34.0.0 Boulder Opal
IR
541933
CloudBasic
08:41:10
18/12/2021
Ezd2mgg4EX.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
6c65ee8bd24f383e556c0daab80d0fcf
bb46aae89ea0ebd2dc395c19c493b70e15d65491
63182b1a23476536ec86e724c407f4680f349dd22442ad510c0024c23a9a5727
Win32 Executable (generic) a (10002005/4) 99.96%
true
false
false
false
100
0
100
5
0
5
false
Files (one entry per file: path, flag, MD5, SHA1, SHA256)

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\B637.exe.log
  flag:   true
  MD5:    65CF801545098D915A06D8318D296A01
  SHA1:   456149D5142C75C4CF74D4A11FF400F68315EBD0
  SHA256: 32E502D76DBE4F89AEE586A740F8D1CBC112AA4A14D43B9914C785550CCA130F

C:\Users\user\AppData\Local\Temp\6516.exe
  flag:   true
  MD5:    EC1105BE312FD184FFC9D7F272D64B87
  SHA1:   3C6B70AB854CC46448B55D8A057698C4568A85E2
  SHA256: 39CD27E2D57DB8BFEDFC31413679E5C4CB27274A45C0ACB98C0AD81905729CA5

C:\Users\user\AppData\Local\Temp\B637.exe
  flag:   true
  MD5:    F2F8A2B12CB2E41FFBE135B6ED9B5B7C
  SHA1:   F7133A7435BE0377A45D6A0BD0EF56BB0198E9BE
  SHA256: 6D969631CE713FC809012F3AA8FD56CF9EF564CC1C43D5BA85F06FDDC749E4A1

C:\Users\user\AppData\Local\Temp\E5A.exe
  flag:   true
  MD5:    BEF35F9066A40B684D7F6F611D3C93DB
  SHA1:   E0CE13BAF97E3CE7F8F752B0CB137E42DFBEC23A
  SHA256: B28E2CCDEC5649A87F3D40926C47EA9FA7EC0C2E2DBAAC756F4C3C5C120E41BD

C:\Users\user\AppData\Local\Temp\Wamozart6.dat
  flag:   false
  MD5:    B9D4D051E48D4E9AD194CEF9D1599C0E
  SHA1:   251207FDE809001616B9982CF142884848A51718
  SHA256: 5192A1C63E6BAC303A0766749559BBB25B7B3D442888D162976A0927F9E3F16C

C:\Users\user\AppData\Local\Temp\a.txt
  flag:   false
  MD5:    6C3AA179406696C66ACF8DC984ABC7DF
  SHA1:   7F66AB35CA41A3449382F9DA68864D64EC182F28
  SHA256: 798DF5B3298985AE022F8C5A6714F7891EAA49B2E4B24E3A8B2329C04DD11C71

C:\Users\user\AppData\Local\Temp\nsd324C.tmp\System.dll
  flag:   false
  MD5:    CFF85C549D536F651D4FB8387F1976F2
  SHA1:   D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
  SHA256: 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8

C:\Users\user\AppData\Roaming\rdrbsia
  flag:   true
  MD5:    6C65EE8BD24F383E556C0DAAB80D0FCF
  SHA1:   BB46AAE89EA0EBD2DC395C19C493B70E15D65491
  SHA256: 63182B1A23476536EC86E724C407F4680F349DD22442AD510C0024C23A9A5727

C:\Users\user\AppData\Roaming\rdrbsia:Zone.Identifier
  flag:   true
  MD5:    187F488E27DB4AF347237FE461A079AD
  SHA1:   6693BA299EC1881249D59262276A0D2CB21F8E64
  SHA256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
58.235.189.190
45.9.20.240
162.159.129.233
185.112.83.8
211.119.84.112
95.104.121.111
50.62.140.96
86.107.197.138
190.140.74.43
61.98.7.133
110.14.121.125
Domains (domain, flag, IP)

bastinscustomfab.com      true   50.62.140.96
cdn.discordapp.com        false  162.159.129.233
rcacademy.at              true   61.98.7.133
www.bastinscustomfab.com  true   unknown
Yara detected RedLine Stealer
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Detected unpacking (overwrites its own PE header)
Uses known network protocols on non-standard ports
Machine Learning detection for sample
Injects a PE file into a foreign processes
Yara detected SmokeLoader
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Deletes itself after installation
Detected unpacking (changes PE section rights)
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Checks if the current machine is a virtual machine (disk enumeration)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected GuLoader
Found malware configuration
Tries to steal Crypto Currency Wallets
Benign windows process drops PE files
.NET source code references suspicious native API functions
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
.NET source code contains method to dynamically call methods (often used by packers)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Multi AV Scanner detection for dropped file