31.0.0 Red Diamond
IR
321193
CloudBasic
15:34:21
20/11/2020
ORDER.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
bb942c948639f5c88fb33d5e4b7d7728
3cf9d798266aacc9bfdaf1c2d0a5eda2b6d069ea
5cfd185a582c4a6811966fb1585769fa8c17d67a969c72e1135f8de537d106d4
Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal PuTTY / WinSCP information (sessions, passwords, etc.)
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to harvest and steal FTP login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM_3