Joe Sandbox Version: 33.0.0 White Diamond
IR
Analysis ID: 483914
Product: CloudBasic
Start time: 16:12:52
Start date: 15/09/2021 (DD/MM/YYYY)
Sample file name: inquiry.exe
Cookbook file name: default.jbs
Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
MD5: e15248f30c0657187fbb03e46430f97a
SHA1: 42b284897791f02b6b076acf13f406ffd5a4b19a
SHA256: 9f2dc372685655a102ba02d121745b124d47ea7b90d0f697181fda747a26ae2e
File type: Win32 Executable (generic) a (10002005/4) 99.96%
Header flags and scores (field labels lost in extraction, order preserved): true, false, false, false, 100, 0, 100, 5, 0, 5, false
Dropped/accessed file: C:\Users\user\AppData\Roaming\dj2qhmgg.ty5\Chrome\Default\Cookies
Note: this is not Chrome's own profile location; a "Chrome\Default\Cookies" database written under a randomly named directory in AppData\Roaming is a working copy of the browser cookie store, consistent with the browser-information-harvesting signature listed below.
Flags (field labels lost in extraction): false, false
MD5: EA7F9615D77815B5FFF7C15179C6C560
SHA1: 3D1D0BAC6633344E2B6592464EBB957D0D8DD48F
SHA256: A5D1ABB57C516F4B3DF3D18950AD1319BA1A63F9A39785F8F0EACE0A482CAB17
Contacted domain: api.telegram.org
Contacted IP: 149.154.167.220
Flag (field label lost in extraction): false
Note: api.telegram.org resolves to Telegram's own infrastructure, so the IP on its own is a weak indicator and blocking it also breaks legitimate Telegram clients. Detection should key on which process connects to the Telegram API (here a non-browser executable) together with the other behaviours below.
Signatures (as reported):
Found malware configuration
Maps a DLL or memory area into another process
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Multi AV Scanner detection for submitted file
Tries to harvest and steal ftp login credentials
Yara detected Telegram RAT
Yara detected AgentTesla
Uses the Telegram API (likely for C&C communication)
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
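The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: a small host-triage script that correlates three behaviour families from the signature list (WMI probes of Win32_Bios / Win32_BaseBoard / Win32_NetworkAdapter, a browser credential-store copy under AppData\Roaming, and Telegram API traffic from a non-browser process) with the report's file hashes, domain and IP. The event schema (kind / pid / image plus per-kind fields) is a simplified normalized format assumed for the example rather than any real log format, the events are constructed, and the TELEGRAM_CLIENTS allowlist is an assumption about which processes are expected to talk to api.telegram.org.

```python
import re

# IOCs taken from the report above
SAMPLE_MD5 = "e15248f30c0657187fbb03e46430f97a"
SAMPLE_SHA256 = "9f2dc372685655a102ba02d121745b124d47ea7b90d0f697181fda747a26ae2e"
TELEGRAM_HOST = "api.telegram.org"
TELEGRAM_IP = "149.154.167.220"

# WMI classes the report says were queried (commonly used for VM detection)
VM_PROBE_CLASSES = ("win32_bios", "win32_baseboard", "win32_networkadapter")

# Chrome credential stores copied under a random directory in AppData\Roaming,
# matching the dropped-file path shown in the report
BROWSER_DB_RE = re.compile(
    r"\\AppData\\Roaming\\[^\\]+\\Chrome\\Default\\(Cookies|Login Data)$",
    re.IGNORECASE,
)

# Assumption: processes for which Telegram API traffic is expected and benign
TELEGRAM_CLIENTS = ("telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe")

# Constructed events in a simplified normalized schema (not a real log format).
MALWARE = r"C:\Users\user\Desktop\inquiry.exe"
EVENTS = [
    {"kind": "process_create", "pid": 4120, "image": MALWARE,
     "hashes": "MD5=E15248F30C0657187FBB03E46430F97A,"
               "SHA256=9F2DC372685655A102BA02D121745B124D47EA7B90D0F697181FDA747A26AE2E"},
    {"kind": "wmi_query", "pid": 4120, "image": MALWARE, "query": "SELECT * FROM Win32_Bios"},
    {"kind": "wmi_query", "pid": 4120, "image": MALWARE, "query": "SELECT * FROM Win32_NetworkAdapter"},
    {"kind": "file_create", "pid": 4120, "image": MALWARE,
     "target": r"C:\Users\user\AppData\Roaming\dj2qhmgg.ty5\Chrome\Default\Cookies"},
    {"kind": "dns_query", "pid": 4120, "image": MALWARE, "query_name": "api.telegram.org"},
    {"kind": "network_connect", "pid": 4120, "image": MALWARE, "dest_ip": "149.154.167.220", "dest_port": 443},
    # Benign noise: a browser talking to Telegram, and a monitoring agent querying the BIOS
    {"kind": "network_connect", "pid": 880,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "149.154.167.220", "dest_port": 443},
    {"kind": "wmi_query", "pid": 2212, "image": r"C:\Program Files\Agent\agent.exe",
     "query": "SELECT Name FROM Win32_Bios"},
]


def triage(events):
    """Group events by pid and tag each behaviour from the report that it shows.
    Returns {pid: {"image": str, "findings": set[str]}}; findings are
    'family:detail' strings so the verdict can count independent families."""
    procs = {}
    for ev in events:
        p = procs.setdefault(ev["pid"], {"image": ev["image"], "findings": set()})
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        kind = ev["kind"]
        if kind == "process_create":
            hashes = {k.lower(): v.lower() for k, v in
                      (h.split("=", 1) for h in ev["hashes"].split(","))}
            if hashes.get("sha256") == SAMPLE_SHA256 or hashes.get("md5") == SAMPLE_MD5:
                p["findings"].add("ioc:known_sample_hash")
        elif kind == "wmi_query":
            if any(cls in ev["query"].lower() for cls in VM_PROBE_CLASSES):
                p["findings"].add("vm_probe:wmi")
        elif kind == "file_create":
            if BROWSER_DB_RE.search(ev["target"]):
                p["findings"].add("stealer:browser_db_copy")
        elif kind == "dns_query":
            if ev["query_name"].lower() == TELEGRAM_HOST and exe not in TELEGRAM_CLIENTS:
                p["findings"].add("c2:telegram_api")
        elif kind == "network_connect":
            if ev["dest_ip"] == TELEGRAM_IP and exe not in TELEGRAM_CLIENTS:
                p["findings"].add("c2:telegram_api")
    return procs


def verdict(procs):
    """Flag a process on a known-hash match, or on two or more independent
    behaviour families. A single family (e.g. one WMI BIOS query, or Telegram
    traffic alone, since the IP is shared Telegram infrastructure) is not enough."""
    flagged = {}
    for pid, p in procs.items():
        families = {f.split(":", 1)[0] for f in p["findings"]}
        if "ioc" in families or len(families - {"ioc"}) >= 2:
            flagged[pid] = sorted(p["findings"])
    return flagged


if __name__ == "__main__":
    for pid, findings in verdict(triage(EVENTS)).items():
        print(pid, findings)
```

Running the block flags only pid 4120 (the constructed inquiry.exe process) with all four findings; the Chrome connection to the Telegram IP and the agent's lone Win32_Bios query are left alone. The hash check is a cheap exact-match IOC; the behavioural rules are what still fire when the sample is rebuilt with a new hash.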