34.0.0 Boulder Opal
IR
527215
CloudBasic
14:35:55
23/11/2021
Doc0011222003.exe
default.jbs
Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
WINDOWS
Win32 Executable (generic) a (10002005/4) 99.15%
Hides threads from debuggers
Found malware configuration
Tries to detect Any.run
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: NanoCore
Sigma detected: Suspicius Add Task From User AppData Temp
Detected Nanocore Rat
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Yara detected Nanocore RAT
Yara detected GuLoader