31.0.0 Emerald
IR
383916
CloudBasic
12:22:43
08/04/2021
TRENWATR.EXE
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
4c8c4125a16387f16558e841a704c718
a550ec500bfa00f45ac799b9e5f4868a30892e23
5aaae83a4b166e0cb4a3a5841c6b92c39c66b2c8dabbe9e304c7865237c9ad5b
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TRENWATR.EXE.log
true
1DC1A2DCC9EFAA84EABF4F6D6066565B
B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\outlook.exe.log
false
1DC1A2DCC9EFAA84EABF4F6D6066565B
B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
C:\Users\user\AppData\Roaming\outlook\outlook.exe
true
4C8C4125A16387F16558E841A704C718
A550EC500BFA00F45AC799B9E5F4868A30892E23
5AAAE83A4B166E0CB4A3A5841C6B92C39C66B2C8DABBE9E304C7865237C9AD5B
C:\Users\user\AppData\Roaming\outlook\outlook.exe:Zone.Identifier
true
187F488E27DB4AF347237FE461A079AD
6693BA299EC1881249D59262276A0D2CB21F8E64
255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3