Edit tour

Windows Analysis Report
rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

Overview

General Information

Sample name:	rOLZ579082-GHJ678992-PLRZ9000W029W00.exe
Analysis ID:	1544766
MD5:	e38004414de6dde9350bb396dbee11e9
SHA1:	f176f657829861a5734668ce574a91b625da57d3
SHA256:	f5f0157aa26d0065a29b169008f4c5aac3c319d0dbd8010a6f8c8db3837f63d1
Tags:	exeuser-Porcupine
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

AI detected suspicious sample

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses SMTP (mail sending)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

rOLZ579082-GHJ678992-PLRZ9000W029W00.exe (PID: 6556 cmdline: "C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe" MD5: E38004414DE6DDE9350BB396DBEE11E9)

RegSvcs.exe (PID: 7112 cmdline: "C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "cp8nl.hyperhost.ua", "Username": "absach@genesio.top", "Password": "@qwerty90123        "}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2932585654.00000000026CE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2932585654.00000000026F9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2931647950.0000000000392000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2931647950.0000000000392000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2932585654.0000000002681000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2932585654.0000000002681000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 7112	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7112	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.RegSvcs.exe.390000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
4.2.RegSvcs.exe.390000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
4.2.RegSvcs.exe.390000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x33e4f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x33ec1:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x33f4b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33fdd:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x34047:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x340b9:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x3414f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x341df:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 185.174.175.187, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7112, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 4.2.RegSvcs.exe.390000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "cp8nl.hyperhost.ua", "Username": "absach@genesio.top", "Password": "@qwerty90123 "}

Multi AV Scanner detection for submitted file

Source: rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

Joe Sandbox ML: detected

Source: rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 185.174.175.187:587

Source: Joe Sandbox View

IP Address: 185.174.175.187 185.174.175.187

Source: Joe Sandbox View

ASN Name: ITLDC-NLUA ITLDC-NLUA

Source: global traffic

TCP traffic: 192.168.2.4:49736 -> 185.174.175.187:587

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: cp8nl.hyperhost.ua

Source: RegSvcs.exe, 00000004.00000002.2932585654.00000000026D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cp8nl.hyperhost.ua
Source: RegSvcs.exe, 00000004.00000002.2932585654.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2934424598.0000000005A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe, 00000004.00000002.2934424598.0000000005A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe, 00000004.00000002.2932585654.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2934424598.0000000005A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: RegSvcs.exe, 00000004.00000002.2932585654.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2934424598.0000000005A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: RegSvcs.exe, 00000004.00000002.2932585654.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2934424598.0000000005A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: RegSvcs.exe, 00000004.00000002.2931647950.0000000000392000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: RegSvcs.exe, 00000004.00000002.2932585654.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2934424598.0000000005A70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.RegSvcs.exe.390000.0.unpack, type: UNPACKEDPE

Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00C54A98	4_2_00C54A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00C53E80	4_2_00C53E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00C5CEA0	4_2_00C5CEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00C5C0BC	4_2_00C5C0BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00C541C8	4_2_00C541C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_00C5A632	4_2_00C5A632

Source: rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 4.2.RegSvcs.exe.390000.0.unpack, type: UNPACKEDPE

Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/1@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

File created: C:\Users\user\AppData\Local\Temp\lustring

Jump to behavior

Source: rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

ReversingLabs: Detection: 23%

Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

File read: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe "C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe"
Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe"
Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

Static file information: File size 1156309 > 1048576

Source: rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

Static PE information: real checksum: 0xa2135 should be: 0x122b7b

Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

API/Special instruction interceptor: Address: 3E8D844

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1300			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6041			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99873	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98969	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98859	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98750	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98531	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98422	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98094	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97766	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97641	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97516	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96953	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96844	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96719	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96609	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96495	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96391	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96281	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96172	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96062	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000004.00000002.2934424598.0000000005A70000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllXs<

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 591008

Jump to behavior

Source: C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe"

Jump to behavior

Source: rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 4.2.RegSvcs.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2932585654.00000000026CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2932585654.00000000026F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2931647950.0000000000392000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2932585654.0000000002681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7112, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 4.2.RegSvcs.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2931647950.0000000000392000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2932585654.0000000002681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7112, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 4.2.RegSvcs.exe.390000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2932585654.00000000026CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2932585654.00000000026F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2931647950.0000000000392000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2932585654.0000000002681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7112, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	212 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	211 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	121 Virtualization/Sandbox Evasion	1 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	212 Process Injection	Security Account Manager	121 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	124 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rOLZ579082-GHJ678992-PLRZ9000W029W00.exe	24%	ReversingLabs	Win32.Trojan.Generic
rOLZ579082-GHJ678992-PLRZ9000W029W00.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://account.dyn.com/	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cp8nl.hyperhost.ua	185.174.175.187	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#	RegSvcs.exe, 00000004.00000002.2932585654.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2934424598.0000000005A70000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://sectigo.com/CPS0	RegSvcs.exe, 00000004.00000002.2932585654.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2934424598.0000000005A70000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://account.dyn.com/	RegSvcs.exe, 00000004.00000002.2931647950.0000000000392000.00000040.80000000.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	RegSvcs.exe, 00000004.00000002.2932585654.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000004.00000002.2934424598.0000000005A70000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://cp8nl.hyperhost.ua	RegSvcs.exe, 00000004.00000002.2932585654.00000000026D6000.00000004.00000800.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.174.175.187	cp8nl.hyperhost.ua	Ukraine		21100	ITLDC-NLUA	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544766
Start date and time:	2024-10-29 18:01:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rOLZ579082-GHJ678992-PLRZ9000W029W00.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/1@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 6 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

Simulations

Behavior and APIs

Time	Type	Description
13:02:52	API Interceptor	36x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.174.175.187	rPGI786687-7688Q21-SWYPPJIK89900.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.BackDoor.SpyBotNET.62.1543.28282.exe	Get hash	malicious	AgentTesla	Browse
	rPDG8838EHU0309-XYSUJ288399-PQSHXII399.exe	Get hash	malicious	AgentTesla	Browse
	MBD573792309-CGO7238929273-XDG02823929.exe	Get hash	malicious	AgentTesla	Browse
	rSCV6239027-FLPEW828938-X2YUSJPPID20DK.exe	Get hash	malicious	AgentTesla	Browse
	z1RFT798549034687-HJW90789-VXT9KGUINUII.exe	Get hash	malicious	AgentTesla	Browse
	rDFO68936OF-WVHU0780-FUIKTU4678G.exe	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.FileRepMalware.14031.20391.exe	Get hash	malicious	AgentTesla	Browse
	MJI5380328-PQX82938839039-HW7V89292999.exe	Get hash	malicious	AgentTesla	Browse
	rMBP0835T67-H7D67889677-VFD899U8889990998Y.exe	Get hash	malicious	AgentTesla	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cp8nl.hyperhost.ua	rPGI786687-7688Q21-SWYPPJIK89900.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	SecuriteInfo.com.BackDoor.SpyBotNET.62.1543.28282.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	rPDG8838EHU0309-XYSUJ288399-PQSHXII399.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	MBD573792309-CGO7238929273-XDG02823929.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	rSCV6239027-FLPEW828938-X2YUSJPPID20DK.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	z1RFT798549034687-HJW90789-VXT9KGUINUII.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	rDFO68936OF-WVHU0780-FUIKTU4678G.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	SecuriteInfo.com.FileRepMalware.14031.20391.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	MJI5380328-PQX82938839039-HW7V89292999.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	rMBP0835T67-H7D67889677-VFD899U8889990998Y.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ITLDC-NLUA	rPGI786687-7688Q21-SWYPPJIK89900.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	SecuriteInfo.com.BackDoor.SpyBotNET.62.1543.28282.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	ekte.exe	Get hash	malicious	FormBook	Browse	185.174.173.22
	rPDG8838EHU0309-XYSUJ288399-PQSHXII399.exe	Get hash	malicious	AgentTesla	Browse	185.174.175.187
	DHL TRACKING NUMBER.com.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	217.12.218.219
	EKTEDIR.exe	Get hash	malicious	FormBook	Browse	185.174.173.22
	UUNbg1gvrR.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	217.12.218.219
	Quote101024.doc	Get hash	malicious	VIP Keylogger	Browse	217.12.218.219
	99HGuuYvKA.exe	Get hash	malicious	AgentTesla	Browse	185.174.173.22
	sse5JV1aR1.exe	Get hash	malicious	FormBook	Browse	185.174.173.22

Process:	C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe
File Type:	data
Category:	dropped
Size (bytes):	242688
Entropy (8bit):	6.650859951959103
Encrypted:	false
SSDEEP:	3072:22dAOUxqGiM2zU6trLYd84y5V43ELshjIK4YMIyy+yPNHe88X7Cm1Z5S:22uO8ixJdYd8niHcHYMIyy+yPkX7C9
MD5:	27FC605521BFB7E0381EE041B9B2C0D4
SHA1:	600D790FCD8B48A0F9E27228702EBACF45A1E70A
SHA-256:	B3E66A7E11F2169CEFE757A2BE7E27BE57C1A0F2627CEA3799DAF83DC3725D13
SHA-512:	BC367CF83DC47DECDBF431E9F47057C8CD96FB68310079A8A6FC344FB610DD07C8926BD425FCF3931C1E762E43DEC98177EA519E38829D5559070498AE97000F
Malicious:	false
Reputation:	low
Preview:	ub.UOXQHKHWD..KR.8MULXQH.HWDFCKR88MULXQHOHWDFCKR88MULXQHOHWD.CKR6'.[L.X.n.V..b.:QKm%>76:.%w''-%=L./0l$&o!9d...rUW)0bU\BkHWDFCKRh}MU.YRH{.."FCKR88MU.XSIDI\DF.HR80MULXQH.TDFcKR8.NULX.HOhWDFAKR<8MULXQHKHWDFCKR8.IULZQHOHWDDC..88]ULHQHOHGDFSKR88MU\XQHOHWDFCKRp.NU.XQHO.TD.FKR88MULXQHOHWDFCKR88IU@XQHOHWDFCKR88MULXQHOHWDFCKR88MULXQHOHWDFCKR88MULXQHOhWDNCKR88MULXQHGhWD.CKR88MULXQHa<2<2CKR..NULxQHO.TDFAKR88MULXQHOHWDfCK2.J>'/XQH.MWDF.HR8>MUL.RHOHWDFCKR88MU.XQ.a:2() KR48MULXUHOJWDF.HR88MULXQHOHWD.CK.88MULXQHOHWDFCKR..NULXQH.HWDDCNRh.OU.kPHLHWDGCKT88MULXQHOHWDFCKR88MULXQHOHWDFCKR88MULXQHOHWDFCKR%....v.5iN$D.t._.V..B..1..I.^.C,....\.....a6M.q8.Z\|..F...6.Z=AL....w(\5H+.%.7,.Q....uv0...TV.7.../z.&Q`.j....n....G;....7..[W {-(!$f.% "9;.:.TLXQH........Q@..a[^V{Z/.....*5....1HWD"CKRJ8MU-XQH.HWD)CKRV8MU2XQH1HWD.CKRx8MU{XQHjHWD+CKR.8MU2XQH.5XK..;K..ULXQHz..t....g.b..~>.).${...\....T..G?.1.....C.3..X.<Be..U9>IPN_UKCuY....s:<IPN_UKCuY....s...u..>...9..88MULX.HO.WDF..R.8MU.X.H..WDF.R.8.U...H

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.3046380578113155
TrID:	Win32 Executable (generic) a (10002005/4) 95.11% AutoIt3 compiled script executable (510682/80) 4.86% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rOLZ579082-GHJ678992-PLRZ9000W029W00.exe
File size:	1'156'309 bytes
MD5:	e38004414de6dde9350bb396dbee11e9
SHA1:	f176f657829861a5734668ce574a91b625da57d3
SHA256:	f5f0157aa26d0065a29b169008f4c5aac3c319d0dbd8010a6f8c8db3837f63d1
SHA512:	3a31c43f0f89141ce31df77d85b9dbdc0b8c980256797c58198bdf65e2cc36f7bd442dfc49e5a80b4ded0304e5bac8de99202a6cbab7cc244a0b356ac59fa535
SSDEEP:	24576:6fmMv6Ckr7Mny5Qc/D6/XpKTeGUeUwsqOn:63v+7/5Qc/uXMJhBY
TLSH:	F635CE12B2C680F2ED6336B11D37F3269A357D190236CC8FAFA53A768E32141563675E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........

File Icon


Icon Hash:	2c921a29238ccd4c

Static PE Info

General

Entrypoint:	0x416310
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	aaaa8913c89c8aa4a5d93f06853894da

Entrypoint Preview

Instruction
call 00007F2114FBFA3Ch
jmp 00007F2114FB380Eh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F2114FB399Ah
cmp edi, eax
jc 00007F2114FB3B3Ah
cmp ecx, 00000100h
jc 00007F2114FB39B1h
cmp dword ptr [004A94E0h], 00000000h
je 00007F2114FB39A8h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007F2114FB399Ah
pop esi
pop edi
pop ebp
jmp 00007F2114FB3DFAh
test edi, 00000003h
jne 00007F2114FB39A7h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007F2114FB39BCh
rep movsd
jmp dword ptr [00416494h+edx*4]
nop
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007F2114FB399Eh
and eax, 03h
add ecx, eax
jmp dword ptr [004163A8h+eax*4]
jmp dword ptr [004164A4h+ecx*4]
nop
jmp dword ptr [00416428h+ecx*4]
nop
mov eax, E4004163h
arpl word ptr [ecx+00h], ax
or byte ptr [ecx+eax*2+00h], ah
and edx, ecx
mov al, byte ptr [esi]
mov byte ptr [edi], al
mov al, byte ptr [esi+01h]
mov byte ptr [edi+01h], al
mov al, byte ptr [esi+02h]
shr ecx, 02h
mov byte ptr [edi+02h], al
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007F2114FB395Eh

Rich Headers

Programming Language:

[ASM] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[ C ] VS2005 build 50727
[IMP] VS2005 build 50727
[ASM] VS2008 build 21022
[RES] VS2008 build 21022
[LNK] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8cd3c	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xab000	0x12ac8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x82000	0x840	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x80017	0x80200	6c20c6bf686768b6f134f5bd508171bc	False	0.5602991615853659	data	6.634688230255595	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x82000	0xd95c	0xda00	f979966509a93083729d23cdfd2a6f2d	False	0.36256450688073394	data	4.880040824124099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x90000	0x1a518	0x6800	e5d77411f751d28c6eee48a743606795	False	0.1600060096153846	data	2.2017649896261107	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xab000	0x12ac8	0x12c00	44a7c9b56bdda85725656717d1507557	False	0.15942708333333333	data	3.801227199599993	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xab448	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xab570	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xab698	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xab7c0	0xfc08	Device independent bitmap graphic, 150 x 208 x 32, image size 62400, resolution 3779 x 3779 px/m	English	Great Britain	0.1332920024798512
RT_MENU	0xbb3c8	0x50	data	English	Great Britain	0.9
RT_DIALOG	0xbb418	0xfc	data	English	Great Britain	0.6507936507936508
RT_STRING	0xbb518	0x530	data	English	Great Britain	0.33960843373493976
RT_STRING	0xbba48	0x690	data	English	Great Britain	0.26964285714285713
RT_STRING	0xbc0d8	0x43a	data	English	Great Britain	0.3733826247689464
RT_STRING	0xbc518	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xbcb18	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xbd178	0x388	data	English	Great Britain	0.377212389380531
RT_STRING	0xbd500	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	United States	0.502906976744186
RT_GROUP_ICON	0xbd658	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xbd670	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0xbd688	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0xbd6a0	0x14	data	English	Great Britain	1.25
RT_VERSION	0xbd6b8	0x19c	data	English	Great Britain	0.5339805825242718
RT_MANIFEST	0xbd858	0x26c	ASCII text, with CRLF line terminators	English	United States	0.5145161290322581

Imports

DLL	Import
WSOCK32.dll	__WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll	VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll	WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll	InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL	EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll	CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll	HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll	SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
GDI32.dll	DeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
SHELL32.dll	DragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
OLEAUT32.dll	SafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 18:02:53.693169117 CET	49736	587	192.168.2.4	185.174.175.187
Oct 29, 2024 18:02:53.698625088 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:53.698724031 CET	49736	587	192.168.2.4	185.174.175.187
Oct 29, 2024 18:02:54.670732021 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:54.672415018 CET	49736	587	192.168.2.4	185.174.175.187
Oct 29, 2024 18:02:54.677962065 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:54.918013096 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:54.926179886 CET	49736	587	192.168.2.4	185.174.175.187
Oct 29, 2024 18:02:54.931672096 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:55.173388958 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:55.185347080 CET	49736	587	192.168.2.4	185.174.175.187
Oct 29, 2024 18:02:55.190803051 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:55.438575029 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:55.438600063 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:55.438616037 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:55.438632965 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:55.438663006 CET	49736	587	192.168.2.4	185.174.175.187
Oct 29, 2024 18:02:55.439666033 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:55.439692974 CET	49736	587	192.168.2.4	185.174.175.187
Oct 29, 2024 18:02:55.457372904 CET	49736	587	192.168.2.4	185.174.175.187
Oct 29, 2024 18:02:55.462778091 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:55.703121901 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:55.719317913 CET	49736	587	192.168.2.4	185.174.175.187
Oct 29, 2024 18:02:55.724692106 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:55.965152025 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:55.966147900 CET	49736	587	192.168.2.4	185.174.175.187
Oct 29, 2024 18:02:55.971673012 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:56.214587927 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:56.214857101 CET	49736	587	192.168.2.4	185.174.175.187
Oct 29, 2024 18:02:56.220242023 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:56.488490105 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:56.488871098 CET	49736	587	192.168.2.4	185.174.175.187
Oct 29, 2024 18:02:56.494313955 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:56.734293938 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:56.734565973 CET	49736	587	192.168.2.4	185.174.175.187
Oct 29, 2024 18:02:56.740009069 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:56.999838114 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:57.001315117 CET	49736	587	192.168.2.4	185.174.175.187
Oct 29, 2024 18:02:57.006694078 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:57.246604919 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:57.247342110 CET	49736	587	192.168.2.4	185.174.175.187
Oct 29, 2024 18:02:57.247442007 CET	49736	587	192.168.2.4	185.174.175.187
Oct 29, 2024 18:02:57.247442007 CET	49736	587	192.168.2.4	185.174.175.187
Oct 29, 2024 18:02:57.247442007 CET	49736	587	192.168.2.4	185.174.175.187
Oct 29, 2024 18:02:57.253109932 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:57.253119946 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:57.253128052 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:57.253137112 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:57.556453943 CET	587	49736	185.174.175.187	192.168.2.4
Oct 29, 2024 18:02:57.603060961 CET	49736	587	192.168.2.4	185.174.175.187

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 18:02:53.644998074 CET	55460	53	192.168.2.4	1.1.1.1
Oct 29, 2024 18:02:53.656836987 CET	53	55460	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 29, 2024 18:02:53.644998074 CET	192.168.2.4	1.1.1.1	0x13f0	Standard query (0)	cp8nl.hyperhost.ua	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 29, 2024 18:02:53.656836987 CET	1.1.1.1	192.168.2.4	0x13f0	No error (0)	cp8nl.hyperhost.ua		185.174.175.187	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 29, 2024 18:02:54.670732021 CET	587	49736	185.174.175.187	192.168.2.4	220-cp8nl.hyperhost.ua ESMTP Exim 4.98 #2 Tue, 29 Oct 2024 19:02:54 +0200 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Oct 29, 2024 18:02:54.672415018 CET	49736	587	192.168.2.4	185.174.175.187	EHLO 927537
Oct 29, 2024 18:02:54.918013096 CET	587	49736	185.174.175.187	192.168.2.4	250-cp8nl.hyperhost.ua Hello 927537 [173.254.250.72] 250-SIZE 52428800 250-LIMITS MAILMAX=1000 RCPTMAX=50000 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-STARTTLS 250 HELP
Oct 29, 2024 18:02:54.926179886 CET	49736	587	192.168.2.4	185.174.175.187	STARTTLS
Oct 29, 2024 18:02:55.173388958 CET	587	49736	185.174.175.187	192.168.2.4	220 TLS go ahead

Target ID:	0
Start time:	13:02:00
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe"
Imagebase:	0x400000
File size:	1'156'309 bytes
MD5 hash:	E38004414DE6DDE9350BB396DBEE11E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:02:51
Start date:	29/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rOLZ579082-GHJ678992-PLRZ9000W029W00.exe"
Imagebase:	0x2c0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2932585654.00000000026CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2932585654.00000000026F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2931647950.0000000000392000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2931647950.0000000000392000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2932585654.0000000002681000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2932585654.0000000002681000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	4
Total number of Limit Nodes:	0

Executed Functions

Function 00C5CEA0 Relevance: 2.3, Instructions: 2316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2932354878.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fab8c9aae2edb05f84321a9801e5f62d632925cf03147bb7d06627bf13fcc547
Instruction ID: f5bdbbe45faacbcbb7233a04b1257774e008c0149a42e63dadb25a4d961cd884
Opcode Fuzzy Hash: fab8c9aae2edb05f84321a9801e5f62d632925cf03147bb7d06627bf13fcc547
Instruction Fuzzy Hash: A8332E35D107198ECB15DF68C8806ADF7B1FF99300F14C79AE459A7225EB70AAC5CB81

Function 00C54A98 Relevance: .3, Instructions: 266
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2932354878.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbe55b03a9f95fd7ed142d2215ee79933c214fd764172a20888072cff6a04ae7
Instruction ID: d59822d37f117bb546d613208f18b0117306a03dd03c232deb6c69a8600062cf
Opcode Fuzzy Hash: bbe55b03a9f95fd7ed142d2215ee79933c214fd764172a20888072cff6a04ae7
Instruction Fuzzy Hash: 69B17074E00209CFDF18CFA9C88579DBBF2AF88359F148129D815E7254EB7499C9CB85

Function 00C53E80 Relevance: .2, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2932354878.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56ae7424daa6e0c02ca17f8097eb1677712e46a12caabdad435e5b566874f8ca
Instruction ID: bc814e61108c3ca56a4036696799a21775fd817db027520bff98bc09947bdd1c
Opcode Fuzzy Hash: 56ae7424daa6e0c02ca17f8097eb1677712e46a12caabdad435e5b566874f8ca
Instruction Fuzzy Hash: 30918174E00209CFDF14CFA9C98579EBBF2AF88305F248129E815E7294DB7499C9CB85

Function 00C5FDA0 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 00C5FE61

Memory Dump Source

Source File: 00000004.00000002.2932354878.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c50000_RegSvcs.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 7d99a12b902af79b45743c5beeb18fd0b7c884fdee948be01a90a119d9125cf5
Instruction ID: 1702c785af8d71b976a1df072cf6157c904211c186dbd363436d902ba606158c
Opcode Fuzzy Hash: 7d99a12b902af79b45743c5beeb18fd0b7c884fdee948be01a90a119d9125cf5
Instruction Fuzzy Hash: FA4138B8900309CFCB14CF99C449A9ABBF5FB88314F24C459D419AB361D3B4A886CFA4

Function 00A0D006 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931955900.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a0d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5084e79217ff4804a68ec6f9f4199d64467148b20662f9569eeb8a5a5fdfc3af
Instruction ID: 40ee66d4b90f563bd61a2ef0aab019963b2743c1e7899102e0cbbc1faa3b410f
Opcode Fuzzy Hash: 5084e79217ff4804a68ec6f9f4199d64467148b20662f9569eeb8a5a5fdfc3af
Instruction Fuzzy Hash: 52216B7650D3C49FCB13CF64D990711BF71AB56314F28C5DBD8898B2A3C23A981ACB62

Function 00A0D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2931955900.0000000000A0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A0D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_a0d000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ed01c441dbf2daa1973c50dc23c58101f48b55e8c3eeabd97830c14b8f14dd
Instruction ID: 0006c6083f4b99d2e12163c7922132b72e17a4c8b9f8a17522927169e2b0f085
Opcode Fuzzy Hash: a4ed01c441dbf2daa1973c50dc23c58101f48b55e8c3eeabd97830c14b8f14dd
Instruction Fuzzy Hash: AD210472604208DFDB14DF54E9C0B26BFA5FB84314F24C66DE84E4B296C37AD847CA62

Non-executed Functions

Function 00C5C0BC Relevance: 1.2, Instructions: 1250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2932354878.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2518e9fbd473486fa87d764c011f1280c030311da2ce932ee934975c9fa53b4
Instruction ID: 731e706d90008948cd96a0e9cb7f0ab2960254514a10bcbe7482fbaf59afcd06
Opcode Fuzzy Hash: a2518e9fbd473486fa87d764c011f1280c030311da2ce932ee934975c9fa53b4
Instruction Fuzzy Hash: 41D2E731D10B5A8ECB15EF68C884699F7B1FF99300F51D79AE4586B121EB70AAC4CF81

Function 00C5A632 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2932354878.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0505c313b9b1aae9c68760506c0963c39c6414d400bb146b881b687731e031
Instruction ID: f42d5db55399ede16e7d3ff437110b120cf0c5f99a58d33d2ac2df42e651a974
Opcode Fuzzy Hash: ba0505c313b9b1aae9c68760506c0963c39c6414d400bb146b881b687731e031
Instruction Fuzzy Hash: 5D02D231D14B198ACB10EF68C884A99F7B1FF99300F51D69AE45C6B121EB70AAD4CF81

Function 00C541C8 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2932354878.0000000000C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c50000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0431a9537475d732e4c63708f31501491270a091ad97b55e5da16fd52dd5305d
Instruction ID: 41cf250cf500a67b8f5d4fbb6951cccb622c18e0198db9cb400f05ddabf98661
Opcode Fuzzy Hash: 0431a9537475d732e4c63708f31501491270a091ad97b55e5da16fd52dd5305d
Instruction Fuzzy Hash: 38B15074E00219CFDF14CFA9C88579DBBF2AF88319F148129E815E7264EB7499C9CB45

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\lustring

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
rOLZ579082-GHJ678992-PLRZ9000W029W00.exe

Function 00C54A98 Relevance: .3, Instructions: 266
COMMON

Function 00C53E80 Relevance: .2, Instructions: 238
COMMON

Function 00C5FDA0 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON