34.0.0 Boulder Opal
IR
552910
CloudBasic
22:17:30
13/01/2022
14073.pdf.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
9a1ed8a91b684efc2fa60dc8d45b6f17
798e5f518a87e1f398050ab3f13afa96e42711c5
81cae546ba8f6dd7e3273f9ac9ef35e37c953e745a1d66d8aaf5a69a89555524
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\14073.pdf.exe.log
true
A9EFF9253CAF99EC8665E41D736DDAED
D95BB4ABC856D774DA4602A59DE252B4BF560530
DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\catch.exe.log
false
A9EFF9253CAF99EC8665E41D736DDAED
D95BB4ABC856D774DA4602A59DE252B4BF560530
DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
false
E4910040348AB3798965F5D1D8DC7D39
FBFADCE1AEE956A741D11AA3D37CE3B7C62FF8CF
D1F11E275D3484EB3BD67896F30438B0C3735D68E60699EC9254D1CED9EA63AD
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0z3esqt5.gbi.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_33ap3gfh.1im.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_afigv05e.qog.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kphty4vv.0bw.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qaumxzrj.pxk.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vwn0wwih.u3v.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\tmp380F.tmp
false
3922B7D05B5A397A345D85F6603B9E92
F0D16BBD95E83EA018F19E5D7AB37466390B09EC
E5C13A0E0797C5F3DCD6AF31DE1F1C8EF095BFD4F1A2A266FA39BF0E1FEDA23E
C:\Users\user\AppData\Local\Temp\tmp432F.tmp
true
3922B7D05B5A397A345D85F6603B9E92
F0D16BBD95E83EA018F19E5D7AB37466390B09EC
E5C13A0E0797C5F3DCD6AF31DE1F1C8EF095BFD4F1A2A266FA39BF0E1FEDA23E
C:\Users\user\AppData\Local\Temp\tmp5F2.tmp
false
3922B7D05B5A397A345D85F6603B9E92
F0D16BBD95E83EA018F19E5D7AB37466390B09EC
E5C13A0E0797C5F3DCD6AF31DE1F1C8EF095BFD4F1A2A266FA39BF0E1FEDA23E
C:\Users\user\AppData\Roaming\VIsRZvOkettN.exe
true
9A1ED8A91B684EFC2FA60DC8D45B6F17
798E5F518A87E1F398050AB3F13AFA96E42711C5
81CAE546BA8F6DD7E3273F9AC9EF35E37C953E745A1D66D8AAF5A69A89555524
C:\Users\user\AppData\Roaming\VIsRZvOkettN.exe:Zone.Identifier
true
187F488E27DB4AF347237FE461A079AD
6693BA299EC1881249D59262276A0D2CB21F8E64
255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Roaming\catch\catch.exe
true
9A1ED8A91B684EFC2FA60DC8D45B6F17
798E5F518A87E1F398050AB3F13AFA96E42711C5
81CAE546BA8F6DD7E3273F9AC9EF35E37C953E745A1D66D8AAF5A69A89555524
C:\Users\user\AppData\Roaming\catch\catch.exe:Zone.Identifier
true
187F488E27DB4AF347237FE461A079AD
6693BA299EC1881249D59262276A0D2CB21F8E64
255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Roaming\qzzk33fz.ae5\Chrome\Default\Cookies
false
3806E8153A55C1A2DA0B09461A9C882A
BD98AB2FB5E18FD94DC24BCE875087B5C3BB2F72
366E8B53CE8CC27C0980AC532C2E9D372399877931AB0CEA075C62B3CB0F82BE
C:\Users\user\Documents\20220113\PowerShell_transcript.414408.99XXTEOz.20220113221836.txt
false
CBB6CF211B9FB5A2179E244CAD6D21B3
110BA8997CFCBCF77E69DD5DFD98EBEDE0DFCD62
20198A79209A129FD320C8B2909548AC6D897861874744BEC6C79612D68C0B6E
C:\Users\user\Documents\20220113\PowerShell_transcript.414408.dpBaBVt0.20220113221936.txt
false
EC9E644977FBF8B96593C413F2630526
502376FE66668EF3B78718F3BCA7DA5F73259E55
82C8065A0C428A26C26CE4BA2FC2F3BEF6A89C5B873297BF6847DBAE7375045E
C:\Users\user\Documents\20220113\PowerShell_transcript.414408.wCeMqrw2.20220113221923.txt
false
13BD3324C75B1CAA8195790C162A4714
103FF6549995B1930FCD5BFD4B266DCF20DCAD03
1078D65F7188EA16C7976457A66721862A751F84FE7BE4E6B42111AD4ECB7088
208.91.199.224
us2.smtp.mailhostbox.com
false
208.91.199.224
smtp.tranpotescamdonic.us
false
unknown
Tries to steal Mail credentials (via file / registry access)
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Sigma detected: Suspicius Add Task From User AppData Temp
Yara detected AntiVM3
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses an obfuscated file name to hide its real file extension (double extension)
Multi AV Scanner detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)