Sandbox version: 34.0.0 Boulder Opal
IR
Analysis ID: 532705
Product: CloudBasic
Analysis time: 16:26:02
Analysis date: 02/12/2021
Sample file name: Bank payment swift message.exe
Cookbook: default.jbs
Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Platform: WINDOWS
Sample MD5: 8cf71f83b169db6428ce1345eacec7e1
Sample SHA1: 50cde0ed5ae88e15fc6a190216f767c61014261f
Sample SHA256: 7c04ed79e657827d9ed17fc6f50e51a5818bf9b7db804691dee2470d5371162e
File type (TrID): Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Files created or accessed during analysis (path, flag as given in the report, MD5, SHA1, SHA256):

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bank payment swift message.exe.log
  flag: true
  MD5: D918C6A765EDB90D2A227FE23A3FEC98
  SHA1: 8BA802AD8D740F114783F0DADC407CBFD2A209B3
  SHA256: AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kprUEGC.exe.log
  flag: false
  MD5: 8C0458BB9EA02D50565175E38D577E35
  SHA1: F0B50702CD6470F3C17D637908F83212FDBDB2F2
  SHA256: C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53

C:\Users\user\AppData\Roaming\kprUEGC\kprUEGC.exe
  flag: true
  MD5: 2867A3817C9245F7CF518524DFD18F28
  SHA1: D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
  SHA256: 43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50

C:\Windows\System32\drivers\etc\hosts
  flag: true
  MD5: 6EB47C1CF858E25486E42440074917F2
  SHA1: 6A63F93A95E1AE831C393A97158C526A4FA0FAAE
  SHA256: 9B13A3EA948A1071A81787AAC1930B89E30DF22CE13F8FF751F31B5D83E79FFB

\Device\ConDrv
  flag: false
  MD5: 1AEB3A784552CFD2AEDEDC1D43A97A4F
  SHA1: 804286AB9F8B3DE053222826A69A7CDA3492411A
  SHA256: 0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
Contacted IPs and domains (IP, domain, flag as given in the report):

103.6.196.179  scsgroups.com  true
103.6.196.179  mail.scsgroups.com  true
unknown
Detected signatures:

Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Found malware configuration
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Modifies the hosts file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)