34.0.0 Boulder Opal
IR
526595
CloudBasic
19:37:50
22/11/2021
Sales Order List.exe
default.jbs
Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
WINDOWS
80bad0903ee7ec98805678673720cfd9
35aecf6fe3ac24adaf16c04b787e90ac4c845eb0
260e6b75d7616efd29c05151f1ce95bbab1aaf8703f86f62c4d9bc6d308a56b8
Win32 Executable (generic) a (10002005/4) 99.15%
true
false
false
false
100
0
100
5
0
5
false
unknown
Hides threads from debuggers
Found malware configuration
Yara detected Generic Dropper
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Tries to detect Any.run
Increases the number of concurrent connection per server for Internet Explorer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Contains functionality to hide user accounts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Creates an undocumented autostart registry key
C2 URLs / IPs found in malware configuration
Yara detected AveMaria stealer
Hides that the sample has been downloaded from the Internet (zone.identifier)
GuLoader behavior detected
Multi AV Scanner detection for dropped file
Yara detected GuLoader