34.0.0 Boulder Opal
IR
626596
CloudBasic
15:11:11
14/05/2022
DHL_29028263 documento de recibo de la compra,pdf.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
87a264aa9aec9ce66f4b092363dd5adc
64a0954e622afb6d5e2a0256f179d14f112ec723
eab5b352e41de89be099054e396f61a942401ab1518186496bc11be1c857242f
Win32 Executable (generic) Net Framework (10011505/4) 49.79%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_29028263 documento de recibo de la compra,pdf.exe.log
true
3197B1D4714B56F2A6AC9E83761739AE
3B38010F0DF51C1D4D2C020138202DABB686741D
40586572180B85042FEFED9F367B43831C5D269751D9F3940BBC29B41E18E9F6
C:\Users\user\AppData\Roaming\window defender\window defender.exe
true
87A264AA9AEC9CE66F4B092363DD5ADC
64A0954E622AFB6D5E2A0256F179D14F112EC723
EAB5B352E41DE89BE099054E396F61A942401AB1518186496BC11BE1C857242F
C:\Users\user\AppData\Roaming\window defender\window defender.exe:Zone.Identifier
true
187F488E27DB4AF347237FE461A079AD
6693BA299EC1881249D59262276A0D2CB21F8E64
255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
37.0.14.197
37.0.14.197
true
https://github.com/syohex/java-simple-mine-sweeper
C:
false
unknown
https://github.com/syohex/java-simple-mine-sweeper
false
unknown
Found malware configuration
Initial sample is a PE file and has a suspicious name
Writes to foreign memory regions
Increases the number of concurrent connection per server for Internet Explorer
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Contains functionality to hide user accounts
Contains functionality to steal e-mail passwords
Machine Learning detection for sample
Allocates memory in foreign processes
Binary or sample is protected by dotNetProtector
Contains functionality to steal Chrome passwords or cookies
Machine Learning detection for dropped file
Yara detected UACMe UAC Bypass tool
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Yara detected AveMaria stealer
Hides that the sample has been downloaded from the Internet (zone.identifier)
Contains functionality to inject threads in other processes
Multi AV Scanner detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules