34.0.0 Boulder Opal
IR
624865
CloudBasic
07:44:26
12/05/2022
Sursdep.vbs
default.jbs
Windows 10 64 bit 20H2 Native physical machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
WINDOWS
MD5: 434578c759bef1db26fa7b3165ac84ad
SHA1: df84b67b8df35a4ab8770b9f3c3f370e26b7763a
SHA256: 5439ae4fe11fe9f6f264fc0d4617eefa997719d9b65be8745d3632b2203e3557
Visual Basic Script (13500/0) 100.00%
Found malware configuration
Writes to foreign memory regions
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Yara detected MSILDownloaderGeneric
Yara detected GuLoader