Analysis header

Sandbox version: 34.0.0 Boulder Opal
IR
Analysis ID: 532854
Product: CloudBasic
Start time: 18:52:20
Start date: 02/12/2021 (day-first: 2 December 2021, consistent with the 20211202 PowerShell transcript path in the dropped-file list)
Sample file name: Dhl Document.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Platform: WINDOWS
Sample MD5: d57a8c6be775cfda05331c6eade17990
Sample SHA1: 355ef1430b4d4a13f3e052c5a90d753f2b3aa217
Sample SHA256: 755a275609bd07b357f67e004658587babe3dcbf96803542fa31a0aa7c46ca2c
File type (TrID): Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Remaining header flags and scores, unlabeled in the dump: true, false, false, false, 100, 0, 100, 5, 0, 5, false
Dropped files (each record: path, flag as dumped, MD5, SHA1, SHA256; hash algorithms identified by digest length)

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dhl Document.exe.log
  flag: true
  MD5: D918C6A765EDB90D2A227FE23A3FEC98
  SHA1: 8BA802AD8D740F114783F0DADC407CBFD2A209B3
  SHA256: AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  flag: false
  MD5: 29076BED77EE82117C06813B958A7EB6
  SHA1: BF19365BB1A0F8ABB88CA851420FAE080CF6CCE6
  SHA256: D297ED450E3C37B1CC14DA2B8ADDBF91F5BE456F94BBDE04C5BC647ECB606FCB

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_c34bfuwd.g5h.psm1
  flag: false
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_grjwx1jg.2gk.ps1
  flag: false
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
  (both __PSScriptPolicyTest_* files carry the well-known digests of the single byte "1", the probe file PowerShell writes to test the execution policy)

C:\Users\user\AppData\Local\Temp\tmp99D5.tmp
  flag: true
  MD5: 56F79EA0543ABF6CA3076A9EBF4A996A
  SHA1: 30478342707F00023433CC44170103E21F8AF9A3
  SHA256: 81970EA7CC0AC18E7D9C123F82D461A7C759B4582D1142C82556F570A7BA6A42

C:\Users\user\AppData\Roaming\JAaohjCzCabuOZ.exe
  flag: true
  MD5: D57A8C6BE775CFDA05331C6EADE17990
  SHA1: 355EF1430B4D4A13F3E052C5A90D753F2B3AA217
  SHA256: 755A275609BD07B357F67E004658587BABE3DCBF96803542FA31A0AA7C46CA2C
  (all three digests equal the submitted sample's, so this is a byte-identical self-copy into the user's Roaming profile)

C:\Users\user\AppData\Roaming\JAaohjCzCabuOZ.exe:Zone.Identifier
  flag: false
  MD5: 187F488E27DB4AF347237FE461A079AD
  SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
  SHA256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

C:\Users\user\AppData\Roaming\f3glpbjl.kfl\Chrome\Default\Cookies
  flag: false
  MD5: A7FE10DA330AD03BF22DC9AC76BBB3E4
  SHA1: 1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803
  SHA256: 8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8

C:\Users\user\Documents\20211202\PowerShell_transcript.960781.syu29+yj.20211202185323.txt
  flag: false
  MD5: A14F489B5B1730BD452EACA83B1F8F99
  SHA1: E848A15315E4B70BB3E9135C4670B78265D54970
  SHA256: 4A6CF87095059407475048DD2372544158B1910028F30EA3069E820AA08C79CC
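The correlations an analyst would make over the dropped-file list (self-copy detection by digest, the "1"-byte PowerShell policy probes, the Zone.Identifier stream, a Cookies database outside the real Chrome profile) can be scripted. The following is an added example and not part of the report: the record layout of path, flag, MD5, SHA1, SHA256 is inferred from the dump, the paths and digests are copied from it, and only a subset of the records is embedded so the block stays short.

```python
"""Triage helper for flat sandbox dropped-file records (added example)."""
import hashlib
import re

# Digest lengths (hex chars) used to validate each field.
HEX = {"md5": 32, "sha1": 40, "sha256": 64}

# SHA256 of the submitted sample, copied from the report header.
SAMPLE_SHA256 = "755a275609bd07b357f67e004658587babe3dcbf96803542fa31a0aa7c46ca2c"

# Subset of the report's field stream: path, flag, MD5, SHA1, SHA256 per file.
RAW_FIELDS = [
    r"C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_grjwx1jg.2gk.ps1", "false",
    "C4CA4238A0B923820DCC509A6F75849B",
    "356A192B7913B04C54574D18C28D46E6395428AB",
    "6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B",
    r"C:\Users\user\AppData\Roaming\JAaohjCzCabuOZ.exe", "true",
    "D57A8C6BE775CFDA05331C6EADE17990",
    "355EF1430B4D4A13F3E052C5A90D753F2B3AA217",
    "755A275609BD07B357F67E004658587BABE3DCBF96803542FA31A0AA7C46CA2C",
    r"C:\Users\user\AppData\Roaming\JAaohjCzCabuOZ.exe:Zone.Identifier", "false",
    "187F488E27DB4AF347237FE461A079AD",
    "6693BA299EC1881249D59262276A0D2CB21F8E64",
    "255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309",
    r"C:\Users\user\AppData\Roaming\f3glpbjl.kfl\Chrome\Default\Cookies", "false",
    "A7FE10DA330AD03BF22DC9AC76BBB3E4",
    "1805CB7A2208BAEFF71DCB3FE32DB0CC935CF803",
    "8D6B84A96429B5C672838BF431A47EC59655E561EBFBB4E63B46351D10A7AAD8",
]


def parse_records(fields):
    """Group the flat stream into dicts, validating every digest by hex length."""
    if len(fields) % 5:
        raise ValueError("field stream is not a multiple of 5")
    records = []
    for i in range(0, len(fields), 5):
        path, flag, md5, sha1, sha256 = fields[i:i + 5]
        rec = {"path": path, "flag": flag == "true",
               "md5": md5.lower(), "sha1": sha1.lower(), "sha256": sha256.lower()}
        for algo, length in HEX.items():
            if not re.fullmatch(r"[0-9a-f]{%d}" % length, rec[algo]):
                raise ValueError(f"{path}: bad {algo} value {rec[algo]!r}")
        records.append(rec)
    return records


def hashes_of(content: bytes):
    """MD5/SHA1/SHA256 of a byte string, keyed like the records."""
    return {algo: getattr(hashlib, algo)(content).hexdigest() for algo in HEX}


# PowerShell writes a one-byte "1" file to probe the execution policy; files
# with exactly these digests are that probe, not malware content.
POLICY_TEST = hashes_of(b"1")

# Where Chrome really keeps its profile; a Cookies DB elsewhere was copied out.
REAL_CHROME_PROFILE = r"\appdata\local\google\chrome\user data\\"


def triage(records, sample_sha256=SAMPLE_SHA256):
    """Return {path: [tags]} with the first-pass correlations for each record."""
    out = {}
    for rec in records:
        tags = []
        low = rec["path"].lower()
        if rec["sha256"] == sample_sha256.lower():
            tags.append("byte-identical copy of the sample")
        if low.endswith(":zone.identifier"):
            tags.append("Mark-of-the-Web ADS on a dropped file")
        if all(rec[a] == POLICY_TEST[a] for a in HEX):
            tags.append("PowerShell execution-policy probe (content '1')")
        if low.endswith(r"\chrome\default\cookies") and REAL_CHROME_PROFILE not in low:
            tags.append("Chrome Cookies DB outside the real profile directory")
        out[rec["path"]] = tags
    return out


if __name__ == "__main__":
    for path, tags in triage(parse_records(RAW_FIELDS)).items():
        print(path, "->", tags or ["no correlation"])
```

The digest check is the reliable part: a self-copy is proven by an identical SHA256, not by the file name, and the policy-probe digests are constant across every Windows host, so both correlations transfer unchanged to other reports.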
Contacted hosts (IP, domain, flag as dumped)

208.91.199.224  us2.smtp.mailhostbox.com  false
208.91.199.224  smtp.4plqroup.com         true
unknown

Both names resolve to the same address and are SMTP hostnames, which fits the mail-credential theft and malware-configuration signatures below.
Behaviour signatures (titles as emitted by the sandbox)

Tries to steal Mail credentials (via file / registry access)
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Multi AV Scanner detection for submitted file
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Sigma detected: Suspicius Add Task From User AppData Temp
Yara detected AntiVM3
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Multi AV Scanner detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
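Three of the signatures above are Sigma process-creation rules. As an added example, not part of the report and not the SigmaHQ rule bodies, the following Python implements a simplified reading of each rule title and runs it over constructed Sysmon-style events. The command lines, the Defender exclusion target, the scheduled-task name and the choice of RegSvcs.exe as the sacrificial host are assumptions; only the file paths are taken from the dropped-file list, and the rule titles are quoted verbatim from the report.

```python
"""Simplified Sigma-style rules for three signatures in the report (added example)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation event (Sysmon EID 1 fields used here)."""
    image: str
    command_line: str


# Host binaries commonly started with no arguments so a payload can be injected.
SACRIFICIAL = ("\\regasm.exe", "\\regsvcs.exe", "\\msbuild.exe",
               "\\installutil.exe", "\\aspnet_compiler.exe")


def rule_defender_exclusion(ev: ProcEvent) -> bool:
    """Add-/Set-MpPreference with any -Exclusion* switch."""
    cl = ev.command_line.lower()
    return (("add-mppreference" in cl or "set-mppreference" in cl)
            and re.search(r"-exclusion(path|process|extension)\b", cl) is not None)


def rule_task_from_appdata_temp(ev: ProcEvent) -> bool:
    """schtasks /Create whose command line references a user AppData location."""
    cl = ev.command_line.lower()
    if not ev.image.lower().endswith("\\schtasks.exe") or "/create" not in cl:
        return False
    return any(p in cl for p in ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\"))


def rule_sacrificial_no_args(ev: ProcEvent) -> bool:
    """Sacrificial host binary launched with a command line that is only the image."""
    img = ev.image.lower()
    if not img.endswith(SACRIFICIAL):
        return False
    return ev.command_line.strip().strip('"').lower() == img


RULES = {
    "Powershell Defender Exclusion": rule_defender_exclusion,
    "Suspicius Add Task From User AppData Temp": rule_task_from_appdata_temp,
    "Bad Opsec Defaults Sacrificial Processes With Improper Arguments":
        rule_sacrificial_no_args,
}


def evaluate(ev: ProcEvent):
    """Names of the rules that fire for one event, sorted for stable output."""
    return sorted(name for name, fn in RULES.items() if fn(ev))


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed events. Exclusion target, task name and the use of tmp99D5.tmp
# as task XML are assumptions; the Roaming and Temp paths are from the report.
EVENTS = [
    ProcEvent(PS, f'"{PS}" Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'),
    ProcEvent(SCHTASKS, f'"{SCHTASKS}" /Create /TN "Updates\\JAaohjCzCabuOZ" '
                        r'/XML "C:\Users\user\AppData\Local\Temp\tmp99D5.tmp"'),
    ProcEvent(REGSVCS, REGSVCS),
    # Benign controls: a task query and a read-only Defender call fire nothing.
    ProcEvent(SCHTASKS, f'"{SCHTASKS}" /Query /TN "Microsoft\\Windows\\Defrag\\ScheduledDefrag"'),
    ProcEvent(PS, f'"{PS}" Get-MpPreference'),
]


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.command_line, "->", evaluate(ev) or ["no match"])
```

The no-argument check in the third rule is what gives the "Bad Opsec Defaults" signature its name: a legitimately invoked RegSvcs.exe or MSBuild.exe always carries an assembly or project argument, so an empty command line is the tell, independent of which binary was chosen.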