Edit tour

Windows Analysis Report
tb4B9ni6vl.exe

Overview

General Information

Sample name:	tb4B9ni6vl.exe renamed because original name is a hash value
Original sample name:	d41dac29dbd4d480221a0598ef8a784fcc856f2cca2dae9c8dd38adc01d7ebb8.exe
Analysis ID:	1588913
MD5:	2be05e23b58f0391fa6ff8f4fd3e4cf2
SHA1:	6016c4770545b024784d39359aa1476b468ff127
SHA256:	d41dac29dbd4d480221a0598ef8a784fcc856f2cca2dae9c8dd38adc01d7ebb8
Tags:	AgentTeslaexeuser-adrian__luca
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

AI detected suspicious sample

Check if machine is in data center or colocation facility

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Generic Downloader

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

tb4B9ni6vl.exe (PID: 7712 cmdline: "C:\Users\user\Desktop\tb4B9ni6vl.exe" MD5: 2BE05E23B58F0391FA6FF8F4FD3E4CF2)

RegAsm.exe (PID: 7844 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.horeca-bucuresti.ro", "Username": "biggiemma@horeca-bucuresti.ro", "Password": "e)rWKbKP8~mO"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.3763860907.0000000002445000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3762739371.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.3762739371.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000003.1373711464.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1373711464.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.1378261499.0000000002D02000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1378261499.0000000002D02000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000003.1373552995.0000000004041000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1373552995.0000000004041000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000003.1373443509.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1373443509.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: tb4B9ni6vl.exe PID: 7712	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: tb4B9ni6vl.exe PID: 7712	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 7844	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7844	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.3.tb4B9ni6vl.exe.a4ea58.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.tb4B9ni6vl.exe.a4ea58.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.tb4B9ni6vl.exe.a4ea58.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3261f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32691:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3271b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x327ad:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32817:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32889:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3291f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x329af:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.tb4B9ni6vl.exe.a4ea58.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f819:$s2: GetPrivateProfileString 0x2eedd:$s3: get_OSFullName 0x30562:$s5: remove_Key 0x30703:$s5: remove_Key 0x315f0:$s6: FtpWebRequest 0x32601:$s7: logins 0x32b73:$s7: logins 0x35884:$s7: logins 0x35936:$s7: logins 0x37289:$s7: logins 0x364d0:$s9: 1.85 (Hash, version 2, native byte-order)
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3441f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34491:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3451b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345ad:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34617:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34689:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3471f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347af:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegAsm.exe.400000.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31619:$s2: GetPrivateProfileString 0x30cdd:$s3: get_OSFullName 0x32362:$s5: remove_Key 0x32503:$s5: remove_Key 0x333f0:$s6: FtpWebRequest 0x34401:$s7: logins 0x34973:$s7: logins 0x37684:$s7: logins 0x37736:$s7: logins 0x39089:$s7: logins 0x382d0:$s9: 1.85 (Hash, version 2, native byte-order)
0.3.tb4B9ni6vl.exe.a4ea58.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.tb4B9ni6vl.exe.a4ea58.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.tb4B9ni6vl.exe.a4ea58.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3261f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x32691:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3271b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x327ad:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x32817:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x32889:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3291f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x329af:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.tb4B9ni6vl.exe.a4ea58.0.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x2f819:$s2: GetPrivateProfileString 0x2eedd:$s3: get_OSFullName 0x30562:$s5: remove_Key 0x30703:$s5: remove_Key 0x315f0:$s6: FtpWebRequest 0x32601:$s7: logins 0x32b73:$s7: logins 0x35884:$s7: logins 0x35936:$s7: logins 0x37289:$s7: logins 0x364d0:$s9: 1.85 (Hash, version 2, native byte-order)
0.3.tb4B9ni6vl.exe.a4ea58.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.tb4B9ni6vl.exe.a4ea58.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.3.tb4B9ni6vl.exe.a4ea58.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.tb4B9ni6vl.exe.a4ea58.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3441f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34491:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3451b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345ad:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34617:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34689:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3471f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347af:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.tb4B9ni6vl.exe.a4ea58.1.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31619:$s2: GetPrivateProfileString 0x30cdd:$s3: get_OSFullName 0x32362:$s5: remove_Key 0x32503:$s5: remove_Key 0x333f0:$s6: FtpWebRequest 0x34401:$s7: logins 0x34973:$s7: logins 0x37684:$s7: logins 0x37736:$s7: logins 0x39089:$s7: logins 0x382d0:$s9: 1.85 (Hash, version 2, native byte-order)
0.3.tb4B9ni6vl.exe.a4ea58.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.3.tb4B9ni6vl.exe.a4ea58.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.3.tb4B9ni6vl.exe.a4ea58.0.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.3.tb4B9ni6vl.exe.a4ea58.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3441f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34491:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3451b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345ad:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34617:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34689:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3471f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347af:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.3.tb4B9ni6vl.exe.a4ea58.0.raw.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31619:$s2: GetPrivateProfileString 0x30cdd:$s3: get_OSFullName 0x32362:$s5: remove_Key 0x32503:$s5: remove_Key 0x333f0:$s6: FtpWebRequest 0x34401:$s7: logins 0x34973:$s7: logins 0x37684:$s7: logins 0x37736:$s7: logins 0x39089:$s7: logins 0x382d0:$s9: 1.85 (Hash, version 2, native byte-order)
0.2.tb4B9ni6vl.exe.2d00000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.tb4B9ni6vl.exe.2d00000.1.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.tb4B9ni6vl.exe.2d00000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.tb4B9ni6vl.exe.2d00000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x3441f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34491:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x3451b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x345ad:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34617:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x34689:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3471f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x347af:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.tb4B9ni6vl.exe.2d00000.1.unpack	MALWARE_Win_AgentTeslaV2	AgenetTesla Type 2 Keylogger payload	ditekSHen	0x31619:$s2: GetPrivateProfileString 0x30cdd:$s3: get_OSFullName 0x32362:$s5: remove_Key 0x32503:$s5: remove_Key 0x333f0:$s6: FtpWebRequest 0x34401:$s7: logins 0x34973:$s7: logins 0x37684:$s7: logins 0x37736:$s7: logins 0x39089:$s7: logins 0x382d0:$s9: 1.85 (Hash, version 2, native byte-order)
Click to see the 23 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: tb4B9ni6vl.exe

Avira: detected

Found malware configuration

Source: 2.2.RegAsm.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.horeca-bucuresti.ro", "Username": "biggiemma@horeca-bucuresti.ro", "Password": "e)rWKbKP8~mO"}

Multi AV Scanner detection for submitted file

Source: tb4B9ni6vl.exe	ReversingLabs: Detection: 71%
Source: tb4B9ni6vl.exe	Virustotal: Detection: 68%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: tb4B9ni6vl.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.tb4B9ni6vl.exe.a4ea58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.tb4B9ni6vl.exe.a4ea58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tb4B9ni6vl.exe.2d00000.1.unpack, type: UNPACKEDPE

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: unknown

DNS query: name: ip-api.com

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ip-api.com

Source: tb4B9ni6vl.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: tb4B9ni6vl.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: tb4B9ni6vl.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: tb4B9ni6vl.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: tb4B9ni6vl.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: tb4B9ni6vl.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: tb4B9ni6vl.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: tb4B9ni6vl.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: tb4B9ni6vl.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RegAsm.exe, 00000002.00000002.3763860907.00000000024F2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3763860907.00000000024EA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3763860907.0000000002411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: tb4B9ni6vl.exe, 00000000.00000003.1373711464.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, tb4B9ni6vl.exe, 00000000.00000002.1378261499.0000000002D02000.00000040.10000000.00040000.00000000.sdmp, tb4B9ni6vl.exe, 00000000.00000003.1373552995.0000000004041000.00000004.00000020.00020000.00000000.sdmp, tb4B9ni6vl.exe, 00000000.00000003.1373443509.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3763860907.00000000024D8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3762739371.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3763860907.0000000002411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: tb4B9ni6vl.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: tb4B9ni6vl.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: tb4B9ni6vl.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: tb4B9ni6vl.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: RegAsm.exe, 00000002.00000002.3763860907.00000000024D8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3763860907.0000000002411000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tb4B9ni6vl.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: tb4B9ni6vl.exe, 00000000.00000003.1373711464.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, tb4B9ni6vl.exe, 00000000.00000002.1378261499.0000000002D02000.00000040.10000000.00040000.00000000.sdmp, tb4B9ni6vl.exe, 00000000.00000003.1373552995.0000000004041000.00000004.00000020.00020000.00000000.sdmp, tb4B9ni6vl.exe, 00000000.00000003.1373443509.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3762739371.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: tb4B9ni6vl.exe	String found in binary or memory: https://mozilla.org0/

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.3.tb4B9ni6vl.exe.a4ea58.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.tb4B9ni6vl.exe.a4ea58.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.tb4B9ni6vl.exe.a4ea58.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.tb4B9ni6vl.exe.a4ea58.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.tb4B9ni6vl.exe.a4ea58.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.tb4B9ni6vl.exe.a4ea58.1.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.3.tb4B9ni6vl.exe.a4ea58.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.3.tb4B9ni6vl.exe.a4ea58.0.raw.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.2.tb4B9ni6vl.exe.2d00000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.tb4B9ni6vl.exe.2d00000.1.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Code function: 0_2_0026C1F0 __vbaFreeVar,NtSetInformationProcess,	0_2_0026C1F0
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Code function: 0_2_002058FB NtAllocateVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,	0_2_002058FB
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Code function: 0_2_009B28EC NtCreateSection,NtMapViewOfSection,RpcServerRegisterIf3,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_009B28EC
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Code function: 0_2_009B28B2 NtCreateSection,NtMapViewOfSection,RpcServerRegisterIf3,CreateProcessW,NtGetContextThread,NtReadVirtualMemory,NtWriteVirtualMemory,NtUnmapViewOfSection,NtMapViewOfSection,NtSetContextThread,NtResumeThread,	0_2_009B28B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004460CF NtAllocateVirtualMemory,	2_2_004460CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00446194 NtProtectVirtualMemory,	2_2_00446194
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00443A0A NtDelayExecution,	2_2_00443A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00446298 NtProtectVirtualMemory,	2_2_00446298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445B79 NtAllocateVirtualMemory,	2_2_00445B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00444394 NtClose,	2_2_00444394
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00443BAA NtCreateThreadEx,NtClose,	2_2_00443BAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004441C8 NtClose,	2_2_004441C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00443A2E NtDelayExecution,	2_2_00443A2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044423B NtDelayExecution,	2_2_0044423B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00444310 NtCreateThreadEx,NtClose,	2_2_00444310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00444338 NtCreateThreadEx,NtClose,	2_2_00444338

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0220A6BD	2_2_0220A6BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02204A88	2_2_02204A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0220D890	2_2_0220D890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_02203E70	2_2_02203E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_022041B8	2_2_022041B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_05C81130	2_2_05C81130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_05C83A88	2_2_05C83A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_05C833A0	2_2_05C833A0

Source: tb4B9ni6vl.exe

Static PE information: invalid certificate

Source: tb4B9ni6vl.exe, 00000000.00000002.1378261499.0000000002D3E000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamefc288b27-c6cf-4c74-9578-1c1adc1c204c.exe4 vs tb4B9ni6vl.exe
Source: tb4B9ni6vl.exe, 00000000.00000002.1376574614.0000000000273000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameacvm7qw909e.exe vs tb4B9ni6vl.exe
Source: tb4B9ni6vl.exe, 00000000.00000003.1373711464.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefc288b27-c6cf-4c74-9578-1c1adc1c204c.exe4 vs tb4B9ni6vl.exe
Source: tb4B9ni6vl.exe, 00000000.00000003.1373552995.0000000004041000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefc288b27-c6cf-4c74-9578-1c1adc1c204c.exe4 vs tb4B9ni6vl.exe
Source: tb4B9ni6vl.exe, 00000000.00000003.1373443509.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefc288b27-c6cf-4c74-9578-1c1adc1c204c.exe4 vs tb4B9ni6vl.exe
Source: tb4B9ni6vl.exe	Binary or memory string: OriginalFilenameacvm7qw909e.exe vs tb4B9ni6vl.exe

Source: tb4B9ni6vl.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.3.tb4B9ni6vl.exe.a4ea58.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.tb4B9ni6vl.exe.a4ea58.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.3.tb4B9ni6vl.exe.a4ea58.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.tb4B9ni6vl.exe.a4ea58.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.3.tb4B9ni6vl.exe.a4ea58.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.tb4B9ni6vl.exe.a4ea58.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.3.tb4B9ni6vl.exe.a4ea58.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.3.tb4B9ni6vl.exe.a4ea58.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.2.tb4B9ni6vl.exe.2d00000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.tb4B9ni6vl.exe.2d00000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: C:\Users\user\Desktop\tb4B9ni6vl.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\bb7e5d0cf2dfb2b59be71d56e848e059_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Mutant created: NULL

Source: tb4B9ni6vl.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\tb4B9ni6vl.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000002.00000002.3763860907.000000000250F000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3763860907.0000000002522000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: tb4B9ni6vl.exe	ReversingLabs: Detection: 71%
Source: tb4B9ni6vl.exe	Virustotal: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\tb4B9ni6vl.exe "C:\Users\user\Desktop\tb4B9ni6vl.exe"
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Section loaded: msvbvm60.dll	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Section loaded: vb6zz.dll	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Section loaded: vb6de.dll	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Section loaded: vb6de.dll	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\tb4B9ni6vl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: tb4B9ni6vl.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: tb4B9ni6vl.exe

Static PE information: Image base 0x7fff0000 > 0x60000000

Source: tb4B9ni6vl.exe

Static file information: File size 2524496 > 1048576

Source: tb4B9ni6vl.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x25d000

Source: tb4B9ni6vl.exe

Static PE information: real checksum: 0x26f10e should be: 0x26b4d4

Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Code function: 0_2_009B4092 push ss; retf	0_2_009B409D
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Code function: 0_2_009B140F push ds; retf	0_2_009B1420
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Code function: 0_2_009B5C62 push ss; retf	0_2_009B5C7A
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Code function: 0_2_009B4D97 push edx; iretd	0_2_009B4D98
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Code function: 0_2_009B3E9C pushfd ; iretd	0_2_009B3EC7
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Code function: 0_2_009B5213 push ebp; retf	0_2_009B5214
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Code function: 0_2_009B0FAF push esi; ret	0_2_009B0FB0
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Code function: 0_2_009B4704 pushad ; ret	0_2_009B470C
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Code function: 0_2_009FA979 push esp; iretd	0_2_009FA97B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00444D5D push ss; retf	2_2_00444D75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044550A push 395F3F06h; iretd	2_2_00445516
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044318D push ss; retf	2_2_00443198
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00443E92 push edx; iretd	2_2_00443E93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044430E push ebp; retf	2_2_0044430F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004437FF pushad ; ret	2_2_00443807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00442F97 pushfd ; iretd	2_2_00442FC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_05C88D8E push esp; ret	2_2_05C88D8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_05C895F0 push ebp; ret	2_2_05C895FE

Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: tb4B9ni6vl.exe, 00000000.00000003.1373711464.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, tb4B9ni6vl.exe, 00000000.00000002.1378261499.0000000002D02000.00000040.10000000.00040000.00000000.sdmp, tb4B9ni6vl.exe, 00000000.00000003.1373552995.0000000004041000.00000004.00000020.00020000.00000000.sdmp, tb4B9ni6vl.exe, 00000000.00000003.1373443509.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3763860907.0000000002445000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3763860907.00000000024F2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3762739371.0000000000402000.00000040.80000000.00040000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 21C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2220000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 1559			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 8434			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7852	Thread sleep count: 1559 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7852	Thread sleep time: -1559000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7852	Thread sleep count: 8434 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7852	Thread sleep time: -8434000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Last function: Thread delayed

Source: RegAsm.exe, 00000002.00000002.3763860907.00000000024F2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: RegAsm.exe, 00000002.00000002.3762739371.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: vmware
Source: RegAsm.exe, 00000002.00000002.3762739371.0000000000402000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: RegAsm.exe, 00000002.00000002.3765422285.0000000005794000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_02207070 CheckRemoteDebuggerPresent,

2_2_02207070

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Code function: 0_2_00205EB1 mov eax, dword ptr fs:[00000030h]	0_2_00205EB1
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Code function: 0_2_009B28EC mov eax, dword ptr fs:[00000030h]	0_2_009B28EC
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Code function: 0_2_009B6817 mov eax, dword ptr fs:[00000030h]	0_2_009B6817
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Code function: 0_2_009B687E mov eax, dword ptr fs:[00000030h]	0_2_009B687E
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Code function: 0_2_009B6D27 mov eax, dword ptr fs:[00000030h]	0_2_009B6D27
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Code function: 0_2_009B2EBD mov eax, dword ptr fs:[00000030h]	0_2_009B2EBD
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Code function: 0_2_009B6AD3 mov eax, dword ptr fs:[00000030h]	0_2_009B6AD3
Source: C:\Users\user\Desktop\tb4B9ni6vl.exe	Code function: 0_2_009B6FBF mov ecx, dword ptr fs:[00000030h]	0_2_009B6FBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004460CF mov edx, dword ptr fs:[00000030h]	2_2_004460CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004458E3 mov eax, dword ptr fs:[00000030h]	2_2_004458E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004460BA mov ecx, dword ptr fs:[00000030h]	2_2_004460BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445979 mov eax, dword ptr fs:[00000030h]	2_2_00445979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445D10 mov eax, dword ptr fs:[00000030h]	2_2_00445D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445912 mov eax, dword ptr fs:[00000030h]	2_2_00445912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004459E2 mov eax, dword ptr fs:[00000030h]	2_2_004459E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004459EF mov eax, dword ptr fs:[00000030h]	2_2_004459EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445E22 mov eax, dword ptr fs:[00000030h]	2_2_00445E22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445A2D mov eax, dword ptr fs:[00000030h]	2_2_00445A2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445A8A mov eax, dword ptr fs:[00000030h]	2_2_00445A8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004442A0 mov ecx, dword ptr fs:[00000030h]	2_2_004442A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445B13 mov eax, dword ptr fs:[00000030h]	2_2_00445B13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00445BCE mov eax, dword ptr fs:[00000030h]	2_2_00445BCE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\tb4B9ni6vl.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\tb4B9ni6vl.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 37D008

Jump to behavior

Source: C:\Users\user\Desktop\tb4B9ni6vl.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\tb4B9ni6vl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.3.tb4B9ni6vl.exe.a4ea58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.tb4B9ni6vl.exe.a4ea58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.tb4B9ni6vl.exe.a4ea58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.tb4B9ni6vl.exe.a4ea58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tb4B9ni6vl.exe.2d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3762739371.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1373711464.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1378261499.0000000002D02000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1373552995.0000000004041000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1373443509.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tb4B9ni6vl.exe PID: 7712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7844, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 0.3.tb4B9ni6vl.exe.a4ea58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.tb4B9ni6vl.exe.a4ea58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.tb4B9ni6vl.exe.a4ea58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.tb4B9ni6vl.exe.a4ea58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tb4B9ni6vl.exe.2d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3763860907.0000000002445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3762739371.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1373711464.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1378261499.0000000002D02000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1373552995.0000000004041000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1373443509.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tb4B9ni6vl.exe PID: 7712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7844, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.3.tb4B9ni6vl.exe.a4ea58.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.tb4B9ni6vl.exe.a4ea58.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.tb4B9ni6vl.exe.a4ea58.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.tb4B9ni6vl.exe.a4ea58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.tb4B9ni6vl.exe.2d00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.3762739371.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1373711464.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1378261499.0000000002D02000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1373552995.0000000004041000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1373443509.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: tb4B9ni6vl.exe PID: 7712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7844, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	1 Masquerading	1 OS Credential Dumping	531 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	25 Virtualization/Sandbox Evasion	LSASS Memory	25 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	211 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	34 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
tb4B9ni6vl.exe	71%	ReversingLabs	Win32.Trojan.AgentTesla
tb4B9ni6vl.exe	68%	Virustotal		Browse
tb4B9ni6vl.exe	100%	Avira	TR/Dropper.Gen

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://mozilla.org0/	tb4B9ni6vl.exe	false	high
https://account.dyn.com/	tb4B9ni6vl.exe, 00000000.00000003.1373711464.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, tb4B9ni6vl.exe, 00000000.00000002.1378261499.0000000002D02000.00000040.10000000.00040000.00000000.sdmp, tb4B9ni6vl.exe, 00000000.00000003.1373552995.0000000004041000.00000004.00000020.00020000.00000000.sdmp, tb4B9ni6vl.exe, 00000000.00000003.1373443509.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3762739371.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000002.00000002.3763860907.00000000024D8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3763860907.0000000002411000.00000004.00000800.00020000.00000000.sdmp	false	high
http://ip-api.com	RegAsm.exe, 00000002.00000002.3763860907.00000000024F2000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3763860907.00000000024EA000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.3763860907.0000000002411000.00000004.00000800.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588913
Start date and time:	2025-01-11 07:04:04 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	tb4B9ni6vl.exe renamed because original name is a hash value
Original Sample Name:	d41dac29dbd4d480221a0598ef8a784fcc856f2cca2dae9c8dd38adc01d7ebb8.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 85% Number of executed functions: 21 Number of non-executed functions: 13
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:05:37	API Interceptor	1105765x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	juE8dtqPkx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	YY3k9rjxpY.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	4LbgdNQgna.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	toIuQILmr1.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	LfZAz7DQzo.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Q5QrxfKnFA.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	RHOqJ5BrHW.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	J8V6dFanEo.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	3FjrbCZgDN.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	ewYjhndHg2.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	juE8dtqPkx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	YY3k9rjxpY.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	4LbgdNQgna.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	toIuQILmr1.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LfZAz7DQzo.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Q5QrxfKnFA.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RHOqJ5BrHW.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	J8V6dFanEo.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	3FjrbCZgDN.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ewYjhndHg2.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TUT-ASUS	juE8dtqPkx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	YY3k9rjxpY.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	4LbgdNQgna.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	toIuQILmr1.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	LfZAz7DQzo.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Q5QrxfKnFA.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	RHOqJ5BrHW.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	J8V6dFanEo.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	3FjrbCZgDN.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	ewYjhndHg2.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\bb7e5d0cf2dfb2b59be71d56e848e059_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\Desktop\tb4B9ni6vl.exe
File Type:	data
Category:	dropped
Size (bytes):	45
Entropy (8bit):	0.9111711733157262
Encrypted:	false
SSDEEP:	3:/lwltAOl:WKK
MD5:	1249116D570D2994CF7B4CD674646796
SHA1:	13E7AF8AC4636DBAED0C23C14B17ACEA00F87214
SHA-256:	487DC40611285BD6566DD58CD32B8FFF1C56CCB9924EC2DCB74C76F421C8F9AD
SHA-512:	849529569C30BDAE95C6B2609A75E9B7C263E370BFB03680BF648FCE4CF9FEF9AB4AB25C4738CCC3642727B18DB68E94D97CB0D0D833E19795076FB7FDB5269B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.263738519315181
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	tb4B9ni6vl.exe
File size:	2'524'496 bytes
MD5:	2be05e23b58f0391fa6ff8f4fd3e4cf2
SHA1:	6016c4770545b024784d39359aa1476b468ff127
SHA256:	d41dac29dbd4d480221a0598ef8a784fcc856f2cca2dae9c8dd38adc01d7ebb8
SHA512:	6753dbc9b858ccbc08c402b21da4b3d43785097f5cfd8e02cb894c4d55735e34e907403737b5a7d183c5fe94bc6a034613cf434c582408ab3ebb22c1067a42de
SSDEEP:	49152:w3ASbdYAm4zEbdYAm4zWbdYAm4z23Ag3AWbdYAm4zSbdYAm4zO3AKBGmhesZjzQ:iA4drWdr0drkASA0dr4dr8AVHsBzQ
TLSH:	0FC5D00322208F6FED4ADF39B7BA80E443153C5903155A42329F7720DB779BE9D29A5B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ag..................%..p......e.#.......%...............................&.......&....................................

File Icon


Icon Hash:	a3a3939a92b3929a

Static PE Info

General

Entrypoint:	0x8022c165
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x7fff0000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x67618BED [Tue Dec 17 14:34:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	42a4e0f64241075ea237a4cf00d0db9f

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	02/04/2024 02:00:00 19/06/2027 01:59:59
Subject Chain	CN=Mozilla Corporation, OU=Firefox Engineering Operations, O=Mozilla Corporation, L=San Francisco, S=California, C=US
Version:	3
Thumbprint MD5:	C7D85E7FB216697F9E1CDEEABDF1D6A3
Thumbprint SHA-1:	40890F2FE1ACAE18072FA7F3C0AE456AACC8570D
Thumbprint SHA-256:	BB8FFB6AB921F253B7D24AA68E449286E17DA713C38142EDA6D909E9892EE179
Serial:	0737B0D0DCDCAB8D78D2F40CB122F93F

Entrypoint Preview

Instruction
jmp 00007F0070665F6Fh
add byte ptr [eax+6149B581h], ch
ror byte ptr [ebx], 0000004Eh
into
les esi, fword ptr [ebx-13DBE9EBh]
sbb eax, EF04DE58h
loop 00007F00708A0A34h
lahf
push esp
jl 00007F00708A0A63h
call far A2B7h : D409199Fh
add eax, 590D6517h
mov esi, A80AEEC0h
xchg eax, ecx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x25cc24	0x3c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x263000	0x2894	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x265000	0x3550
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x266000	0x1434	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x180	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x25c34c	0x25d000	3788dfd120423459f40db665022ecd50	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x25e000	0x4bac	0x1000	620f0b67a91f7f74151bc5be745b7110	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x263000	0x2894	0x3000	2861c851f2d23123af116585c3b24974	False	0.19539388020833334	data	4.245051604246246	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x266000	0x2c9a	0x3000	afa18b8e558400cc726c45d74db1dae7	False	0.344970703125	data	3.721147362799404	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2630e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.21047717842323652
RT_GROUP_ICON	0x265690	0x14	data			1.15
RT_VERSION	0x2656a4	0x1f0	MS Windows COFF PowerPC object file	German	Germany	0.49798387096774194

Imports

DLL

Import

KERNEL32.DLL

GetProcAddress, GetModuleHandleW

MSVBVM60.DLL

__vbaVarSub, _CIcos, _adj_fptan, __vbaVarMove, __vbaVarVargNofree, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaNextEachVar, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaBoolErrVar, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenVar, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaRefVarAry, __vbaBoolVarNull, _CIsin, __vbaVargVarMove, __vbaVarZero, __vbaVarCmpGt, __vbaChkstk, EVENT_SINK_AddRef, __vbaVarTstEq, DllFunctionCall, __vbaVarOr, __vbaRedimPreserve, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, __vbaNew, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaStrVarVal, __vbaUbound, __vbaVarCat, _CIlog, __vbaVar2Vec, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaAryLock, __vbaVarAdd, __vbaVarDup, __vbaStrToAnsi, __vbaVarCopy, __vbaVarLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, __vbaStrVarCopy, __vbaForEachVar, _allmul, _CItan, __vbaAryUnlock, _CIexp, __vbaFreeObj, __vbaFreeStr

Possible Origin

Language of compilation system	Country where language is spoken	Map
German	Germany

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 07:05:05.982884884 CET	49753	80	192.168.2.10	208.95.112.1
Jan 11, 2025 07:05:05.987890005 CET	80	49753	208.95.112.1	192.168.2.10
Jan 11, 2025 07:05:05.987982988 CET	49753	80	192.168.2.10	208.95.112.1
Jan 11, 2025 07:05:05.989252090 CET	49753	80	192.168.2.10	208.95.112.1
Jan 11, 2025 07:05:05.994097948 CET	80	49753	208.95.112.1	192.168.2.10
Jan 11, 2025 07:05:06.443876028 CET	80	49753	208.95.112.1	192.168.2.10
Jan 11, 2025 07:05:06.487710953 CET	49753	80	192.168.2.10	208.95.112.1
Jan 11, 2025 07:05:56.760061026 CET	80	49753	208.95.112.1	192.168.2.10
Jan 11, 2025 07:05:56.760157108 CET	49753	80	192.168.2.10	208.95.112.1
Jan 11, 2025 07:06:46.458125114 CET	49753	80	192.168.2.10	208.95.112.1
Jan 11, 2025 07:06:46.463113070 CET	80	49753	208.95.112.1	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 07:05:05.955554962 CET	53499	53	192.168.2.10	1.1.1.1
Jan 11, 2025 07:05:05.962693930 CET	53	53499	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 07:05:05.955554962 CET	192.168.2.10	1.1.1.1	0x8b7e	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 07:05:05.962693930 CET	1.1.1.1	192.168.2.10	0x8b7e	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49753	208.95.112.1	80	7844	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 07:05:05.989252090 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Jan 11, 2025 07:05:06.443876028 CET	175	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 06:05:05 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

Target ID:	0
Start time:	01:04:56
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\tb4B9ni6vl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tb4B9ni6vl.exe"
Imagebase:	0x10000
File size:	2'524'496 bytes
MD5 hash:	2BE05E23B58F0391FA6FF8F4FD3E4CF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1373711464.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1373711464.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1378261499.0000000002D02000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1378261499.0000000002D02000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1373552995.0000000004041000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1373552995.0000000004041000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1373443509.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000003.1373443509.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:05:04
Start date:	11/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
Imagebase:	0x10000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3763860907.0000000002445000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.3762739371.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.3762739371.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	19.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	27.5%
Total number of Nodes:	193
Total number of Limit Nodes:	13

Executed Functions

Function 009B28B2 Relevance: 28.4, APIs: 10, Strings: 6, Instructions: 363
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 009B2AD8
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 009B2B05

Strings

m.ex, xrefs: 009B2C13
egas, xrefs: 009B2C0C
\Microsoft.NET\Framework\, xrefs: 009B2C21
|'xX, xrefs: 009B28B8
e, xrefs: 009B2C1A
D, xrefs: 009B2C8B

Memory Dump Source

Source File: 00000000.00000002.1377833111.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_tb4B9ni6vl.jbxd

Similarity

API ID: Section$CreateView
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex$|'xX
API String ID: 1585966358-1512431686
Opcode ID: 0f230d55ef63ab1dd61552786c1438069c36ed1a152f540815d0e4e58c6b328e
Instruction ID: bb94a9ce47278aeae137d8ede77db8b9ae86317b013cb701c054bf91620b52d3
Opcode Fuzzy Hash: 0f230d55ef63ab1dd61552786c1438069c36ed1a152f540815d0e4e58c6b328e
Instruction Fuzzy Hash: 82E16972D00259AFDF11DFA4CE85AEEBBB8FF44720F14446AE924AB241D7309A52CF50

Function 009B28EC Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 369
nativethreadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 009B2AD8
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 009B2B05
CreateProcessW.KERNELBASE(?,?,00000000,00000000,00000000,00000004,00000000,00000000,00000044,?), ref: 009B2CB0
NtGetContextThread.NTDLL(?,?), ref: 009B2CCF
NtReadVirtualMemory.NTDLL(?,?,?,000001D8,?), ref: 009B2CF5
NtWriteVirtualMemory.NTDLL(?,?,?,00000004,?), ref: 009B2D1F
NtUnmapViewOfSection.NTDLL(?,?), ref: 009B2D3A
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 009B2D53
NtSetContextThread.NTDLL(?,00010003), ref: 009B2D84
NtResumeThread.NTDLL(?,00000000), ref: 009B2D91

Strings

m.ex, xrefs: 009B2C13
egas, xrefs: 009B2C0C
\Microsoft.NET\Framework\, xrefs: 009B2C21
e, xrefs: 009B2C1A
D, xrefs: 009B2C8B

Memory Dump Source

Source File: 00000000.00000002.1377833111.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_tb4B9ni6vl.jbxd

Similarity

API ID: Section$ThreadView$ContextCreateMemoryVirtual$ProcessReadResumeUnmapWrite
String ID: D$\Microsoft.NET\Framework\$e$egas$m.ex
API String ID: 1951729442-1087957892
Opcode ID: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
Instruction ID: 03b78511efc4df4ec92e4266d0f3843172f08bb2c36fca3251eafd33b947e3c8
Opcode Fuzzy Hash: bdfd8c2c08da80d8aef1ac999a3557cfaab083761e6134d184dbc6d082490619
Instruction Fuzzy Hash: 1EE136B2D00259AFDF10DFA5CE85AEEBBB8FF44710F14446AE914AB241D7349A41CF94

Function 002058FB Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000100,00000000,00000100,00003000,00000040,?,NtQueryInformationProcess,0020465F,?,NtQueryInformationProcess,00204679,?,NtQueryInformationProcess,00204648,NtQueryInformationProcess), ref: 00205992
NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,00000040,00000000,?,NtQueryInformationProcess,0020465F,?,NtQueryInformationProcess,00204679,?,NtQueryInformationProcess,00204648,NtQueryInformationProcess,002046EA), ref: 002059BD
NtProtectVirtualMemory.NTDLL(000000FF,?,00000005,00000000,00000000,?,NtQueryInformationProcess,0020465F,?,NtQueryInformationProcess,00204679,?,NtQueryInformationProcess,00204648,NtQueryInformationProcess,002046EA), ref: 00205AB9

Strings

NtQueryInformationProcess, xrefs: 0020591D, 00205932, 0020594A, 00205962

Memory Dump Source

Source File: 00000000.00000002.1375656335.0000000000130000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1375436874.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375462713.0000000000011000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375530743.000000000001E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375656335.000000000001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376345270.000000000026E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376345270.0000000000272000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376574614.0000000000273000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_tb4B9ni6vl.jbxd

Similarity

API ID: MemoryVirtual$Protect$Allocate
String ID: NtQueryInformationProcess
API String ID: 955180148-2781105232
Opcode ID: 3115b2ad904579c2bbfeae84a3b2adedb6d27203cc52787e22d5cd13e10c7f28
Instruction ID: 4c5b3417e9a63610fbd1e7b051f74e56d315712f6ed0e73b519e46051aef16bf
Opcode Fuzzy Hash: 3115b2ad904579c2bbfeae84a3b2adedb6d27203cc52787e22d5cd13e10c7f28
Instruction Fuzzy Hash: 5C51D67592071A9FDF00DFA8CC85BAFBBB9FB85320F148305E110A61D2E3B156648F61

Function 0026C1F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtSetInformationProcess.NTDLL ref: 0026C236

Strings

0, xrefs: 0026C22A

Memory Dump Source

Source File: 00000000.00000002.1375656335.0000000000130000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1375436874.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375462713.0000000000011000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375530743.000000000001E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375656335.000000000001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376345270.000000000026E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376345270.0000000000272000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376574614.0000000000273000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_tb4B9ni6vl.jbxd

Similarity

API ID: InformationProcess
String ID: 0
API String ID: 1801817001-4108050209
Opcode ID: 4bfa53723ae4ba89d26cef7e1459302cc1de43613a8231c2dff16ebd31f6c04d
Instruction ID: 8b84978950f63152012624381f8e06e1c5dca26392cace12ab4e1150ed4fe616
Opcode Fuzzy Hash: 4bfa53723ae4ba89d26cef7e1459302cc1de43613a8231c2dff16ebd31f6c04d
Instruction Fuzzy Hash: 3EE065B0940244BBD710EFD8CD06BDDBABCE708B14F604244FB00665C1D3B8194487A1

Function 002062F0 Relevance: 186.2, APIs: 102, Strings: 4, Instructions: 674
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCat.MSVBVM60(0001DDF8,0001DDF0,?,6D6260EF), ref: 0020637F
__vbaStrMove.MSVBVM60(?,6D6260EF), ref: 0020638C
__vbaStrCat.MSVBVM60(bvm,00000000,?,6D6260EF), ref: 00206394
__vbaStrMove.MSVBVM60(?,6D6260EF), ref: 0020639B
__vbaStrCat.MSVBVM60(0001DE10,00000000,?,6D6260EF), ref: 002063A3
__vbaStrMove.MSVBVM60(?,6D6260EF), ref: 002063AA
#644.MSVBVM60(00000000,?,6D6260EF), ref: 002063AD
GetModuleHandleW.KERNEL32(00000000,?,6D6260EF), ref: 002063B4
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,6D6260EF), ref: 002063CD

Part of subcall function 0020A0E0: __vbaVarDup.MSVBVM60(6D53D8B1,6D52A323), ref: 0020A123
Part of subcall function 0020A0E0: #653.MSVBVM60(?,?), ref: 0020A131
Part of subcall function 0020A0E0: __vbaI4Var.MSVBVM60(?), ref: 0020A13B
Part of subcall function 0020A0E0: __vbaFreeVar.MSVBVM60 ref: 0020A154
Part of subcall function 0020A0E0: #632.MSVBVM60(?,?,?,?), ref: 0020A190
Part of subcall function 0020A0E0: __vbaVarCat.MSVBVM60(?,?,00000008), ref: 0020A1A2
Part of subcall function 0020A0E0: __vbaStrVarMove.MSVBVM60(00000000), ref: 0020A1A9
Part of subcall function 0020A0E0: __vbaStrMove.MSVBVM60 ref: 0020A1B4
Part of subcall function 0020A0E0: __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 0020A1C4
Part of subcall function 0020A0E0: __vbaFreeVar.MSVBVM60(0020A209), ref: 0020A202

__vbaStrMove.MSVBVM60(?,6D6260EF), ref: 002063FA
__vbaStrToAnsi.MSVBVM60(?,00000000,?,6D6260EF), ref: 00206401
GetProcAddress.KERNEL32(00000000,00000000), ref: 0020640F
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,6D6260EF), ref: 00206424
__vbaStrCat.MSVBVM60(0001DE6C,0001DE60), ref: 00206437
__vbaStrMove.MSVBVM60 ref: 0020643E
__vbaStrCat.MSVBVM60(0001DE80,00000000), ref: 00206446
__vbaStrMove.MSVBVM60 ref: 00206473
#644.MSVBVM60(00000000), ref: 00206476
GetModuleHandleW.KERNEL32(00000000), ref: 0020647D
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00206492
__vbaFreeVar.MSVBVM60 ref: 0020649E
__vbaStrCat.MSVBVM60(0001DCCC,0001DE98), ref: 002064AE
__vbaStrMove.MSVBVM60 ref: 002064B5
__vbaStrCat.MSVBVM60(0001DCD4,00000000), ref: 002064BD
__vbaStrMove.MSVBVM60 ref: 002064C4
__vbaStrCat.MSVBVM60(0001DEA0,00000000), ref: 002064CC
__vbaStrMove.MSVBVM60 ref: 002064D3
__vbaStrCat.MSVBVM60(0001DEA8,00000000), ref: 002064DB
__vbaStrMove.MSVBVM60 ref: 002064E2
__vbaStrCat.MSVBVM60(0001DEB0,00000000), ref: 002064EA
__vbaStrMove.MSVBVM60 ref: 002064F1
__vbaStrCat.MSVBVM60(0001DEB8,00000000), ref: 002064F9
__vbaStrMove.MSVBVM60 ref: 00206500
__vbaStrCat.MSVBVM60(0001DEC0,00000000), ref: 00206508
__vbaStrMove.MSVBVM60 ref: 0020650F
__vbaStrCat.MSVBVM60(0001DCD4,00000000), ref: 00206517
__vbaStrMove.MSVBVM60 ref: 0020651E
__vbaStrCat.MSVBVM60(0001DEC8,00000000), ref: 00206526
__vbaStrMove.MSVBVM60 ref: 0020652D
__vbaStrCat.MSVBVM60(0001DEA0,00000000), ref: 00206535
__vbaStrMove.MSVBVM60 ref: 0020653C
__vbaStrCat.MSVBVM60(0001DED0,00000000), ref: 00206544
__vbaStrMove.MSVBVM60 ref: 0020654B
__vbaStrCat.MSVBVM60(0001DED8,00000000), ref: 00206553
__vbaStrMove.MSVBVM60 ref: 0020655A
__vbaStrCat.MSVBVM60(0001DEA0,00000000), ref: 00206562
__vbaStrMove.MSVBVM60 ref: 00206569
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 00206570
GetProcAddress.KERNEL32(00000000,00000000), ref: 0020657E
__vbaFreeStrList.MSVBVM60(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 002065C3
__vbaRedim.MSVBVM60(00000080,00000004,?,00000003,00000001,0000000F,00000000), ref: 002065DB
__vbaNew.MSVBVM60(0001DEFC,0001DF0C), ref: 002065EE
__vbaObjSet.MSVBVM60(?,00000000), ref: 002065F9
__vbaCastObj.MSVBVM60(00000000), ref: 00206600
__vbaObjSet.MSVBVM60(?,00000000), ref: 0020660B
__vbaObjSetAddref.MSVBVM60(0026E2D0,00000000), ref: 00206619
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00206629
__vbaObjSetAddref.MSVBVM60(?), ref: 0020663F
#644.MSVBVM60(00000000), ref: 00206646
__vbaFreeObj.MSVBVM60 ref: 00206652
#644.MSVBVM60(?), ref: 0020665C
__vbaAryLock.MSVBVM60(?,?,?,?,00000000), ref: 0020668C
#644.MSVBVM60(?), ref: 002066A4
__vbaAryUnlock.MSVBVM60(?), ref: 002066B4
__vbaObjSetAddref.MSVBVM60(?,?,?,?,00000000), ref: 002066F1
#644.MSVBVM60(00000000,?,?,?,00000000), ref: 002066F8
__vbaFreeObj.MSVBVM60(?,?,?,00000000), ref: 00206704
#644.MSVBVM60(0026E2CC,?,?,?,00000000), ref: 00206713
__vbaAryLock.MSVBVM60(?,?,00000000,?,00000004,?,?,?,00000000), ref: 00206733
#644.MSVBVM60(00011406,?,?,?,00000000), ref: 00206748
__vbaAryUnlock.MSVBVM60(?,?,?,?,00000000), ref: 00206758
#644.MSVBVM60(?,?,?,?,00000000), ref: 00206771
__vbaRedim.MSVBVM60(00000080,00000004,0026E214,00000003,00000001,00000010,00000000,00000000,?,?,?,?,00000000), ref: 002067AD
#644.MSVBVM60(?), ref: 002067BA
#644.MSVBVM60(?,-0000000C,00000000), ref: 002067E0
__vbaAryLock.MSVBVM60(?,00000000,00000000,-0000000C), ref: 0020680C
__vbaStrCat.MSVBVM60(0001DF34,0001DF2C,00011406,00000040), ref: 00206842
__vbaStrMove.MSVBVM60 ref: 00206849
__vbaI4Str.MSVBVM60(00000000), ref: 0020684C
VirtualProtect.KERNELBASE(?,00000000), ref: 00206862
__vbaHresultCheckObj.MSVBVM60(00000000,?,0001DF0C,0000002C,?,00000000), ref: 0020687C
__vbaAryUnlock.MSVBVM60(?,?,00000000), ref: 00206886
__vbaFreeStr.MSVBVM60(?,00000000), ref: 0020688F
#644.MSVBVM60(?,?,00000000), ref: 0020689F
__vbaAryLock.MSVBVM60(?,00000000,00000000,00000000,-0000000C,?,00000000), ref: 002068DA
#644.MSVBVM60(?,?,00000000), ref: 002068F1
__vbaAryUnlock.MSVBVM60(?,?,00000000), ref: 002068FD
#644.MSVBVM60(00000040,00000000,00000000,-0000000C,?,00000000), ref: 00206937
#644.MSVBVM60(0424448B,00000000,?,?,00000000), ref: 0020695D
#644.MSVBVM60(408B008B,00000000,?,?,00000000), ref: 00206983
#644.MSVBVM60(20C4832C,00000000,?,?,00000000), ref: 002069A9
#644.MSVBVM60(E02474FF,00000000,?,?,00000000), ref: 002069CF
VirtualProtect.KERNELBASE(00011406,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000008,00000040,?,00000000,?,?,00000000), ref: 00206A26
__vbaHresultCheckObj.MSVBVM60(00000000,?,0001DF0C,00000020,?,00000000), ref: 00206A40
__vbaAryLock.MSVBVM60(?,00000000,00000000,?,00000000), ref: 00206A6C
#644.MSVBVM60(?,?,00000000), ref: 00206A83
__vbaAryUnlock.MSVBVM60(?,?,00000000), ref: 00206A8F
#644.MSVBVM60(0026E2CC,00000000,?,00000000), ref: 00206ABC
#644.MSVBVM60(00000000,00000000,?,?,00000000), ref: 00206AD5
#644.MSVBVM60(-00000004,00000000,00000000,?,00000000), ref: 00206AED
__vbaFreeVar.MSVBVM60(?,-00000004,00000000,?,00000000), ref: 00206B0B
__vbaAryDestruct.MSVBVM60(00000000,?,00206B8C,?,00000000), ref: 00206B85

Strings

@, xrefs: 002067D5
bvm, xrefs: 0020638F
`bm, xrefs: 0020649E, 00206B0B
DqlqlqFquqnqcqtqiqoqnqCqaqlqlq, xrefs: 002063DA

Memory Dump Source

Source File: 00000000.00000002.1375656335.0000000000130000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1375436874.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375462713.0000000000011000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375530743.000000000001E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375656335.000000000001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376345270.000000000026E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376345270.0000000000272000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376574614.0000000000273000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_tb4B9ni6vl.jbxd

Similarity

API ID: __vba$#644Move$Free$List$LockUnlock$Addref$AddressAnsiCheckHandleHresultModuleProcProtectRedimVirtual$#632#653CastDestruct
String ID: @$DqlqlqFquqnqcqtqiqoqnqCqaqlqlq$bvm$`bm
API String ID: 3776562771-2549648649
Opcode ID: 7a9e4d65bfdd92c7488f8ccb75d4b4a92b9ff054ea4b26e007523afb9f89e578
Instruction ID: ae19caf2b68bc1002114b2ef37aa5acfeaae8ccff0c77916ce1949befd43f84d
Opcode Fuzzy Hash: 7a9e4d65bfdd92c7488f8ccb75d4b4a92b9ff054ea4b26e007523afb9f89e578
Instruction Fuzzy Hash: D6423BB5D10219AFDB14DFA4DC89EEEBBB9FF48300F00C15AE605A7251DAB4A945CF60

Function 0001B309 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaFreeVar.MSVBVM60(?), ref: 0026BCE2

Part of subcall function 002062F0: __vbaStrCat.MSVBVM60(0001DDF8,0001DDF0,?,6D6260EF), ref: 0020637F
Part of subcall function 002062F0: __vbaStrMove.MSVBVM60(?,6D6260EF), ref: 0020638C
Part of subcall function 002062F0: __vbaStrCat.MSVBVM60(bvm,00000000,?,6D6260EF), ref: 00206394
Part of subcall function 002062F0: __vbaStrMove.MSVBVM60(?,6D6260EF), ref: 0020639B
Part of subcall function 002062F0: __vbaStrCat.MSVBVM60(0001DE10,00000000,?,6D6260EF), ref: 002063A3
Part of subcall function 002062F0: __vbaStrMove.MSVBVM60(?,6D6260EF), ref: 002063AA
Part of subcall function 002062F0: #644.MSVBVM60(00000000,?,6D6260EF), ref: 002063AD
Part of subcall function 002062F0: GetModuleHandleW.KERNEL32(00000000,?,6D6260EF), ref: 002063B4
Part of subcall function 002062F0: __vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,6D6260EF), ref: 002063CD
Part of subcall function 002062F0: __vbaStrMove.MSVBVM60(?,6D6260EF), ref: 002063FA
Part of subcall function 002062F0: __vbaStrToAnsi.MSVBVM60(?,00000000,?,6D6260EF), ref: 00206401
Part of subcall function 002062F0: GetProcAddress.KERNEL32(00000000,00000000), ref: 0020640F
Part of subcall function 002062F0: __vbaFreeStrList.MSVBVM60(00000002,?,?,?,6D6260EF), ref: 00206424

Part of subcall function 0026C1F0: NtSetInformationProcess.NTDLL ref: 0026C236

__vbaFreeVar.MSVBVM60(00000000), ref: 0026BCF5

Strings

`bm, xrefs: 0026BCD9

Memory Dump Source

Source File: 00000000.00000002.1375462713.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1375436874.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375530743.000000000001E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375656335.000000000001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375656335.0000000000130000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376345270.000000000026E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376345270.0000000000272000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376574614.0000000000273000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_tb4B9ni6vl.jbxd

Similarity

API ID: __vba$FreeMove$List$#644AddressAnsiHandleInformationModuleProcProcess
String ID: `bm
API String ID: 20434910-121691798
Opcode ID: c5f9aff612a662e1821663de9e104f57aa4a1cf06ec6fb6643546cd41318827b
Instruction ID: e925c35102c71a51e76ce796693e1fa3fd52d61ae7bf32bd76a99c555d38f0d5
Opcode Fuzzy Hash: c5f9aff612a662e1821663de9e104f57aa4a1cf06ec6fb6643546cd41318827b
Instruction Fuzzy Hash: BCF06D70820258AACB15EB54CD05BEEBBB8BF09B00F500069E50173141D7B865948AA1

Non-executed Functions

Function 00205EB1 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1375656335.0000000000130000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1375436874.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375462713.0000000000011000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375530743.000000000001E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375656335.000000000001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376345270.000000000026E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376345270.0000000000272000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376574614.0000000000273000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_tb4B9ni6vl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef41f23567e4e7422021a95af9bb6b13c8200b2295415d293bf1cf4d9d63b1a6
Instruction ID: 84955960c7ad70a15c3235a4cdb2f8e3f7f75d2ecf7da0db890f14322f765e33
Opcode Fuzzy Hash: ef41f23567e4e7422021a95af9bb6b13c8200b2295415d293bf1cf4d9d63b1a6
Instruction Fuzzy Hash: 6A01D132630B278BCB20AF04C0449A7B7AAFB31760F950422E44447ED6E375EEA0CF11

Function 009B2EBD Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377833111.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_tb4B9ni6vl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b399b04e11d1ff954b26d47aa0a54e719ae22316263aa56bc50ae1b8ddb9bc6
Instruction ID: 7e48da9f3224b8b550dcfa322cb9e4b46dc7ff869dd6703bf69743b530d5797f
Opcode Fuzzy Hash: 0b399b04e11d1ff954b26d47aa0a54e719ae22316263aa56bc50ae1b8ddb9bc6
Instruction Fuzzy Hash: D0F06D32210564DBC760EB5ACA409AAB3FCEB94770B254815E4499BA01D330FC4097A0

Function 009B6FBF Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377833111.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_tb4B9ni6vl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1a6dcdea3342a7a72876fe8a7b1589bfbaed65d9ce639e43120d4104721110e
Instruction ID: 1ba02e7bde4193175a08c10590e63ddfb95ee7b79b621faa8083a029fae7805f
Opcode Fuzzy Hash: a1a6dcdea3342a7a72876fe8a7b1589bfbaed65d9ce639e43120d4104721110e
Instruction Fuzzy Hash: 86C04034159441CBC359DB95C155BE07331F7C0718F34456CF0071F54247AB6907D740

Function 009B6AD3 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377833111.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_tb4B9ni6vl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8539da049063bef8adf3d94d59f1889e654f143c59e68d50339725345bc4b5e2
Instruction ID: 91b114992dc0d88bc04664ba73b3b4691168c6be18669c64ee1c0e0eae6ea44a
Opcode Fuzzy Hash: 8539da049063bef8adf3d94d59f1889e654f143c59e68d50339725345bc4b5e2
Instruction Fuzzy Hash: D2B09234125440CFC2818A0AC250A903374FB00720F214891E4024BA51C23CF900DA00

Function 009B6817 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377833111.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_tb4B9ni6vl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 372415e9e8cffc2d3689bc32529b5c7e17dadaa47c7c50a124329dcd1fc7c9f1
Instruction ID: b8388c6edc1952ace1886a8539f001e3d0be70d6261eb16f087367c3fafd50ed
Opcode Fuzzy Hash: 372415e9e8cffc2d3689bc32529b5c7e17dadaa47c7c50a124329dcd1fc7c9f1
Instruction Fuzzy Hash: 87B00135266980CFC296CB0AC294F5073B8FB04A41F4614F4E4058BA62C338AA00CA00

Function 009B687E Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377833111.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_tb4B9ni6vl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b94a04b6e078c85674e19733439a7be174f4f8d4728e55fdea551be3ae466bff
Instruction ID: ecefd92c7d1271b5953bc55f4c8d25ddccc960576a82d0cade32e7f73a10a9c6
Opcode Fuzzy Hash: b94a04b6e078c85674e19733439a7be174f4f8d4728e55fdea551be3ae466bff
Instruction Fuzzy Hash: 7FB00135266981CFD296CB4AC594F5077B8FB04A41F4614F1E4058BA62C338A900CA10

Function 009B6D27 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1377833111.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9b0000_tb4B9ni6vl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8cf9f99ad5648ab98f4869b4ab0ce955a8baaa77e670ecf4975d02acf0258fb
Instruction ID: caba6d26315296d23548974c7e7dec74316f6a19b57831a262f6e9655b8a9e6d
Opcode Fuzzy Hash: e8cf9f99ad5648ab98f4869b4ab0ce955a8baaa77e670ecf4975d02acf0258fb
Instruction Fuzzy Hash: 97B00175266A80CFC296CB0AC294F5173B8FB04A41F4618F0E4059BAA2C378AD00CA00

Function 0001AB7C Relevance: 59.6, APIs: 22, Strings: 12, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCat.MSVBVM60(@o@s@o@f,M@i@c@r), ref: 0026A18D
__vbaStrMove.MSVBVM60 ref: 0026A19A
__vbaStrCat.MSVBVM60(@t@ @E@n@h@a@n,00000000), ref: 0026A1A2
__vbaStrMove.MSVBVM60 ref: 0026A1A9
__vbaStrCat.MSVBVM60(@c@e@d@ @R@S@,00000000), ref: 0026A1B1
__vbaStrMove.MSVBVM60 ref: 0026A1B8
__vbaStrCat.MSVBVM60(A@ @a@n,00000000), ref: 0026A1C0
__vbaStrMove.MSVBVM60 ref: 0026A1C7
__vbaStrCat.MSVBVM60(@d@ @A@E@S@ ,00000000), ref: 0026A1CF
__vbaStrMove.MSVBVM60 ref: 0026A1D6
__vbaStrCat.MSVBVM60(@C@r@y@,00000000), ref: 0026A1DE
__vbaStrMove.MSVBVM60 ref: 0026A1E5
__vbaStrCat.MSVBVM60(p@t@o@g@r@a@,00000000), ref: 0026A1ED
__vbaStrMove.MSVBVM60 ref: 0026A1F4
__vbaStrCat.MSVBVM60(p@h@i@c@ @P@r,00000000), ref: 0026A1FC
__vbaStrMove.MSVBVM60 ref: 0026A203
__vbaStrCat.MSVBVM60(@o@v@i@d,00000000), ref: 0026A20B
__vbaStrMove.MSVBVM60 ref: 0026A212
__vbaStrCat.MSVBVM60(@e@r@,00000000), ref: 0026A21A

Part of subcall function 0020A0E0: __vbaVarDup.MSVBVM60(6D53D8B1,6D52A323), ref: 0020A123
Part of subcall function 0020A0E0: #653.MSVBVM60(?,?), ref: 0020A131
Part of subcall function 0020A0E0: __vbaI4Var.MSVBVM60(?), ref: 0020A13B
Part of subcall function 0020A0E0: __vbaFreeVar.MSVBVM60 ref: 0020A154
Part of subcall function 0020A0E0: #632.MSVBVM60(?,?,?,?), ref: 0020A190
Part of subcall function 0020A0E0: __vbaVarCat.MSVBVM60(?,?,00000008), ref: 0020A1A2
Part of subcall function 0020A0E0: __vbaStrVarMove.MSVBVM60(00000000), ref: 0020A1A9
Part of subcall function 0020A0E0: __vbaStrMove.MSVBVM60 ref: 0020A1B4
Part of subcall function 0020A0E0: __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 0020A1C4
Part of subcall function 0020A0E0: __vbaFreeVar.MSVBVM60(0020A209), ref: 0020A202

__vbaStrMove.MSVBVM60 ref: 0026A247
__vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?), ref: 0026A26F
__vbaFreeVar.MSVBVM60 ref: 0026A27B

Strings

@t@ @E@n@h@a@n, xrefs: 0026A19D
A@ @a@n, xrefs: 0026A1BB
@C@r@y@, xrefs: 0026A1D9
p@h@i@c@ @P@r, xrefs: 0026A1F7
p@t@o@g@r@a@, xrefs: 0026A1E8
`bm, xrefs: 0026A27B
@o@v@i@d, xrefs: 0026A206
@o@s@o@f, xrefs: 0026A188
@e@r@, xrefs: 0026A215
@d@ @A@E@S@ , xrefs: 0026A1CA
@c@e@d@ @R@S@, xrefs: 0026A1AC
M@i@c@r, xrefs: 0026A183

Memory Dump Source

Source File: 00000000.00000002.1375462713.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1375436874.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375530743.000000000001E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375656335.000000000001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375656335.0000000000130000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376345270.000000000026E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376345270.0000000000272000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376574614.0000000000273000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_tb4B9ni6vl.jbxd

Similarity

API ID: __vba$Move$Free$List$#632#653
String ID: @C@r@y@$@c@e@d@ @R@S@$@d@ @A@E@S@ $@e@r@$@o@s@o@f$@o@v@i@d$@t@ @E@n@h@a@n$A@ @a@n$M@i@c@r$p@h@i@c@ @P@r$p@t@o@g@r@a@$`bm
API String ID: 193477259-691305777
Opcode ID: f786c52a1339f58cdd21da43902cb27a19ec31006359a1ea0e469d71ee8cfdfb
Instruction ID: 07b93dfa31a2ff5a4d6414a2696d75562bb5d81752ef7f359bc2c0aca4f87109
Opcode Fuzzy Hash: f786c52a1339f58cdd21da43902cb27a19ec31006359a1ea0e469d71ee8cfdfb
Instruction Fuzzy Hash: 0641CCB1D10258ABDB05EFA9DC45DEEBBB9EF88700F10811BF502A7290DAB45945CFA1

Function 0001AB89 Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(0001EB98,0001ED60), ref: 0026A36D
__vbaStrMove.MSVBVM60 ref: 0026A37A
__vbaStrCat.MSVBVM60(0001EA08,00000000), ref: 0026A382
__vbaStrMove.MSVBVM60 ref: 0026A389
__vbaStrCat.MSVBVM60(0001E928,00000000), ref: 0026A391
__vbaStrMove.MSVBVM60 ref: 0026A398
__vbaStrCat.MSVBVM60(0001EB08,00000000), ref: 0026A3A0
__vbaStrMove.MSVBVM60 ref: 0026A3A7
__vbaStrCat.MSVBVM60(0001EF0C,00000000), ref: 0026A3AF
__vbaStrMove.MSVBVM60 ref: 0026A3B6
__vbaStrCat.MSVBVM60(0001EF38,00000000), ref: 0026A3BE
__vbaStrMove.MSVBVM60 ref: 0026A3C5
__vbaStrCat.MSVBVM60(0001EF54,00000000), ref: 0026A3CD
__vbaStrMove.MSVBVM60 ref: 0026A3D4
__vbaStrCat.MSVBVM60(0001EF80,00000000), ref: 0026A3DC
__vbaStrMove.MSVBVM60 ref: 0026A3E3
__vbaStrCat.MSVBVM60(0001EFA4,00000000), ref: 0026A3EB
__vbaStrMove.MSVBVM60 ref: 0026A3F2
__vbaStrCat.MSVBVM60(0001EFBC,00000000), ref: 0026A3FA

Part of subcall function 0020A0E0: __vbaVarDup.MSVBVM60(6D53D8B1,6D52A323), ref: 0020A123
Part of subcall function 0020A0E0: #653.MSVBVM60(?,?), ref: 0020A131
Part of subcall function 0020A0E0: __vbaI4Var.MSVBVM60(?), ref: 0020A13B
Part of subcall function 0020A0E0: __vbaFreeVar.MSVBVM60 ref: 0020A154
Part of subcall function 0020A0E0: #632.MSVBVM60(?,?,?,?), ref: 0020A190
Part of subcall function 0020A0E0: __vbaVarCat.MSVBVM60(?,?,00000008), ref: 0020A1A2
Part of subcall function 0020A0E0: __vbaStrVarMove.MSVBVM60(00000000), ref: 0020A1A9
Part of subcall function 0020A0E0: __vbaStrMove.MSVBVM60 ref: 0020A1B4
Part of subcall function 0020A0E0: __vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 0020A1C4
Part of subcall function 0020A0E0: __vbaFreeVar.MSVBVM60(0020A209), ref: 0020A202

__vbaStrMove.MSVBVM60 ref: 0026A427
__vbaFreeStrList.MSVBVM60(00000009,?,?,?,?,?,?,?,?,?), ref: 0026A44F
__vbaFreeVar.MSVBVM60 ref: 0026A45B

Strings

`bm, xrefs: 0026A45B

Memory Dump Source

Source File: 00000000.00000002.1375462713.0000000000011000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1375436874.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375530743.000000000001E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375656335.000000000001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375656335.0000000000130000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376345270.000000000026E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376345270.0000000000272000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376574614.0000000000273000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_tb4B9ni6vl.jbxd

Similarity

API ID: __vba$Move$Free$List$#632#653
String ID: `bm
API String ID: 193477259-121691798
Opcode ID: 51408199163d271c01831ae2f675d8e370d5bf7c60ca3d02734a7cdcba120f5b
Instruction ID: 028db7edefae56df10169fe0903c10b3e845c3bde4d0f46cfbffc34e09037422
Opcode Fuzzy Hash: 51408199163d271c01831ae2f675d8e370d5bf7c60ca3d02734a7cdcba120f5b
Instruction Fuzzy Hash: CA41DEB1D10258ABDB15EFA9DC45DEEBBB9EF88700F10811BF502A7240DAB45945CFA1

Function 0020A0E0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60(6D53D8B1,6D52A323), ref: 0020A123
#653.MSVBVM60(?,?), ref: 0020A131
__vbaI4Var.MSVBVM60(?), ref: 0020A13B
__vbaFreeVar.MSVBVM60 ref: 0020A154
#632.MSVBVM60(?,?,?,?), ref: 0020A190
__vbaVarCat.MSVBVM60(?,?,00000008), ref: 0020A1A2
__vbaStrVarMove.MSVBVM60(00000000), ref: 0020A1A9
__vbaStrMove.MSVBVM60 ref: 0020A1B4
__vbaFreeVarList.MSVBVM60(00000003,00000002,?,?), ref: 0020A1C4
__vbaFreeVar.MSVBVM60(0020A209), ref: 0020A202

Strings

`bm, xrefs: 0020A154, 0020A202

Memory Dump Source

Source File: 00000000.00000002.1375656335.0000000000130000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1375436874.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375462713.0000000000011000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375530743.000000000001E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375656335.000000000001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376345270.000000000026E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376345270.0000000000272000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376574614.0000000000273000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_tb4B9ni6vl.jbxd

Similarity

API ID: __vba$Free$Move$#632#653List
String ID: `bm
API String ID: 1043057846-121691798
Opcode ID: a4b9dbc8b4ba3e585ce96689d9122515de745c66ab3831d1baa4fd4e26185987
Instruction ID: 76f49264fa07c1e74b39e93e53a64aa378f967a6a34ece6eb89769c0e81c1968
Opcode Fuzzy Hash: a4b9dbc8b4ba3e585ce96689d9122515de745c66ab3831d1baa4fd4e26185987
Instruction Fuzzy Hash: 05310AB1C0020DAFDB19DFE4D888AEEBBB8FB48704F10C119E626A3255EB745649CF50

Function 00206DB0 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

#644.MSVBVM60(?,00206BA0,00000001,6D60EC2C,00000000,?,?,?,?,?,?,00011406), ref: 00206E07
#644.MSVBVM60(00000001,?,?,?,?,?,?,00011406), ref: 00206E12
#644.MSVBVM60(00000000,00000000,00000000,?,?,?,?,?,?,00011406), ref: 00206E24
#644.MSVBVM60(-00000004,00000000,00000000,00000004,?,?,?,?,?,?,00011406), ref: 00206E42

Memory Dump Source

Source File: 00000000.00000002.1375656335.0000000000130000.00000020.00000001.01000000.00000003.sdmp, Offset: 00010000, based on PE: true

Associated: 00000000.00000002.1375436874.0000000000010000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375462713.0000000000011000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375530743.000000000001E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375656335.000000000001F000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376345270.000000000026E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376345270.0000000000272000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1376574614.0000000000273000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000_tb4B9ni6vl.jbxd

Similarity

API ID: #644
String ID:
API String ID: 700137900-0
Opcode ID: 3d6b3a216c140c8b9bf10cf16ee8f287e9d222b8c92aeed291acc35493463c1e
Instruction ID: a1a38de030ae9f993939cb12c3a59f65072005312bf82dddf2f50ed0e89e8042
Opcode Fuzzy Hash: 3d6b3a216c140c8b9bf10cf16ee8f287e9d222b8c92aeed291acc35493463c1e
Instruction Fuzzy Hash: 6611E7B8D10304AFCB00EB78DD49EAA7BFDEB49700F00815AF501E3292D6B45D118BB1

Analysis Process: RegAsm.exePID: 7844, Parent PID: 7712COMMON

Execution Graph

Execution Coverage:	8.6%
Dynamic/Decrypted Code Coverage:	37.8%
Signature Coverage:	8.1%
Total number of Nodes:	37
Total number of Limit Nodes:	5

Executed Functions

Function 02207070 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 022070E7

Strings

D7/o, xrefs: 0220708A

Memory Dump Source

Source File: 00000002.00000002.3763699250.0000000002200000.00000040.00000800.00020000.00000000.sdmp, Offset: 02200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2200000_RegAsm.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID: D7/o
API String ID: 3662101638-3674712007
Opcode ID: e0826d01d2389598c65d30db1bd5ffd11120749d66ff5b7f07e13aa3ee1762c2
Instruction ID: 9165180e2afc10761ad91daaeca7561f790dc0165faf9a46d01ea339b48df103
Opcode Fuzzy Hash: e0826d01d2389598c65d30db1bd5ffd11120749d66ff5b7f07e13aa3ee1762c2
Instruction Fuzzy Hash: DA2159B2D00259CFCB14CF9AD484BEEFBF4AF48220F14841AE454A3240C778A944CF61

Function 02204A88 Relevance: 2.8, Strings: 2, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D7/o, xrefs: 02204AA7
D7/o, xrefs: 02204AC7

Memory Dump Source

Source File: 00000002.00000002.3763699250.0000000002200000.00000040.00000800.00020000.00000000.sdmp, Offset: 02200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2200000_RegAsm.jbxd

Similarity

API ID:
String ID: D7/o$D7/o
API String ID: 0-3827964196
Opcode ID: d4aad1649123c743d4671d1e307f28bb5698aeb6a9fd9f94a3088003758e4f69
Instruction ID: a8a239a20f244fdcc81f3a18b849a4bd2a8bec554a965d19affeb88c9ef1f4e8
Opcode Fuzzy Hash: d4aad1649123c743d4671d1e307f28bb5698aeb6a9fd9f94a3088003758e4f69
Instruction Fuzzy Hash: 51B17F74E1020A8FDB14DFE9C8C179DBBF2BF88714F14C129E515A7299EB749845CB81

Function 02203E70 Relevance: 2.7, Strings: 2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D7/o, xrefs: 02203EAF
D7/o, xrefs: 02203E8F

Memory Dump Source

Source File: 00000002.00000002.3763699250.0000000002200000.00000040.00000800.00020000.00000000.sdmp, Offset: 02200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2200000_RegAsm.jbxd

Similarity

API ID:
String ID: D7/o$D7/o
API String ID: 0-3827964196
Opcode ID: 25d3da4a4668a267bf624e409057c7a3f687b005d7519d492bb488cc6dda95ab
Instruction ID: f9950dba8e3f4d3ba201106ca8b936a31b3744a03fcb8073e49c667f74f6f868
Opcode Fuzzy Hash: 25d3da4a4668a267bf624e409057c7a3f687b005d7519d492bb488cc6dda95ab
Instruction Fuzzy Hash: A5916C70E1020ACFDB14DFE9D9857AEFBF2BF88314F148129E414A7299EB749845CB81

Function 0220A6BD Relevance: 2.7, Instructions: 2733COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3763699250.0000000002200000.00000040.00000800.00020000.00000000.sdmp, Offset: 02200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2200000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 568567631c1e7d15d52ab0f8fede8f5f3cbe9d3a7da80d822924663d2c134502
Instruction ID: 98c5cb09901bcc422eaf672cf2c42e860f5f06b9983b4d41970db0c654fa4b43
Opcode Fuzzy Hash: 568567631c1e7d15d52ab0f8fede8f5f3cbe9d3a7da80d822924663d2c134502
Instruction Fuzzy Hash: F953F831C10B1A8ACB11EFA8C890699F7B1FF99300F51D79AE45977125FB70AAD4CB81

Function 0220D890 Relevance: 2.3, Instructions: 2287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3763699250.0000000002200000.00000040.00000800.00020000.00000000.sdmp, Offset: 02200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2200000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3029f5ba5df96ee2214b22958df3c16cd284a5301284040b9bb1fd2b91ec8f18
Instruction ID: c94e33745f88c4efabbe2f529ee83f5c6d1973e549e1005eaae19d3b97f71652
Opcode Fuzzy Hash: 3029f5ba5df96ee2214b22958df3c16cd284a5301284040b9bb1fd2b91ec8f18
Instruction Fuzzy Hash: 48332F31D1071A8EDB11EFA8C8806ADF7B1FF89300F15C69AD459B7265EB70AAC5CB41

Function 00445B79 Relevance: 1.5, APIs: 1, Instructions: 9
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL ref: 00445B79

Memory Dump Source

Source File: 00000002.00000002.3762739371.0000000000442000.00000040.80000000.00040000.00000000.sdmp, Offset: 00442000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_442000_RegAsm.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 15c17c5efd1e4e0c98527a4d8d67195ebc9f1ff02e3a1a1ed02da13f8d6b031d
Instruction ID: e007aaf93056af3a4acd6733d2c36c7ee5bac758b90c0c71f72701d2c00de0c9
Opcode Fuzzy Hash: 15c17c5efd1e4e0c98527a4d8d67195ebc9f1ff02e3a1a1ed02da13f8d6b031d
Instruction Fuzzy Hash: 9BC040305044C6DBAF04C795C444EA87770B704388F1404959456D7552D774BA45D71F

Function 05C81130 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3766067277.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c80000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd6d18558e44ad576a0cfcb277eeae8b8299ffa764ed0858827f10944085fdf9
Instruction ID: f230d72e9a2f082449d9d5ff206d11d7555fa4c428b7b5e3e74b50acc4aaeaed
Opcode Fuzzy Hash: fd6d18558e44ad576a0cfcb277eeae8b8299ffa764ed0858827f10944085fdf9
Instruction Fuzzy Hash: 9A322F30E107198FDB14EB69C8946ADB7B2FF89300F5586A9D409AB254EF70AA85CF50

Function 05C83A88 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3766067277.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c80000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0c1af3711c9881fb94f5f1f1c6c0e805570103eb84786f636e02cb9933bfcc9
Instruction ID: fe92619650b79b099189f374af111e602b9d1916b653c37b5cbd7827391de8ff
Opcode Fuzzy Hash: a0c1af3711c9881fb94f5f1f1c6c0e805570103eb84786f636e02cb9933bfcc9
Instruction Fuzzy Hash: EC029030B002159FDB14EB68D890A7EBBE2FF84704F148969D406EB355DB75ED42CB90

Function 05C8A6BA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 05C8A73E
GetCurrentThread.KERNEL32 ref: 05C8A77B
GetCurrentProcess.KERNEL32 ref: 05C8A7B8
GetCurrentThreadId.KERNEL32 ref: 05C8A811

Strings

D7/o, xrefs: 05C8A6DC

Memory Dump Source

Source File: 00000002.00000002.3766067277.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c80000_RegAsm.jbxd

Similarity

API ID: Current$ProcessThread
String ID: D7/o
API String ID: 2063062207-3674712007
Opcode ID: dafd2e3a24f597098121d6f2842a1fee345ea770bfad9051177831f202128f11
Instruction ID: afe90df47b426d46b67b442ab57be3646f9805dfc823e0b6d1b968fd13bd410a
Opcode Fuzzy Hash: dafd2e3a24f597098121d6f2842a1fee345ea770bfad9051177831f202128f11
Instruction Fuzzy Hash: BA5155B49007498FDB14DFAAD988BAEBBF1FF48314F248819E019A7350DB746A44CB65

Function 05C8A6C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 05C8A73E
GetCurrentThread.KERNEL32 ref: 05C8A77B
GetCurrentProcess.KERNEL32 ref: 05C8A7B8
GetCurrentThreadId.KERNEL32 ref: 05C8A811

Strings

D7/o, xrefs: 05C8A6DC

Memory Dump Source

Source File: 00000002.00000002.3766067277.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c80000_RegAsm.jbxd

Similarity

API ID: Current$ProcessThread
String ID: D7/o
API String ID: 2063062207-3674712007
Opcode ID: 86d8c5616554e9b4168e2d52ae5d4b3d700a297733be6ba34311702913f8dbbe
Instruction ID: 407252cfdd9e3d3c25a4267af20cd47bee45d2569532603ba105a8eafc14833d
Opcode Fuzzy Hash: 86d8c5616554e9b4168e2d52ae5d4b3d700a297733be6ba34311702913f8dbbe
Instruction Fuzzy Hash: A15165B49007498FDB14DFAAD988BAEBBF1FF48314F248819E019A7350DB746A44CB65

Function 0220706A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 022070E7

Strings

D7/o, xrefs: 0220708A

Memory Dump Source

Source File: 00000002.00000002.3763699250.0000000002200000.00000040.00000800.00020000.00000000.sdmp, Offset: 02200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2200000_RegAsm.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID: D7/o
API String ID: 3662101638-3674712007
Opcode ID: 6ef532ed52d35b9d330b4047d22777375099476639c10d9d254d635f837fab62
Instruction ID: 836f313db17f755da1bb3ba26501d0b4dfc85515f90f8c97bc7f6e2ba2436c6b
Opcode Fuzzy Hash: 6ef532ed52d35b9d330b4047d22777375099476639c10d9d254d635f837fab62
Instruction Fuzzy Hash: D62148B2D00259CFCB14CF9AD884BEEFBF5AF48220F14842AE855A7250C778A944CF61

Function 05C8A900 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05C8A98F

Strings

D7/o, xrefs: 05C8A927

Memory Dump Source

Source File: 00000002.00000002.3766067277.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c80000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID: D7/o
API String ID: 3793708945-3674712007
Opcode ID: 3a3f2cd52acfea1eb54016426446ac43078c476ab4f25ac7e090c88acb9e00f1
Instruction ID: 46f4ec1909210ebc41960f9c8c6c39d4df5e371657c0c8d391024fc41af5d4e8
Opcode Fuzzy Hash: 3a3f2cd52acfea1eb54016426446ac43078c476ab4f25ac7e090c88acb9e00f1
Instruction Fuzzy Hash: 9021D4B5D052489FDB10CF9AD984AEEBBF5FB48320F14841AE954A3310D374A944CF65

Function 05C8A908 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05C8A98F

Strings

D7/o, xrefs: 05C8A927

Memory Dump Source

Source File: 00000002.00000002.3766067277.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c80000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID: D7/o
API String ID: 3793708945-3674712007
Opcode ID: d80339279ecd44af7e550ce2ab2eb0a53294e434b96c136ee823c9c2da5d99da
Instruction ID: 7ebad6cf988fba9388e6638e9852a07e7bac3260351333a3089b4fec0117e609
Opcode Fuzzy Hash: d80339279ecd44af7e550ce2ab2eb0a53294e434b96c136ee823c9c2da5d99da
Instruction Fuzzy Hash: CC21E3B59002489FDB10CF9AD984BEEFBF4FB48320F14841AE954A3310D374A944CFA5

Function 0213D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3763450196.000000000213D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0213D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_213d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34082570b0bc4489f125153085849690b8c0b100f8364ab44f0729a7f1ffb5b9
Instruction ID: 7696fb01a1767ccae6d627065d1ac74333c8cff7a34f619100f8d46ce158efb5
Opcode Fuzzy Hash: 34082570b0bc4489f125153085849690b8c0b100f8364ab44f0729a7f1ffb5b9
Instruction Fuzzy Hash: 402134B1644340DFDB16DF20E9C0B26BBA2FB84B14F24C56DD84A4B246C33AD847CA62

Function 0213D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3763450196.000000000213D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0213D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_213d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3860dea56daf856edb53f0aa3dd63235f66e8a2a3fd6207865f101e13cbdcdb4
Instruction ID: bc9bcd779a3bc2215004fca89db8c730ec0a31dde96ecf853b43cb46520ac6b5
Opcode Fuzzy Hash: 3860dea56daf856edb53f0aa3dd63235f66e8a2a3fd6207865f101e13cbdcdb4
Instruction Fuzzy Hash: EE2180755483809FCB03CF24D994B11BF71EB46614F28C5EAD8498F267C33A985ACB62

Non-executed Functions

Function 022041B8 Relevance: 2.8, Strings: 2, Instructions: 281COMMON

Download Yara Rule

Strings

D7/o, xrefs: 022041F7
D7/o, xrefs: 022041D7

Memory Dump Source

Source File: 00000002.00000002.3763699250.0000000002200000.00000040.00000800.00020000.00000000.sdmp, Offset: 02200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2200000_RegAsm.jbxd

Similarity

API ID:
String ID: D7/o$D7/o
API String ID: 0-3827964196
Opcode ID: f6187b091ccd2257f98e6657ac7395b3517570275597bd137cad799d6a4a91f3
Instruction ID: fbd00be498e0d97932e2f43c3949604ad3cb1306a7ea822b58cdd5da79183ba6
Opcode Fuzzy Hash: f6187b091ccd2257f98e6657ac7395b3517570275597bd137cad799d6a4a91f3
Instruction Fuzzy Hash: 7DB17070E1020A8FDB10DFE9D88179EBBF2BF88314F14C129D915AB299EB749841CF81

Function 05C833A0 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3766067277.0000000005C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_5c80000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 244c89b6500123e86f82d863fad6dfd94d55aba67425bf0372212191bce1990c
Instruction ID: ee01d79afa35bffb1447a1cd4c3af0124d226ac69d8590f7c78cc861244deef2
Opcode Fuzzy Hash: 244c89b6500123e86f82d863fad6dfd94d55aba67425bf0372212191bce1990c
Instruction Fuzzy Hash: 41125F30A00259CFDB24EF69C854BADB7F2BF85704F209969D406AB355DB309D85CF90

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tb4B9ni6vl.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\bb7e5d0cf2dfb2b59be71d56e848e059_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
tb4B9ni6vl.exe

Function 009B28B2 Relevance: 28.4, APIs: 10, Strings: 6, Instructions: 363
nativeCOMMON

Function 009B28EC Relevance: 26.6, APIs: 10, Strings: 5, Instructions: 369
nativethreadprocessCOMMON

Function 002058FB Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 153
nativememoryCOMMON

Function 0026C1F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25
nativeCOMMON

Function 002062F0 Relevance: 186.2, APIs: 102, Strings: 4, Instructions: 674
librarymemoryloaderCOMMON

Function 0001B309 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31
COMMON

Function 0001AB7C Relevance: 59.6, APIs: 22, Strings: 12, Instructions: 134
COMMON

Function 02207070 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Function 02204A88 Relevance: 2.8, Strings: 2, Instructions: 266
COMMON

Function 02203E70 Relevance: 2.7, Strings: 2, Instructions: 238
COMMON

Function 00445B79 Relevance: 1.5, APIs: 1, Instructions: 9
memorynativeCOMMON

Function 05C8A6BA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129
threadCOMMON

Function 05C8A6C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Function 0220706A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Function 05C8A900 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
COMMON