33.0.0 White Diamond
IR
483902
CloudBasic
15:57:45
15/09/2021
KAF-PR-21-F-3089_pdf.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
MD5: b5fdcd6723e679c54a5f8652c59bc52a
SHA-1: fc83546ee73bea22ea563b9644700abef62d0ef2
SHA-256: 245e18b14a6b231f2a89b812dace828478aa24419d600e2ac8c7acd989320e1a
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
Dropped files (per record: path, true/false flag as reported, MD5, SHA-1, SHA-256)

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\KAF-PR-21-F-3089_pdf.exe.log
  flag: true
  MD5: FED34146BF2F2FA59DCF8702FCC8232E
  SHA-1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
  SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xepul.exe.log
  flag: false
  MD5: FED34146BF2F2FA59DCF8702FCC8232E
  SHA-1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
  SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  flag: false
  MD5: D870AAB255908226597A55FDDCA56A4D
  SHA-1: D20084BBAECE1137AF71EB674DF33217A48FAF99
  SHA-256: E73BF0C4B86A420C5DB2D76C3A478CDAD96979BF86293D127F0DB6228630DFC9

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0mq00lhn.rw5.ps1
  flag: false
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA-1: 356A192B7913B04C54574D18C28D46E6395428AB
  SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2apcq0hy.cen.psm1
  flag: false
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA-1: 356A192B7913B04C54574D18C28D46E6395428AB
  SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pk23tghi.cbd.ps1
  flag: false
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA-1: 356A192B7913B04C54574D18C28D46E6395428AB
  SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y2gl204v.y0q.psm1
  flag: false
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA-1: 356A192B7913B04C54574D18C28D46E6395428AB
  SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

C:\Users\user\AppData\Local\Temp\tmp12EF.tmp
  flag: false
  MD5: A9DF567399D0A17B6D2674C2AAA16A82
  SHA-1: 32D4C4CDD0A61F6689C2D2DF421F0654BC75838F
  SHA-256: A960454156D58DFD7F2DB473C0E5F2B80AAA8DF27524B32ED560F141F6BB92B5

C:\Users\user\AppData\Local\Temp\tmp56.tmp
  flag: true
  MD5: A9DF567399D0A17B6D2674C2AAA16A82
  SHA-1: 32D4C4CDD0A61F6689C2D2DF421F0654BC75838F
  SHA-256: A960454156D58DFD7F2DB473C0E5F2B80AAA8DF27524B32ED560F141F6BB92B5

C:\Users\user\AppData\Local\Temp\tmpDA79.tmp
  flag: false
  MD5: A9DF567399D0A17B6D2674C2AAA16A82
  SHA-1: 32D4C4CDD0A61F6689C2D2DF421F0654BC75838F
  SHA-256: A960454156D58DFD7F2DB473C0E5F2B80AAA8DF27524B32ED560F141F6BB92B5

C:\Users\user\AppData\Roaming\OgRWrNP.exe
  flag: true
  MD5: B5FDCD6723E679C54A5F8652C59BC52A
  SHA-1: FC83546EE73BEA22EA563B9644700ABEF62D0EF2
  SHA-256: 245E18B14A6B231F2A89B812DACE828478AA24419D600E2AC8C7ACD989320E1A

C:\Users\user\AppData\Roaming\OgRWrNP.exe:Zone.Identifier
  flag: true
  MD5: 187F488E27DB4AF347237FE461A079AD
  SHA-1: 6693BA299EC1881249D59262276A0D2CB21F8E64
  SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

C:\Users\user\AppData\Roaming\xepul\xepul.exe
  flag: true
  MD5: B5FDCD6723E679C54A5F8652C59BC52A
  SHA-1: FC83546EE73BEA22EA563B9644700ABEF62D0EF2
  SHA-256: 245E18B14A6B231F2A89B812DACE828478AA24419D600E2AC8C7ACD989320E1A

C:\Users\user\AppData\Roaming\xepul\xepul.exe:Zone.Identifier
  flag: true
  MD5: 187F488E27DB4AF347237FE461A079AD
  SHA-1: 6693BA299EC1881249D59262276A0D2CB21F8E64
  SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

C:\Users\user\Documents\20210915\PowerShell_transcript.364339.AB9Havin.20210915155857.txt
  flag: false
  MD5: 4DBA287E69CA781EABCEBAA75D840CCA
  SHA-1: CACD2BA30D6CE673B33937F6AFD216B4E920FCD1
  SHA-256: B0499CB5F938D4DC8F1C94F7824BA9C2C5F0511B5DC0B47CDDA24EBEFA3EA8CA

C:\Users\user\Documents\20210915\PowerShell_transcript.364339.Qr4P5N31.20210915155948.txt
  flag: false
  MD5: 044A21D42F0E230437D210E46F50D243
  SHA-1: 20567911976918166DA228AA08703754F137789D
  SHA-256: C20B95C46A1383F2A5909FB8E1EA9363CFDF59A520DC8EE26ABE976F7534DDEB
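The dropped-file list is more useful once it is pivoted on hash rather than read path by path. Two of the drops (OgRWrNP.exe and xepul\xepul.exe) carry the submitted sample's own SHA-256, so they are byte-identical self-copies placed for persistence; the four __PSScriptPolicyTest files all share the digests of the single byte "1", which is the probe content PowerShell writes to %TEMP% to test script policy, so they are PowerShell's noise, not payload; and the two CLR UsageLogs entries are written by the .NET runtime when a managed image executes, so xepul.exe.log is evidence that the copy actually ran. The script below is an added triage example, not part of the sandbox output: paths, flags and SHA-256 values are copied from the report, the candidate content b"1" is an assumption that the hash comparison confirms, and the Zone.Identifier streams are only counted because the report does not show their content.

```python
"""Hash-pivot triage of the dropped-file list (added example, not sandbox output).
Paths, flags and SHA-256 values are copied from the report above."""
import hashlib
from collections import defaultdict

# SHA-256 of the submitted sample, from the report header.
SAMPLE_SHA256 = "245e18b14a6b231f2a89b812dace828478aa24419d600e2ac8c7acd989320e1a"
P = r"C:\Users\user\AppData"
D = r"C:\Users\user\Documents\20210915"

# (path, flag as reported, SHA-256) for every dropped file in the report.
DROPPED = [
    (P + r"\Local\Microsoft\CLR_v4.0_32\UsageLogs\KAF-PR-21-F-3089_pdf.exe.log", True, "123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C"),
    (P + r"\Local\Microsoft\CLR_v4.0_32\UsageLogs\xepul.exe.log", False, "123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C"),
    (P + r"\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive", False, "E73BF0C4B86A420C5DB2D76C3A478CDAD96979BF86293D127F0DB6228630DFC9"),
    (P + r"\Local\Temp\__PSScriptPolicyTest_0mq00lhn.rw5.ps1", False, "6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B"),
    (P + r"\Local\Temp\__PSScriptPolicyTest_2apcq0hy.cen.psm1", False, "6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B"),
    (P + r"\Local\Temp\__PSScriptPolicyTest_pk23tghi.cbd.ps1", False, "6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B"),
    (P + r"\Local\Temp\__PSScriptPolicyTest_y2gl204v.y0q.psm1", False, "6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B"),
    (P + r"\Local\Temp\tmp12EF.tmp", False, "A960454156D58DFD7F2DB473C0E5F2B80AAA8DF27524B32ED560F141F6BB92B5"),
    (P + r"\Local\Temp\tmp56.tmp", True, "A960454156D58DFD7F2DB473C0E5F2B80AAA8DF27524B32ED560F141F6BB92B5"),
    (P + r"\Local\Temp\tmpDA79.tmp", False, "A960454156D58DFD7F2DB473C0E5F2B80AAA8DF27524B32ED560F141F6BB92B5"),
    (P + r"\Roaming\OgRWrNP.exe", True, "245E18B14A6B231F2A89B812DACE828478AA24419D600E2AC8C7ACD989320E1A"),
    (P + r"\Roaming\OgRWrNP.exe:Zone.Identifier", True, "255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309"),
    (P + r"\Roaming\xepul\xepul.exe", True, "245E18B14A6B231F2A89B812DACE828478AA24419D600E2AC8C7ACD989320E1A"),
    (P + r"\Roaming\xepul\xepul.exe:Zone.Identifier", True, "255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309"),
    (D + r"\PowerShell_transcript.364339.AB9Havin.20210915155857.txt", False, "B0499CB5F938D4DC8F1C94F7824BA9C2C5F0511B5DC0B47CDDA24EBEFA3EA8CA"),
    (D + r"\PowerShell_transcript.364339.Qr4P5N31.20210915155948.txt", False, "C20B95C46A1383F2A5909FB8E1EA9363CFDF59A520DC8EE26ABE976F7534DDEB"),
]


def by_hash(records):
    """Group paths by SHA-256 (case-insensitive) so byte-identical drops stand out."""
    groups = defaultdict(list)
    for path, _flag, sha256 in records:
        groups[sha256.lower()].append(path)
    return dict(groups)


def self_copies(records, sample_sha256=SAMPLE_SHA256):
    """Drops that are byte-identical to the submitted sample: its persistence copies."""
    return by_hash(records).get(sample_sha256.lower(), [])


def ads_paths(records):
    """Alternate data streams among the drops: a ':' anywhere after the drive letter."""
    return [path for path, _flag, _sha in records if ":" in path[2:]]


def digests(data: bytes):
    """MD5, SHA-1 and SHA-256 of data as lowercase hex, for comparison with report hashes."""
    return tuple(h(data).hexdigest() for h in (hashlib.md5, hashlib.sha1, hashlib.sha256))


def content_matches(records, candidate: bytes):
    """Drops whose recorded SHA-256 equals sha256(candidate). This identifies file content
    without having the file; here it confirms the assumption that the PSScriptPolicyTest
    files hold the single byte b"1" that PowerShell writes to probe script policy."""
    want = hashlib.sha256(candidate).hexdigest()
    return [path for path, _flag, sha in records if sha.lower() == want]


def clr_usage_logs(records):
    """Names of .NET binaries with a CLR UsageLogs entry. The runtime writes <exe>.log when a
    managed image executes, so each entry is evidence that the named binary ran."""
    return [path.rsplit("\\", 1)[-1][:-len(".log")]
            for path, _flag, _sha in records if "\\CLR_v4.0_32\\UsageLogs\\" in path]


if __name__ == "__main__":
    print("self-copies of the sample:", self_copies(DROPPED))
    print("alternate data streams:", ads_paths(DROPPED))
    print("files containing just b'1':", content_matches(DROPPED, b"1"))
    print(".NET binaries that executed:", clr_usage_logs(DROPPED))
    print("distinct contents dropped:", len(by_hash(DROPPED)))
```

Note that tmp56.tmp is flagged true while tmp12EF.tmp and tmpDA79.tmp with the same SHA-256 are flagged false, so the per-file flag in this report is not a verdict on content; content-based conclusions should come from the hash grouping, not from the flag.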
Signatures

Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Multi AV Scanner detection for submitted file
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
.NET source code contains very large array initializations
.NET source code contains very large strings
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
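Several of the signatures above describe behaviour that also shows up as ordinary process-creation telemetry on a production host: the Defender directory exclusion added through PowerShell (the Sigma hit "Powershell Defender Exclusion"), task registration via schtasks.exe or at.exe, and built-in tools being spawned by a binary that lives under a user-writable directory (the pattern of OgRWrNP.exe and xepul.exe in AppData). The detector below is an added example, not the Sigma rule or Joe Sandbox's own signature code; it approximates those checks over events that are constructed for the example and use Sysmon event 1 field names (Image, ParentImage, CommandLine). The task name, exclusion path and XML path in the events are illustrative, not values taken from the report.

```python
"""Process-creation detection for three behaviours from the signature list
(added example; approximates the Sigma rule 'Powershell Defender Exclusion' and
the schtasks/at signature, not their code). Events are constructed for the example."""
import re

FLAGS = re.IGNORECASE

# Constructed Sysmon-style events, not telemetry from the report. Two true positives
# (exclusion, task creation) and two benign look-alikes (Get-MpPreference, schtasks /Query).
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe",
     "CommandLine": 'powershell Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\KAF-PR-21-F-3089_pdf.exe",
     "CommandLine": 'schtasks.exe /Create /TN "Updates\\example" /XML "C:\\Users\\user\\AppData\\Local\\Temp\\task.xml"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": 'schtasks.exe /Query /TN "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-MpPreference"},
]


def is_defender_exclusion(e):
    """PowerShell adding or replacing a Defender exclusion (path, process, extension or IP).
    Get-MpPreference and other Set-MpPreference switches deliberately do not match."""
    return bool(re.search(r"\\(powershell|pwsh)\.exe$", e["Image"], FLAGS)
                and re.search(r"\b(Add|Set)-MpPreference\b", e["CommandLine"], FLAGS)
                and re.search(r"-Exclusion(Path|Process|Extension|IpAddress)\b", e["CommandLine"], FLAGS))


def is_task_persistence(e):
    """schtasks creating or modifying a task, or any use of the legacy at.exe."""
    if re.search(r"\\at\.exe$", e["Image"], FLAGS):
        return True
    return bool(re.search(r"\\schtasks\.exe$", e["Image"], FLAGS)
                and re.search(r"/(create|change)\b", e["CommandLine"], FLAGS))


def is_lolbin_from_user_dir(e):
    """A built-in admin tool launched by a parent under a user-writable directory:
    the shape of a dropper or its AppData self-copy spawning helpers."""
    return bool(re.search(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", e["ParentImage"], FLAGS)
                and re.search(r"\\(powershell|pwsh|schtasks|cmd)\.exe$", e["Image"], FLAGS))


RULES = {
    "defender_exclusion": is_defender_exclusion,
    "scheduled_task_persistence": is_task_persistence,
    "lolbin_from_user_dir": is_lolbin_from_user_dir,
}


def triage(events):
    """Return (event index, rule name) for every rule that fires, in event order."""
    return [(i, name) for i, e in enumerate(events) for name, check in RULES.items() if check(e)]


if __name__ == "__main__":
    for idx, rule in triage(EVENTS):
        print(f"event {idx}: {rule}: {EVENTS[idx]['CommandLine']}")
```

The exclusion rule is intentionally narrow: a command such as Set-MpPreference -DisableRealtimeMonitoring $true is also hostile but is a different technique and is not something this report attributes to the sample, so it belongs in a separate rule rather than being folded into this one.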