Sandbox version: 34.0.0 Boulder Opal
IR
Analysis ID: 626539
CloudBasic
Time: 11:39:31
Date: 14/05/2022
Sample: Raeue.exe
Cookbook: default.jbs
Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Platform: WINDOWS
MD5: 47d09683fc102a85a7dea2516ca81fa3
SHA1: f64cc824abd8804458c3f31f06c16d0bec9338dd
SHA256: 848ce511daf9046ab1ab3bed080d5c20bdeb3fd0bebc016fc3af70b892ebb5c9
File type: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
Dropped files:
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Raeue.exe.log
  true
  MD5:    F4C7B39CFF5A2F242F694D97216F9E9C
  SHA1:   3905274915EFA33D4BAC01AE14829AAA5C5C044C
  SHA256: E300E29CDE7B77AADAD24A0157E5252EF754E842D21291AAE34D891E4DB15456
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Tyovqojh.exe.log
  false
  MD5:    91F948D29B57F0086ED4AB9F8447B315
  SHA1:   632D82F2FC4181137657F593BB7850A9F01A3EF3
  SHA256: 8D5276512C4BC5AA67979A8CC3CB3441DD9B837CA821037D49ECBF03CAE1B983
C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe
  true
  MD5:    47D09683FC102A85A7DEA2516CA81FA3
  SHA1:   F64CC824ABD8804458C3F31F06C16D0BEC9338DD
  SHA256: 848CE511DAF9046AB1AB3BED080D5C20BDEB3FD0BEBC016FC3AF70B892EBB5C9
C:\Users\user\AppData\Roaming\Iqbhgo\Tyovqojh.exe:Zone.Identifier
  true
  MD5:    187F488E27DB4AF347237FE461A079AD
  SHA1:   6693BA299EC1881249D59262276A0D2CB21F8E64
  SHA256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Roaming\Microsoft\microsoft.exe
  false
  MD5:    D621FD77BD585874F9686D3A76462EF1
  SHA1:   ABCAE05EE61EE6292003AABD8C80583FA49EDDA2
  SHA256: 2CA7CF7146FB8209CF3C6CECB1C5AA154C61E046DC07AFA05E8158F2C0DDE2F6
C:\Users\user\AppData\Roaming\gxhyyeyp.j44\Chrome\Default\Cookies
  false
  MD5:    00681D89EDDB6AD25E6F4BD2E66C61C6
  SHA1:   14B2FBFB460816155190377BBC66AB5D2A15F7AB
  SHA256: 8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
192.168.2.1
216.246.112.22
metalindus.cl
true
216.246.112.22
mail.metalindus.cl
true
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Found malware configuration
Creates multiple autostart registry keys
Writes to foreign memory regions
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc.)
Multi AV Scanner detection for submitted file
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign process
.NET source code contains very large array initializations
Sigma detected: MSBuild connects to smtp port
Machine Learning detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc.)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)