31.0.0 Emerald
IR
382651
CloudBasic
12:37:48
06/04/2021
ddff.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
MD5: ded56210e4491797f704b4b0525238d8
SHA1: 7a1ca12b56aee84bab41abb6cd4b6eb50a64ef21
SHA256: 422287b67dd187c3fae4472cdf654ef69354ab78ac094dee6711874c9e59f1f4
Win32 Executable (generic) a (10002005/4) 99.15%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Roaming\ifg4v0bb.jfl\Chrome\Default\Cookies
false
MD5: 00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1: 14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA256: 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
\Device\ConDrv
false
MD5: 9F754B47B351EF0FC32527B541420595
SHA1: 006C66220B33E98C725B73495FE97B3291CE14D9
SHA256: 0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
172.217.23.33
108.179.235.108
mail.gcclatinoamerica.com
true
108.179.235.108
googlehosted.l.googleusercontent.com
false
172.217.23.33
doc-0k-1c-docs.googleusercontent.com
false
unknown
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: RegAsm connects to smtp port
Yara detected AgentTesla
Yara detected GuLoader