Joe Sandbox analysis report (flattened export; the field labels below are reconstructed from the standard Joe Sandbox report layout, the export itself carries only the values)

Joe Sandbox version: 34.0.0 Boulder Opal
IR
Analysis ID: 625379
CloudBasic
Start time: 17:05:34
Start date: 12/05/2022
Sample file name: SecuriteInfo.com.W32.AIDetect.malware2.8516.exe
Cookbook: default.jbs
Analysis system: Windows 10 64 bit 20H2 Native physical machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Platform: WINDOWS

Sample hashes
MD5: 90e91d605fb261fa827093074c0d7178
SHA1: 1737b52ca846659954692ac55235addf749e405b
SHA256: 4700f996868b461bae3a5b57efcd8719169d0c9acb400fa77d6a36787b37b0e1
File type (TrID): Win32 Executable (generic) a (10002005/4) 99.96%

Detection
Malicious: true
Further classification flags: false, false, false (the flag names did not survive the export)
Score: 100 (range 0 - 100)
Confidence: 5 (range 0 - 5)
Whitelisted: false
Dropped files (Malicious flag per file as reported; nsz5764.tmp\System.dll is the NSIS installer's System plugin, which matches the NSIS error string in the URL list below, and \Device\ConDrv is the Windows console device, so that entry hashes captured console output rather than a file the sample wrote to disk)

C:\Users\user\AppData\Local\Temp\Aftapningers.unc
  Malicious: false
  MD5: 4F4AB714DFE3298940A65606E9D71F3D
  SHA1: ACAA9B62D1E2245695F551374C3B529AF49D378D
  SHA256: B9E09B4CE4FD0A5A9AF776CD64CDAD0C1B06FDA01B479E93B9B202B9F2927F4B
C:\Users\user\AppData\Local\Temp\Extracontinental91.lnk
  Malicious: false
  MD5: 7D6897C6C92B6D01EE66251C99676F53
  SHA1: B6FB27DA4E0570E15E6F0649F3BB51BCE7513333
  SHA256: B7C61310744BC6551E039639E78490EA1C0C39EDE8D501B7F558FF77AE531DB2
C:\Users\user\AppData\Local\Temp\nsz5764.tmp\System.dll
  Malicious: false
  MD5: CFF85C549D536F651D4FB8387F1976F2
  SHA1: D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
  SHA256: 8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
\Device\ConDrv
  Malicious: false
  MD5: 9F754B47B351EF0FC32527B541420595
  SHA1: 006C66220B33E98C725B73495FE97B3291CE14D9
  SHA256: 0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
Contacted IPs
149.154.167.220
216.58.212.142
142.250.186.33

Domains (name, reported IP, Malicious flag)
drive.google.com - 216.58.212.142 - malicious: false
api.telegram.org - 149.154.167.220 - malicious: false
googlehosted.l.googleusercontent.com - 142.250.186.33 - malicious: false
doc-04-bk-docs.googleusercontent.com - unknown - malicious: false
URLs (carved from process memory and network traffic; an IP is given where the URL was actually contacted and "unknown" where it was only found as a string; several entries are truncated or fused fragments and are reproduced exactly as reported)

https://Yp7sE2ZThKzSHqA.com - IP unknown - malicious: false
http://127.0.0.1:HTTP/1.1 - IP unknown - malicious: false
https://drive.google.com/5s( - IP unknown - malicious: false
https://api.telegram.org - IP unknown - malicious: false
https://api.telegram.org/bot5362707045:AAGBjkYF97cvI4xaEhJ1OrouiqS3umCPqqA/sendDocumentdocument----- - IP unknown - malicious: false
https://doc-04-bk-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/3q810s3jc95onm7rbud0rh2kvsckdceb/1652368050000/02385140022842422686/*/1o9xcx-d3Bxjd3qTkG604DI9J3fWxwqqB?e=download - IP 142.250.186.33 - malicious: false
https://doc-04-bk-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/3q810s3j - IP unknown - malicious: false
https://drive.google.com/ - IP unknown - malicious: false
https://api.telegram.org/ - IP unknown - malicious: false
https://doc-04-bk-docs.googleusercontent.com/R - IP unknown - malicious: false
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www - IP unknown - malicious: false
http://DynDns.comDynDNSnamejidpasswordPsi/Psi - IP unknown - malicious: false
https://api.ipify.org%t- - IP unknown - malicious: false
https://api.ipify.org%%startupfolder% - IP unknown - malicious: false
http://nsis.sf.net/NSIS_ErrorError - IP unknown - malicious: false
http://api.telegram.org - IP unknown - malicious: false
https://api.telegram.org/bot5362707045:AAGBjkYF97cvI4xaEhJ1OrouiqS3umCPqqA/sendDocument - IP 149.154.167.220 - malicious: false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name - IP unknown - malicious: false
http://yCCtaB.com - IP unknown - malicious: false
https://doc-04-bk-docs.googleusercontent.com/ - IP unknown - malicious: false
https://doc-04-bk-docs.googleusercontent.com/_ - IP unknown - malicious: false

Only two URLs resolved to an IP, and they tell the story of the run: the Google Drive "securesc ... ?e=download" fetch (consistent with GuLoader pulling its second stage from Drive) and the Telegram sendDocument call (consistent with the AgentTesla payload exfiltrating a stolen-data file through the Telegram bot API, as the signatures below also flag). The api.ipify.org, torproject and DynDNS/Psi "jid/password" strings are characteristic of the AgentTesla stealer the Yara rules matched. Note that the sendDocument URL contains the full bot token ("bot5362707045:AAGB..."), a live credential embedded in the sample; the numeric bot id 5362707045 is the stable part to pivot on for other samples built for the same bot, and the Malicious flag on every row is the sandbox's own verdict, not a reason to treat the Telegram and Drive rows as benign.
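The triage a responder would do on this URL table, as an added example (not part of the Joe Sandbox report or its tooling): it pulls the Telegram bot credential out of the carved strings, separates usable indicators from truncated or fused fragments, and runs a detection for Telegram bot-API exfiltration over web-proxy log lines. The URL list is copied from the report; the proxy log format, client IPs and the process names in it are constructed for the demo.

```python
"""Triage of the network indicators from the Joe Sandbox report above.

Added example, not part of the report or of Joe Sandbox: it pulls the
Telegram bot credential out of the carved URL strings, separates
usable indicators from truncated or fused string fragments, and runs
a detection over constructed web-proxy log lines. The proxy log
format, client IPs and process names are assumptions for the demo.
"""
import re
from urllib.parse import urlparse

# URLs exactly as they appear in the report's URL table.
REPORT_URLS = [
    "https://Yp7sE2ZThKzSHqA.com",
    "http://127.0.0.1:HTTP/1.1",
    "https://drive.google.com/5s(",
    "https://api.telegram.org",
    "https://api.telegram.org/bot5362707045:AAGBjkYF97cvI4xaEhJ1OrouiqS3umCPqqA/sendDocumentdocument-----",
    "https://doc-04-bk-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/3q810s3jc95onm7rbud0rh2kvsckdceb/1652368050000/02385140022842422686/*/1o9xcx-d3Bxjd3qTkG604DI9J3fWxwqqB?e=download",
    "https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www",
    "https://api.ipify.org%t-",
    "https://api.telegram.org/bot5362707045:AAGBjkYF97cvI4xaEhJ1OrouiqS3umCPqqA/sendDocument",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
]

# A Telegram bot token is "<numeric bot id>:<35-character secret>". The bot id
# alone is a stable pivot: every sample built for the same bot carries it.
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot(\d{8,10}):([A-Za-z0-9_-]{35})")


def extract_telegram_bots(urls):
    """Return {bot_id: token} for every Telegram bot credential found."""
    return {m.group(1): m.group(2)
            for u in urls for m in TELEGRAM_BOT_RE.finditer(u)}


def classify_url(url):
    """Label a carved string as c2, payload-download, fragment or reference."""
    if TELEGRAM_BOT_RE.search(url):
        return "c2"                      # bot credential is an IOC even in a fused string
    if url.count("://") > 1:
        return "fragment"                # two strings fused during carving
    p = urlparse(url)
    try:
        p.port                           # "127.0.0.1:HTTP" raises ValueError
    except ValueError:
        return "fragment"
    if not re.fullmatch(r"[a-z0-9.-]+", p.hostname or ""):
        return "fragment"                # e.g. "api.ipify.org%t-"
    if p.hostname == "api.telegram.org":
        return "c2"
    if p.hostname.endswith("googleusercontent.com") and "e=download" in p.query:
        return "payload-download"
    return "reference"


KNOWN_BAD_BOT_IDS = frozenset(extract_telegram_bots(REPORT_URLS))
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}
BOT_PATH_RE = re.compile(r"^/bot(\d+):[A-Za-z0-9_-]+/(\w+)")

# Constructed proxy log (not from the report), one request per line:
# time client process method host path bytes_out
SAMPLE = "SecuriteInfo.com.W32.AIDetect.malware2.8516.exe"
PROXY_LOG = f"""\
2022-05-12T17:06:01 10.0.0.15 chrome.exe GET drive.google.com /file/d/abc/view 512
2022-05-12T17:06:04 10.0.0.15 {SAMPLE} GET doc-04-bk-docs.googleusercontent.com /docs/securesc/x/y?e=download 300
2022-05-12T17:07:30 10.0.0.15 {SAMPLE} POST api.telegram.org /bot5362707045:AAGBjkYF97cvI4xaEhJ1OrouiqS3umCPqqA/sendDocument 184320
2022-05-12T17:08:00 10.0.0.22 python.exe POST api.telegram.org /bot1234567890:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB/getUpdates 210
2022-05-12T17:08:05 10.0.0.22 python.exe POST api.telegram.org /bot1234567890:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB/sendDocument 9100
"""


def find_telegram_exfil(log_text, allowed_clients=frozenset()):
    """Flag Telegram bot API traffic: any call for a known-bad bot id, and any
    file-upload method from a client not allow-listed as a legitimate bot host."""
    alerts = []
    for line in log_text.splitlines():
        ts, client, proc, _method, host, path, _out = line.split()
        if host != "api.telegram.org":
            continue
        m = BOT_PATH_RE.match(path)
        if not m:
            continue
        bot_id, api_method = m.groups()
        if bot_id in KNOWN_BAD_BOT_IDS:
            alerts.append((ts, client, proc, bot_id, "known bot id from report"))
        elif api_method in UPLOAD_METHODS and client not in allowed_clients:
            alerts.append((ts, client, proc, bot_id, "file upload via bot API"))
    return alerts


if __name__ == "__main__":
    print(extract_telegram_bots(REPORT_URLS))
    for u in REPORT_URLS:
        print(f"{classify_url(u):17} {u[:70]}")
    for a in find_telegram_exfil(PROXY_LOG):
        print("ALERT", a)
```

The second rule in find_telegram_exfil is the durable one: blocking or alerting on a single bot id only catches this build, whereas "file upload to api.telegram.org from a host that is not a known bot integration" catches the next AgentTesla build with a fresh token. Treat the bot id as the pivot and the token as something to report to Telegram, not something to key a signature on.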
Signatures (Joe Sandbox behaviour detections, grouped)

Detection and classification
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected AgentTesla
Yara detected Telegram RAT
Found malware configuration
C2 URLs / IPs found in malware configuration

Command and control
Uses the Telegram API (likely for C&C communication)

Credential theft
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Anti-analysis and VM detection
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
(The analysis system was a native physical machine, so these checks did not stop the sample from detonating; that is why the credential-theft and Telegram C2 behaviour above was observed at all. The same sample run in an ordinary VM-based sandbox may stop short of the payload.)

Injection
Writes to foreign memory regions
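The four credential-theft signatures above share one host-side detection: a process that is not the owning application reading the stores those applications keep. The following is an added example, not part of the Joe Sandbox report; the store locations are the real ones for PuTTY, WinSCP, FileZilla, Outlook, Thunderbird, Chrome and Firefox, while the event records and their shape (a flattened EDR or object-access audit record with process, operation and object path) are constructed for the demo.

```python
"""Host-side detection for the credential-theft signatures in the report.

Added example, not part of the Joe Sandbox report: it checks file and
registry accesses against the stores that AgentTesla-class stealers
read (mail clients, browsers, FTP clients, PuTTY and WinSCP) and flags
reads by any process other than the application that owns the store.
The event records are constructed for the demo and their shape (a
flattened EDR or object-access audit record) is an assumption; the
store locations are the real ones for those applications.
"""
import fnmatch
import re

SAMPLE = "SecuriteInfo.com.W32.AIDetect.malware2.8516.exe"

# Credential stores keyed by the process that legitimately reads them.
# Paths use %APPDATA% / %LOCALAPPDATA% / HKCU; events are normalised to the same form.
CREDENTIAL_STORES = {
    "putty.exe": [r"HKCU\Software\SimonTatham\PuTTY\Sessions*"],
    "winscp.exe": [r"HKCU\Software\Martin Prikryl\WinSCP 2\Sessions*"],
    "filezilla.exe": [r"%APPDATA%\FileZilla\recentservers.xml",
                      r"%APPDATA%\FileZilla\sitemanager.xml"],
    "outlook.exe": [r"HKCU\Software\Microsoft\Office\*\Outlook\Profiles*"],
    "thunderbird.exe": [r"%APPDATA%\Thunderbird\Profiles\*\logins.json",
                        r"%APPDATA%\Thunderbird\Profiles\*\key4.db"],
    "chrome.exe": [r"%LOCALAPPDATA%\Google\Chrome\User Data\*\Login Data"],
    "firefox.exe": [r"%APPDATA%\Mozilla\Firefox\Profiles\*\logins.json"],
}


def normalize(path):
    """Map concrete registry hives and user profile directories onto the
    placeholder form used in CREDENTIAL_STORES, lower-cased."""
    p = re.sub(r"^HKEY_CURRENT_USER\\", lambda _: "HKCU\\", path, flags=re.I)
    p = re.sub(r"^HKU\\S-1-5-21-[\d-]+\\", lambda _: "HKCU\\", p, flags=re.I)
    p = re.sub(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming\\", lambda _: "%APPDATA%\\", p, flags=re.I)
    p = re.sub(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\", lambda _: "%LOCALAPPDATA%\\", p, flags=re.I)
    return p.lower()


def credential_store_reads(events):
    """One alert per access to a credential store by a non-owning process."""
    alerts = []
    for ev in events:
        obj = normalize(ev["object"])
        for owner, patterns in CREDENTIAL_STORES.items():
            if ev["process"].lower() == owner:
                continue
            if any(fnmatch.fnmatchcase(obj, pat.lower()) for pat in patterns):
                alerts.append({"time": ev["time"], "process": ev["process"],
                               "store": owner, "object": ev["object"]})
    return alerts


def stealer_candidates(events, min_stores=3):
    """A single store read is noisy (backup agents, migration tools); a process
    that touches several unrelated stores is the stealer pattern."""
    touched = {}
    for a in credential_store_reads(events):
        touched.setdefault(a["process"], set()).add(a["store"])
    return {proc: sorted(stores) for proc, stores in touched.items()
            if len(stores) >= min_stores}


# Constructed events (not from the report); the SID is made up.
EVENTS = [
    {"time": "17:07:10", "process": "putty.exe", "op": "RegQueryValue",
     "object": r"HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\prod-db\HostName"},
    {"time": "17:07:12", "process": SAMPLE, "op": "RegQueryValue",
     "object": r"HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\prod-db\HostName"},
    {"time": "17:07:13", "process": SAMPLE, "op": "ReadFile",
     "object": r"C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml"},
    {"time": "17:07:14", "process": SAMPLE, "op": "ReadFile",
     "object": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"time": "17:07:15", "process": "chrome.exe", "op": "ReadFile",
     "object": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"time": "17:07:16", "process": SAMPLE, "op": "RegQueryValue",
     "object": r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email"},
    {"time": "17:07:20", "process": SAMPLE, "op": "ReadFile",
     "object": r"C:\Users\user\AppData\Local\Temp\Aftapningers.unc"},
]

if __name__ == "__main__":
    for a in credential_store_reads(EVENTS):
        print("ALERT", a["time"], a["process"], "->", a["store"])
    print(stealer_candidates(EVENTS))
```

Two design points matter in practice. Registry reads are not in Sysmon's default telemetry (it records sets, creates and renames), so the registry half needs object-access auditing with a SACL on the PuTTY, WinSCP and Outlook keys or an EDR that records RegQueryValue; and the min_stores threshold is what separates a stealer from a backup agent, since the stealer's signature is breadth across unrelated applications within seconds, not any one read.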