D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448015159.000000000330F000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448015159.0000000003316000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448217749.0000000003527000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.0000000003528000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.000000000352C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448335122.000000000352D000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3300000_rComprobante_swift_8676534657698632.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 40beaa0d61c742e122708c9729987af27e2028e9912ce3712d0780976d97452b
                                  • Instruction ID: e2610b15a6ff14017d145690ef297a4df1504bf0ea0b2eec2eed46961166760a
                                  • Opcode Fuzzy Hash: 40beaa0d61c742e122708c9729987af27e2028e9912ce3712d0780976d97452b
                                  • Instruction Fuzzy Hash: 0BA1772544F3E18FDB239B7898A56927FB09D0B26430E04D7C4C0CF5ABD268695EDB63
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1447929974.0000000003301000.00000020.00000001.01000000.00000003.sdmp, Offset: 03300000, based on PE: true
                                  • Associated: 00000000.00000002.1447865298.0000000003300000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1447981911.000000000330D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448015159.000000000330F000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448015159.0000000003316000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448217749.0000000003527000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.0000000003528000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.000000000352C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448335122.000000000352D000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3300000_rComprobante_swift_8676534657698632.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9cf5128a16a8b891a422e25e755027ae182493ba4c77a0eb248f7fb36e6bbcba
                                  • Instruction ID: e9013baad6021b219cb08b48cfe7bc7d8e5ef7c294e3d9226c40defbe933ed34
                                  • Opcode Fuzzy Hash: 9cf5128a16a8b891a422e25e755027ae182493ba4c77a0eb248f7fb36e6bbcba
                                  • Instruction Fuzzy Hash: 6A4122A688E3D15FC7138B7888A56813FB0AE1322174E01DBC4C1CF1A7E65C5A1AD763
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1448015159.0000000003316000.00000020.00000001.01000000.00000003.sdmp, Offset: 03300000, based on PE: true
                                  • Associated: 00000000.00000002.1447865298.0000000003300000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1447929974.0000000003301000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1447981911.000000000330D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448015159.000000000330F000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448217749.0000000003527000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.0000000003528000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.000000000352C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448335122.000000000352D000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3300000_rComprobante_swift_8676534657698632.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ef41f23567e4e7422021a95af9bb6b13c8200b2295415d293bf1cf4d9d63b1a6
                                  • Instruction ID: 8f2368b0acc0bdd1b2c87837e4dd2b277c983ef24930978b7ea24e5cf0921c91
                                  • Opcode Fuzzy Hash: ef41f23567e4e7422021a95af9bb6b13c8200b2295415d293bf1cf4d9d63b1a6
                                  • Instruction Fuzzy Hash: 8901A432E101068FC770EF08C0809A7F7E6FB62760B8E01E3E6154FB18E265E9A0C759
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1447508270.0000000002340000.00000040.00001000.00020000.00000000.sdmp, Offset: 02340000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2340000_rComprobante_swift_8676534657698632.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0b399b04e11d1ff954b26d47aa0a54e719ae22316263aa56bc50ae1b8ddb9bc6
                                  • Instruction ID: 9e812a62117fc16a281207be883231ddf6cfe49dfd2128d4831d87bbdf71b626
                                  • Opcode Fuzzy Hash: 0b399b04e11d1ff954b26d47aa0a54e719ae22316263aa56bc50ae1b8ddb9bc6
                                  • Instruction Fuzzy Hash: 8BF06D322105109BC720DF59D440E6BF3F8EB80A7575588A6FD99EBA01CB30FC91CB90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1447508270.0000000002340000.00000040.00001000.00020000.00000000.sdmp, Offset: 02340000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2340000_rComprobante_swift_8676534657698632.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ca152b39143350b32d0dfc5ccac2600ca71a28d0571d4ec743c01fdc4bae2c88
                                  • Instruction ID: c41c3f28da5a80341333f7d56f9901947ea6a6b16f91cda690fac5313820466a
                                  • Opcode Fuzzy Hash: ca152b39143350b32d0dfc5ccac2600ca71a28d0571d4ec743c01fdc4bae2c88
                                  • Instruction Fuzzy Hash: 01B09230116640CFC2818B05C080A1033B8B700600F4101E0E0058B962C634A840C900
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1447508270.0000000002340000.00000040.00001000.00020000.00000000.sdmp, Offset: 02340000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2340000_rComprobante_swift_8676534657698632.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 045d45c9be93118eea444c7e703f25290ea548a7cbd604abc163b5c2088040b7
                                  • Instruction ID: 33f0a6dd70835e18cc5cb9ed850c3827c5c29d27deb102a8ca9f0599ddde6adf
                                  • Opcode Fuzzy Hash: 045d45c9be93118eea444c7e703f25290ea548a7cbd604abc163b5c2088040b7
                                  • Instruction Fuzzy Hash: AFB00135266980CFC296CB0AC594FA173B8FB05B41F4654F0E4458BA62C339A900CA40
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1447508270.0000000002340000.00000040.00001000.00020000.00000000.sdmp, Offset: 02340000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2340000_rComprobante_swift_8676534657698632.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1ccf2c1976f0ac5738f186c1fe9c762127c7477219e43b88e75d9a5c6058175a
                                  • Instruction ID: aa47abe0a2c4c0a56dc7effaf07fc95bdba0bc758bfd186c44dc4f77c1e74be3
                                  • Opcode Fuzzy Hash: 1ccf2c1976f0ac5738f186c1fe9c762127c7477219e43b88e75d9a5c6058175a
                                  • Instruction Fuzzy Hash: 25B00135666980CFC296CB0AD294F5073B9FB54A41F4614F1E4059BA62C739AD10CA00
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1447508270.0000000002340000.00000040.00001000.00020000.00000000.sdmp, Offset: 02340000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_2340000_rComprobante_swift_8676534657698632.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4a8ca89fc25d6d8f455f7c4660aa67249a3fe6b9eb128e5975a13b9b01ed0134
                                  • Instruction ID: a395fe3399b75959f9478b5c0dc081751a3ccd416c90b9f138324038c1c77edd
                                  • Opcode Fuzzy Hash: 4a8ca89fc25d6d8f455f7c4660aa67249a3fe6b9eb128e5975a13b9b01ed0134
                                  • Instruction Fuzzy Hash: 56B001356AAA86CFC296CB0AC294F6073B8FB04B41F4654F0E4098BA62C338A900CE00

                                  Control-flow Graph

                                  APIs
                                  • __vbaStrCat.MSVBVM60(@o@s@o@f,M@i@c@r), ref: 035243ED
                                  • __vbaStrMove.MSVBVM60 ref: 035243FA
                                  • __vbaStrCat.MSVBVM60(@t@ @E@n@h@a@n,00000000), ref: 03524402
                                  • __vbaStrMove.MSVBVM60 ref: 03524409
                                  • __vbaStrCat.MSVBVM60(@c@e@d@ @R@S@,00000000), ref: 03524411
                                  • __vbaStrMove.MSVBVM60 ref: 03524418
                                  • __vbaStrCat.MSVBVM60(A@ @a@n,00000000), ref: 03524420
                                  • __vbaStrMove.MSVBVM60 ref: 03524427
                                  • __vbaStrCat.MSVBVM60(@d@ @A@E@S@ ,00000000), ref: 0352442F
                                  • __vbaStrMove.MSVBVM60 ref: 03524436
                                  • __vbaStrCat.MSVBVM60(@C@r@y@,00000000), ref: 0352443E
                                  • __vbaStrMove.MSVBVM60 ref: 03524445
                                  • __vbaStrCat.MSVBVM60(p@t@o@g@r@a@,00000000), ref: 0352444D
                                  • __vbaStrMove.MSVBVM60 ref: 03524454
                                  • __vbaStrCat.MSVBVM60(p@h@i@c@ @P@r,00000000), ref: 0352445C
                                  • __vbaStrMove.MSVBVM60 ref: 03524463
                                  • __vbaStrCat.MSVBVM60(@o@v@i@d,00000000), ref: 0352446B
                                  • __vbaStrMove.MSVBVM60 ref: 03524472
                                  • __vbaStrCat.MSVBVM60(@e@r@,00000000), ref: 0352447A
                                    • Part of subcall function 03523CA0: __vbaVarDup.MSVBVM60(6D34D8B1,6D33A323), ref: 03523CE3
                                    • Part of subcall function 03523CA0: #653.MSVBVM60(?,?), ref: 03523CF1
                                    • Part of subcall function 03523CA0: __vbaI4Var.MSVBVM60(?), ref: 03523CFB
                                    • Part of subcall function 03523CA0: __vbaFreeVar.MSVBVM60 ref: 03523D14
                                    • Part of subcall function 03523CA0: #632.MSVBVM60(?,?,?,?), ref: 03523D50
                                    • Part of subcall function 03523CA0: __vbaVarCat.MSVBVM60(?,?,00000008), ref: 03523D62
                                    • Part of subcall function 03523CA0: __vbaStrVarMove.MSVBVM60(00000000), ref: 03523D69
                                    • Part of subcall function 03523CA0: __vbaStrMove.MSVBVM60 ref: 03523D74
                                    • Part of subcall function 03523CA0: __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 03523D84
                                    • Part of subcall function 03523CA0: __vbaFreeVar.MSVBVM60(03523DC9), ref: 03523DC2
                                  • __vbaStrMove.MSVBVM60 ref: 035244A7
                                  • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?), ref: 035244CF
                                  • __vbaFreeVar.MSVBVM60 ref: 035244DB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1447929974.0000000003301000.00000020.00000001.01000000.00000003.sdmp, Offset: 03300000, based on PE: true
                                  • Associated: 00000000.00000002.1447865298.0000000003300000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1447981911.000000000330D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448015159.000000000330F000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448015159.0000000003316000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448217749.0000000003527000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.0000000003528000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.000000000352C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448335122.000000000352D000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3300000_rComprobante_swift_8676534657698632.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __vba$Move$Free$List$#632#653
                                  • String ID: @C@r@y@$@c@e@d@ @R@S@$@d@ @A@E@S@ $@e@r@$@o@s@o@f$@o@v@i@d$@t@ @E@n@h@a@n$A@ @a@n$M@i@c@r$p@h@i@c@ @P@r$p@t@o@g@r@a@
                                  • API String ID: 193477259-3817434718
                                  • Opcode ID: d9bade0622a2086a5c194057c80fdbe1e9dceb3caa0840457f5c140ba16677ef
                                  • Instruction ID: a46decd1d4a06ba76702bca9832e1c3a0ebc9c0cf958a0ecc6916fabdfbac6b2
                                  • Opcode Fuzzy Hash: d9bade0622a2086a5c194057c80fdbe1e9dceb3caa0840457f5c140ba16677ef
                                  • Instruction Fuzzy Hash: 70515F71E10258AFCB05DFA8DC90DEEBFB8FF89600B14815BE451E7256DA705909CFA1

                                  Control-flow Graph

                                  APIs
                                  • __vbaStrCat.MSVBVM60(0330E798,0330E960), ref: 035245CD
                                  • __vbaStrMove.MSVBVM60 ref: 035245DA
                                  • __vbaStrCat.MSVBVM60(0330E608,00000000), ref: 035245E2
                                  • __vbaStrMove.MSVBVM60 ref: 035245E9
                                  • __vbaStrCat.MSVBVM60(0330E528,00000000), ref: 035245F1
                                  • __vbaStrMove.MSVBVM60 ref: 035245F8
                                  • __vbaStrCat.MSVBVM60(0330E708,00000000), ref: 03524600
                                  • __vbaStrMove.MSVBVM60 ref: 03524607
                                  • __vbaStrCat.MSVBVM60(0330EB0C,00000000), ref: 0352460F
                                  • __vbaStrMove.MSVBVM60 ref: 03524616
                                  • __vbaStrCat.MSVBVM60(0330EB38,00000000), ref: 0352461E
                                  • __vbaStrMove.MSVBVM60 ref: 03524625
                                  • __vbaStrCat.MSVBVM60(0330EB54,00000000), ref: 0352462D
                                  • __vbaStrMove.MSVBVM60 ref: 03524634
                                  • __vbaStrCat.MSVBVM60(0330EB80,00000000), ref: 0352463C
                                  • __vbaStrMove.MSVBVM60 ref: 03524643
                                  • __vbaStrCat.MSVBVM60(0330EBA4,00000000), ref: 0352464B
                                  • __vbaStrMove.MSVBVM60 ref: 03524652
                                  • __vbaStrCat.MSVBVM60(0330EBBC,00000000), ref: 0352465A
                                    • Part of subcall function 03523CA0: __vbaVarDup.MSVBVM60(6D34D8B1,6D33A323), ref: 03523CE3
                                    • Part of subcall function 03523CA0: #653.MSVBVM60(?,?), ref: 03523CF1
                                    • Part of subcall function 03523CA0: __vbaI4Var.MSVBVM60(?), ref: 03523CFB
                                    • Part of subcall function 03523CA0: __vbaFreeVar.MSVBVM60 ref: 03523D14
                                    • Part of subcall function 03523CA0: #632.MSVBVM60(?,?,?,?), ref: 03523D50
                                    • Part of subcall function 03523CA0: __vbaVarCat.MSVBVM60(?,?,00000008), ref: 03523D62
                                    • Part of subcall function 03523CA0: __vbaStrVarMove.MSVBVM60(00000000), ref: 03523D69
                                    • Part of subcall function 03523CA0: __vbaStrMove.MSVBVM60 ref: 03523D74
                                    • Part of subcall function 03523CA0: __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 03523D84
                                    • Part of subcall function 03523CA0: __vbaFreeVar.MSVBVM60(03523DC9), ref: 03523DC2
                                  • __vbaStrMove.MSVBVM60 ref: 03524687
                                  • __vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?), ref: 035246AF
                                  • __vbaFreeVar.MSVBVM60 ref: 035246BB
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1447929974.0000000003301000.00000020.00000001.01000000.00000003.sdmp, Offset: 03300000, based on PE: true
                                  • Associated: 00000000.00000002.1447865298.0000000003300000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1447981911.000000000330D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448015159.000000000330F000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448015159.0000000003316000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448217749.0000000003527000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.0000000003528000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.000000000352C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448335122.000000000352D000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3300000_rComprobante_swift_8676534657698632.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __vba$Move$Free$List$#632#653
                                  • String ID:
                                  • API String ID: 193477259-0
                                  • Opcode ID: fac09ee392adf0ec5b977f1cb58982077d0dcbdfff2f799683e2a55a53c15840
                                  • Instruction ID: 77160b9830361ce65e408eda96aa5ef3a08149419f4f3d023e7af71d62c2cb65
                                  • Opcode Fuzzy Hash: fac09ee392adf0ec5b977f1cb58982077d0dcbdfff2f799683e2a55a53c15840
                                  • Instruction Fuzzy Hash: 8541EDB1E10218AFDB14EFA9DC95DEEBFB8EF88600F10851BF412A3255DA705905CFA1

                                  Control-flow Graph

                                  APIs
                                  • __vbaVarDup.MSVBVM60(6D34D8B1,6D33A323), ref: 03523CE3
                                  • #653.MSVBVM60(?,?), ref: 03523CF1
                                  • __vbaI4Var.MSVBVM60(?), ref: 03523CFB
                                  • __vbaFreeVar.MSVBVM60 ref: 03523D14
                                  • #632.MSVBVM60(?,?,?,?), ref: 03523D50
                                  • __vbaVarCat.MSVBVM60(?,?,00000008), ref: 03523D62
                                  • __vbaStrVarMove.MSVBVM60(00000000), ref: 03523D69
                                  • __vbaStrMove.MSVBVM60 ref: 03523D74
                                  • __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 03523D84
                                  • __vbaFreeVar.MSVBVM60(03523DC9), ref: 03523DC2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1448015159.0000000003316000.00000020.00000001.01000000.00000003.sdmp, Offset: 03300000, based on PE: true
                                  • Associated: 00000000.00000002.1447865298.0000000003300000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1447929974.0000000003301000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1447981911.000000000330D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448015159.000000000330F000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448217749.0000000003527000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.0000000003528000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.000000000352C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448335122.000000000352D000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3300000_rComprobante_swift_8676534657698632.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __vba$Free$Move$#632#653List
                                  • String ID:
                                  • API String ID: 1043057846-0
                                  • Opcode ID: 978b9be48ebcf39e8695c86e2e3b6e9c527694444bb690635e4141d1d39092b4
                                  • Instruction ID: 8476ab4c13ee78bfa753af5f02c9b94e55de71d6c9e5af4e15ec25667d61d346
                                  • Opcode Fuzzy Hash: 978b9be48ebcf39e8695c86e2e3b6e9c527694444bb690635e4141d1d39092b4
                                  • Instruction Fuzzy Hash: 7031FAB5C00209AFDB14EFE4D888EEDBBB8FB59704F108519E525A3255EA74560ACF50

                                  Control-flow Graph

                                  APIs
                                  • #644.MSVBVM60(?,03520680,00000001,6D41EC2C,00000000,?,?,?,?,?,?,Function_00001006), ref: 035208E7
                                  • #644.MSVBVM60(00000001,?,?,?,?,?,?,Function_00001006), ref: 035208F2
                                  • #644.MSVBVM60(00000000,00000000,00000000,?,?,?,?,?,?,Function_00001006), ref: 03520904
                                  • #644.MSVBVM60(-00000004,00000000,00000000,00000004,?,?,?,?,?,?,Function_00001006), ref: 03520922
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1448015159.0000000003316000.00000020.00000001.01000000.00000003.sdmp, Offset: 03300000, based on PE: true
                                  • Associated: 00000000.00000002.1447865298.0000000003300000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1447929974.0000000003301000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1447981911.000000000330D000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448015159.000000000330F000.00000020.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448217749.0000000003527000.00000002.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.0000000003528000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448259097.000000000352C000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.1448335122.000000000352D000.00000002.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_3300000_rComprobante_swift_8676534657698632.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: #644
                                  • String ID:
                                  • API String ID: 700137900-0
                                  • Opcode ID: 91381e0c4c2eaf1d6190e96eee69445b2598ae77cf96e0f76d608f5edc5dbd6e
                                  • Instruction ID: 5db018430a15064366055d929dafc4182df59cf1311acfe9495684bc039f8263
                                  • Opcode Fuzzy Hash: 91381e0c4c2eaf1d6190e96eee69445b2598ae77cf96e0f76d608f5edc5dbd6e
                                  • Instruction Fuzzy Hash: DF11CEB4900304AFD710FFB8DE45E6E7BFCEB5A610F00865AE512E7294D674AD058BA4

                                  Execution Graph

                                  Execution Coverage: 9%
                                  Dynamic/Decrypted Code Coverage: 19.2%
                                  Signature Coverage: 11.5%
                                  Total number of Nodes: 26
                                  Total number of Limit Nodes: 1
                                  Execution graph (node id, address, API called if any; edges as caller->callee):
                                  • 27653 4462d5 -> 27656 445d96 GetPEB -> 27657 445f33 (27657 loops to itself)
                                  • 27643 14b7068 -> 27644 14b70ac CheckRemoteDebuggerPresent -> 27645 14b70ee
                                  • 27646 68baac8 DuplicateHandle -> 27647 68bab5e
                                  • 27658 445bf7 -> 27659 445bfd NtAllocateVirtualMemory -> 27660 445c0a
                                  • 27661 44643e -> 27662 446442 -> 27663 445d96 GetPEB -> 27664 446453
                                  • 27665 44393e -> 27666 445f62 -> 27667 443946 NtClose -> 27668 444249
                                  • 27648 44640a -> 27649 4467d6 -> 27652 4460c8 GetPEB
                                  • 27669 443c1a <-> 27670 443baf; 27670 -> 27671 443bc1; 27670 -> 27672 443946 NtClose -> 27671

                                  Control-flow Graph

                                  Basic blocks (id: address range, API called) and edges:
                                  • 899: 14b7068-14b70ec, calls CheckRemoteDebuggerPresent
                                  • 901: 14b70ee-14b70f4
                                  • 902: 14b70f5-14b7130
                                  • Edges: 899->901, 899->902, 901->902
                                  APIs
                                  • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 014B70DF
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.3815872813.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_14b0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: CheckDebuggerPresentRemote
                                  • String ID:
                                  • API String ID: 3662101638-0
                                  • Opcode ID: 0eb4b945ffcf8d06c6ddf1f1b8d6c8bb8fbb78e231fef585db34cfa9c92a85ad
                                  • Instruction ID: f605ba6ce7c9ebd879ca7998242e1eb7e3abd1d09fe686bb3a2390ecba8a585d
                                  • Opcode Fuzzy Hash: 0eb4b945ffcf8d06c6ddf1f1b8d6c8bb8fbb78e231fef585db34cfa9c92a85ad
                                  • Instruction Fuzzy Hash: 6F2139B18002598FDB10CF9AD884BEEFBF4EF49311F14846AE855A7391D778A944CF61

                                  Control-flow Graph

                                  Basic blocks (id: address range, API called) and edges:
                                  • 915: 445abd-445c04, calls NtAllocateVirtualMemory
                                  • 917: 446198
                                  • 918: 445c0a-445fec
                                  • Edges: 915->917, 915->918
                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000), ref: 00445C00
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.3814858618.0000000000442000.00000040.80000000.00040000.00000000.sdmp, Offset: 00442000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_442000_RegAsm.jbxd
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0
                                  • Opcode ID: 010cbde5f3dd20a8ac18e9a559dd8a8de6817243094f39f0405c17f6c909cebd
                                  • Instruction ID: e8c7f49d6f7e37a62d9c78b335f1b09385f0e63d29a31fd17043735037db397a
                                  • Opcode Fuzzy Hash: 010cbde5f3dd20a8ac18e9a559dd8a8de6817243094f39f0405c17f6c909cebd
                                  • Instruction Fuzzy Hash: ACE0867150854AFEFB08C740C955FE46B249710314F35435AE0129A0D3EE68A74AD717

                                  Control-flow Graph

                                  • Nodes: 920 445bf7-445c04 (NtAllocateVirtualMemory), 922 446198, 923 445c0a-445fec
                                  • Edges: 920->922, 920->923
                                  APIs
                                  • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000), ref: 00445C00
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.3814858618.0000000000442000.00000040.80000000.00040000.00000000.sdmp, Offset: 00442000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_442000_RegAsm.jbxd
                                  Similarity
                                  • API ID: AllocateMemoryVirtual
                                  • String ID:
                                  • API String ID: 2167126740-0

                                  Control-flow Graph

                                  • Nodes: 892 14b7062-14b70ec (CheckRemoteDebuggerPresent), 895 14b70ee-14b70f4, 896 14b70f5-14b7130
                                  • Edges: 892->895, 892->896, 895->896
                                  APIs
                                  • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 014B70DF
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.3815872813.00000000014B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_14b0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: CheckDebuggerPresentRemote
                                  • String ID:
                                  • API String ID: 3662101638-0

                                  Control-flow Graph

                                  • Nodes: 905 68baac0-68bab5c (DuplicateHandle), 906 68bab5e-68bab64, 907 68bab65-68bab82
                                  • Edges: 905->906, 905->907, 906->907
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 068BAB4F
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.3817661998.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68b0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0

                                  Control-flow Graph

                                  • Nodes: 910 68baac8-68bab5c (DuplicateHandle), 911 68bab5e-68bab64, 912 68bab65-68bab82
                                  • Edges: 910->911, 910->912, 911->912
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 068BAB4F
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.3817661998.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_68b0000_RegAsm.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.3815358305.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_11cd000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Memory Dump Source
                                  • Source File: 00000003.00000002.3815358305.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_3_2_11cd000_RegAsm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: