31.0.0 Red Diamond
IR
339443
CloudBasic
03:36:51
14/01/2021
sample2.bin
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
b0f2d519ccae5bf1435264e0979770ce
212da7b3ed9c89d83941f6bb0dba889fa24f8f6a
a4fdc26d6b70eaf0a62cca36286412901f48881eae616d38b96d8ae0cb0f29c7
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\nwama.exe.log
false
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\sample2.exe.log
true
C:\Users\user\AppData\Local\Temp\nwama\nwama.exe
true
C:\Users\user\AppData\Local\Temp\nwama\nwama.exe:Zone.Identifier
true
C:\Users\user\AppData\Roaming\1b4bluf2.tug.zip
false
C:\Users\user\AppData\Roaming\1b4bluf2.tug\Chrome\Default\Cookies
false
C:\Users\user\AppData\Roaming\j0jrvzzu.5ob.zip
false
C:\Users\user\AppData\Roaming\j0jrvzzu.5ob\Chrome\Default\Cookies
false
C:\Users\user\AppData\Roaming\y2nzgw3x.tiq.zip
false
C:\Users\user\AppData\Roaming\y2nzgw3x.tiq\Chrome\Default\Cookies
false
208.91.198.143
192.168.2.1
us2.smtp.mailhostbox.com
false
208.91.198.143
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Installs a global keyboard hook
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal FTP login credentials
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected AgentTesla
Yara detected AntiVM_3