31.0.0 Red Diamond
IR
339499
CloudBasic
07:58:25
14/01/2021
B6LNCKjOGt5EmFQ.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
MD5: 80d255a6a5ec339e15d6fec3c0fef666
SHA-1: bca665ff5a6a7084df2d424c0ed7fff3e141acbc
SHA-256: 3e48d983e3315501931c646f896a8189637f5b9d21c453b051cd17f2584ee3c4
Win32 Executable (generic) Net Framework (10011505/4) 50.01%
true
false
false
false
100
0
100
5
0
5
false
File: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_pictures.exe_c756fdb369d16caee6eb4c4fc55eace42746ab1_00000000_1a3a4dea\Report.wer
Flag: false
MD5: 241EF4951F1724F8D1314BBFBB87465D
SHA-1: 6BCBF070048674493FEBB07C204D05E998129610
SHA-256: 8EB667042376D717A87470D2AE0D383656CFB70BFE687BCCC80676683A25DB1D

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WER23EC.tmp.WERInternalMetadata.xml
Flag: false
MD5: 752C895F9DCD8F46A421ED01FC3D9137
SHA-1: A0E2791563BE980CE3A52637CA0E67A5CA39AA77
SHA-256: 3EBD2A9B184072C0007CA004F0623800CA3884EDCE089E48F0FD80B57373B6D5

File: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2525.tmp.xml
Flag: false
MD5: B3C65F177C1DEC134F2D225E3A86BB21
SHA-1: 83F25E548BD0226D94AC22C57E582CBDEED12DFF
SHA-256: B83847FA914868ED4AE188E38B5B9859232C7FA721DD1E979AA8476C683D2A8A

File: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\B6LNCKjOGt5EmFQ.exe.log
Flag: true
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA-1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C

File: C:\Users\user\AppData\Local\Temp\LOGO AND PICTURES.exe
Flag: true
MD5: D9001138C5119D936B70BF77E136AFBE
SHA-1: CFA2DBFF8527715EAAD00E91BD8955A8FFFC1224
SHA-256: 9AE5EF3FD4FEEA105C1ED3F1E69FD4FA328E8F29F1937097280F7EEE7F8D749E

File: C:\Users\user\AppData\Local\Temp\PO2345714382021.exe
Flag: true
MD5: 9B79DE8E3AD21F14E71E55CFA6AE4727
SHA-1: 3C2066345874FEBAFE281BBDE952D4F32D2ED53A
SHA-256: 56BD25ACDB97CE17F8351B926C48A4F63E348C40F6C5913219B0745D99F6B31D

File: C:\Users\user\AppData\Local\Temp\PO456724392021.exe
Flag: true
MD5: F38E2D474C075EFF35B4EF81FDACA650
SHA-1: 13F869037C80BE3CD4736C5F67431161C79E5970
SHA-256: F9EE81B7DEF0B0008CEF43847FB9BA520C0B57A49E7A71B47FF8D6EE1FEC4298

File: C:\Users\user\AppData\Local\Temp\Pictures.exe
Flag: true
MD5: 25146E9C5ECD498DD17BA01E6CFAEB24
SHA-1: 4171900E4D1291C7A7CDB33ADC655ECB12334A4F
SHA-256: 5207F3D079A52017E7977296C9EBA782D3D5EAE5ADEC94FA38ACDD88C184496D

File: C:\Users\user\AppData\Local\Temp\holderwb.txt
Flag: false
MD5: F3B25701FE362EC84616A93A45CE9998
SHA-1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209

File: C:\Users\user\AppData\Local\Temp\tmpDAC4.tmp
Flag: true
MD5: AC43371F9BD7E88C08D426F7689595BE
SHA-1: E8FCA4BB37D5B2178D6FE2E4C99390CA78DC3C3E
SHA-256: 35EB8CB95831F8879793C40A8870F74F6F685C0F9CB711779382C609B7CDCDD8

File: C:\Users\user\AppData\Roaming\TcVfsyyjYuQ.exe
Flag: true
MD5: 80D255A6A5EC339E15D6FEC3C0FEF666
SHA-1: BCA665FF5A6A7084DF2D424C0ED7FFF3E141ACBC
SHA-256: 3E48D983E3315501931C646F896A8189637F5B9D21C453B051CD17F2584EE3C4

File: C:\Users\user\AppData\Roaming\pid.txt
Flag: false
MD5: 405075699F065E43581F27D67BB68478
SHA-1: 1A20CF59F0584ADA3DEEFF6C1C5B4C11C691AEC0
SHA-256: 7666197A246DDED3B8238775F3CEDF8350A2858A8117E744A703987DD55AA497

File: C:\Users\user\AppData\Roaming\pidloc.txt
Flag: false
MD5: 46833127CC4C64CFB8650EE775DC5D9D
SHA-1: F2B43FDAEAC18E55085436E55D9C30E2FD240386
SHA-256: 6F0942DBA73C781461E1E322E13537AB0F0EBE49D8C3DBD6CF9C23FC91404CBC

File: C:\Users\user\Documents\Matiex Keylogger\Screenshot.png
Flag: false
MD5: D9C9360766149464EAE529F4C0E8A50C
SHA-1: 54E9BD21B7435FA52E9737B54AE1DE152B68C91C
SHA-256: CA710E0EE8D9F14410F4FC9CB3B37086F33E2FC250CF1A140C24B0A8400D6C43
104.16.154.36
131.186.161.70
192.168.2.1
199.193.7.228
172.67.188.154
Domain: whatismyipaddress.com
Flag: false
IP: 104.16.154.36

Domain: freegeoip.app
Flag: false
IP: 172.67.188.154

Domain: smtp.privateemail.com
Flag: false
IP: 199.193.7.228

Domain: checkip.dyndns.com
Flag: false
IP: 131.186.161.70

Domain: checkip.dyndns.org
Flag: true
IP: unknown

Domain: 94.197.2.0.in-addr.arpa
Flag: true
IP: unknown
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected Matiex Keylogger