Joe Sandbox version: 31.0.0 Red Diamond
IR
Analysis ID: 321396
Joe Sandbox product: CloudBasic
Start time: 10:35:20
Start date: 21/11/2020
Sample file name: DOC04121993.exe
Cookbook file name: default.jbs
Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
OS: WINDOWS
MD5: 710843b45a8e65c939d3ab4fb96d73e4
SHA1: 909799ac70c5a8a472b40579ff0c5bc982979676
SHA256: d0ea8610ecee6c92c50af51c37a0a49f8550768609a08a5a2dcaf98bb06dcff3
File type (TrID): Win32 Executable (generic) a (10002005/4) 99.66%
true
false
false
false
100
0
100
5
0
5
false
Dropped file: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\STARTUP.vbs
true
MD5: 863B251962DCEFF8DC4CF0794C51DBD7
SHA1: 639371523C3274C4B3CED14564213AE2AC5F67E7
SHA256: A2755DC8A8AD6573A09C4E3CD83265747842802D9AA9CD7AF16939FCFF8B17BF
IP: 66.70.204.222
Domain: hybridgroupco.com
true
IP: 66.70.204.222
Domain: mail.hybridgroupco.com
true
unknown
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Drops VBS files to the startup folder
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AgentTesla
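The signatures above give a responder two cheap host and network checks: a script dropped into the per-user Startup folder (the Sigma hit "Drops script at startup location") and traffic to hybridgroupco.com / 66.70.204.222. The following is an added IOC-sweep example written for this page; it is not Joe Sandbox output or code from the sample. The hashes, IP and domains are taken from the report; the Startup folder contents and the log lines are constructed for the demo (the stand-in STARTUP.vbs does not have the real dropped file's content, so its hashes will not match and the script flags it only by location), and port 587 in the constructed log line is an assumption, not a value from the report.

```python
"""IOC sweep for the AgentTesla report above (added example; not Joe Sandbox code).

Indicators below are copied from the report. Everything under demo() is constructed
test input so the script runs offline on any OS.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators from the report (hashes lower-cased so comparison is case-insensitive).
DROPPED_FILE_HASHES = {
    "md5": "863b251962dceff8dc4cf0794c51dbd7",
    "sha1": "639371523c3274c4b3ced14564213ae2ac5f67e7",
    "sha256": "a2755dc8a8ad6573a09c4e3cd83265747842802d9aa9cd7af16939fcff8b17bf",
}
SAMPLE_SHA256 = "d0ea8610ecee6c92c50af51c37a0a49f8550768609a08a5a2dcaf98bb06dcff3"
C2_IP = "66.70.204.222"
C2_DOMAINS = {"hybridgroupco.com", "mail.hybridgroupco.com"}

# Script extensions worth flagging in a Startup folder regardless of hash
# (the report's Sigma hit is about a .vbs; the rest are assumed, common equivalents).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta"}


def file_hashes(path):
    """Stream the file once and return md5/sha1/sha256 hex digests."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def sweep_startup_folder(startup_dir):
    """One finding per regular file: known-bad hash match and/or script dropped in Startup."""
    findings = []
    for p in sorted(Path(startup_dir).iterdir()):
        if not p.is_file():
            continue
        h = file_hashes(p)
        hash_match = (
            any(h[algo] == known for algo, known in DROPPED_FILE_HASHES.items())
            or h["sha256"] == SAMPLE_SHA256
        )
        findings.append({
            "path": str(p),
            "sha256": h["sha256"],
            "hash_match": hash_match,
            "script_in_startup": p.suffix.lower() in SCRIPT_EXTS,
        })
    return findings


# Longest domain first so "mail.hybridgroupco.com" is reported as itself, not as its parent.
_INDICATORS = sorted(C2_DOMAINS, key=len, reverse=True) + [C2_IP]
IOC_RE = re.compile(r"(?i)\b(" + "|".join(re.escape(i) for i in _INDICATORS) + r")\b")


def scan_log_lines(lines):
    """Return (line_number, indicator) for every log line mentioning the C2 domain or IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = IOC_RE.search(line)
        if m:
            hits.append((n, m.group(1).lower()))
    return hits


def demo():
    """Constructed Startup folder and log lines; returns (file findings, log hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp) / "Startup"
        startup.mkdir()
        # Constructed stand-in: same name as the report's dropped file, NOT its real content.
        (startup / "STARTUP.vbs").write_text('CreateObject("WScript.Shell").Run "calc.exe"\r\n')
        (startup / "desktop.ini").write_text("[.ShellClassInfo]\r\n")
        files = sweep_startup_folder(startup)
    logs = [  # constructed DNS/firewall lines; the port is an assumption
        "2020-11-21 10:36:02 DNS query A mail.hybridgroupco.com from 10.0.0.15",
        "2020-11-21 10:36:03 TCP 10.0.0.15:49812 -> 66.70.204.222:587 SYN",
        "2020-11-21 10:36:05 DNS query A update.microsoft.com from 10.0.0.15",
    ]
    return files, scan_log_lines(logs)


if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
    for hit in demo()[1]:
        print(hit)
```

On a real host, point sweep_startup_folder() at each user's Startup folder (the path in the report, with the user name substituted) and feed scan_log_lines() your DNS or proxy export; a script in Startup that does not hash-match is still worth pulling, since the dropped .vbs is regenerated per infection and its hash is not stable across victims.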