34.0.0 Boulder Opal
IR
626340
CloudBasic
21:31:28
13/05/2022
NEW ORDER.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
2ab185544e86862dab6a5e7a4413c49f
695efe1081e5b65894132e870f882b587ad4dfce
ae376c158f4f8a123ca19b3fe6c96a158c8f7f88257cf07de7987b33d376acb2
Win32 Executable (generic) Net Framework (10011505/4) 49.80%
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW ORDER.exe.log
C:\Users\user\AppData\Local\Temp\tmp354B.tmp
C:\Users\user\AppData\Roaming\IrUpgWwdRBJK.exe
166.62.10.145
mail.focuzauto.com
Tries to steal Mail credentials (via file / registry access)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Multi AV Scanner detection for submitted file
Tries to harvest and steal ftp login credentials
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Machine Learning detection for sample
Injects a PE file into a foreign process
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Snort IDS alert for network traffic
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)