Joe Sandbox version: 31.0.0 Red Diamond
IR
Analysis ID: 321450
CloudBasic
Start time: 08:24:11
Start date: 22/11/2020
Sample: QUOTATION REQUEST.exe
Cookbook: default.jbs
Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Platform: WINDOWS
MD5: 4f4f697adc79894ceec42d5752b2790e
SHA1: 390de0e89b8c1c3d07dbd12dbb0149626453d12b
SHA256: dc0cff9e3bc575333097988f46e46f1925cedf35329a749a642576601a45674c
TrID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
true
false
false
false
100
0
100
5
0
5
false
Files:

File: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION REQUEST.exe.log
  Flag: true
  MD5: 6C42AAF2F2FABAD2BAB70543AE48CEDB
  SHA1: 8552031F83C078FE1C035191A32BA43261A63DA9
  SHA256: 51D07DD061EA9665DA070B95A4AC2AC17E20524E30BF6A0DA8381C2AF29CA967

File: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lEmohP.exe.log
  Flag: false
  MD5: 8C0458BB9EA02D50565175E38D577E35
  SHA1: F0B50702CD6470F3C17D637908F83212FDBDB2F2
  SHA256: C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53

File: C:\Users\user\AppData\Local\Temp\tmpCA2.tmp
  Flag: true
  MD5: D155A8C3722582775D0A09941D62E98E
  SHA1: C9CE75D6052B7F44106E2F9368ABF53188820A5E
  SHA256: B43968CF5253F83119264249CE652A2E5185CA84849315690B7603553876346B

File: C:\Users\user\AppData\Roaming\GtVSibeZGs.exe
  Flag: true
  MD5: 4F4F697ADC79894CEEC42D5752B2790E
  SHA1: 390DE0E89B8C1C3D07DBD12DBB0149626453D12B
  SHA256: DC0CFF9E3BC575333097988F46E46F1925CEDF35329A749A642576601A45674C

File: C:\Users\user\AppData\Roaming\lEmohP\lEmohP.exe
  Flag: true
  MD5: 2867A3817C9245F7CF518524DFD18F28
  SHA1: D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
  SHA256: 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50

File: C:\Windows\System32\drivers\etc\hosts
  Flag: true
  MD5: B24D295C1F84ECBFB566103374FB91C5
  SHA1: 6A750D3F8B45C240637332071D34B403FA1FF55A
  SHA256: 4DC7B65075FBC5B5421551F0CB814CAFDC8CACA5957D393C222EE388B6F405F4

File: \Device\ConDrv
  Flag: false
  MD5: 1AEB3A784552CFD2AEDEDC1D43A97A4F
  SHA1: 804286AB9F8B3DE053222826A69A7CDA3492411A
  SHA256: 0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
Network:

IP: 107.6.134.138

Domain: mail.hemetek.com
  Flag: true
  IP: 107.6.134.138
Signatures:

.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM_3