36.0.0 Rainbow Opal
IR
755440
CloudBasic
18:44:48
28/11/2022
PO-09784893 xlsx.vbs
default.jbs
Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
WINDOWS
bfa859d9ad7b23d3606ea13f525065a7
a1b3e395dc20bcdaa866b953a08a48d0079bace2
ec51e9ad23c469e82059bd497873749017e80e136053a25c7a752ffa18bf2002
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
false
677C4E3A07935751EA3B092A5E23232F
0BB391E66C6AE586907E9A8F1EE6CA114ACE02CD
D05D82E08469946C832D1493FA05D9E44926911DB96A89B76C2A32AC1CBC931F
C:\Users\user\AppData\Local\Temp\RESB964.tmp
false
2706F0D7F5DABC5A1CC721DBA692F1EB
CC65CD85D89F680C17DB16BE8E8CB58530E2EF11
620588E2053D963D41915EB65D5215C2F00626406C8BEABFDA33BB1EC8552DF8
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_azl1colp.uti.ps1
false
D17FE0A3F47BE24A6453E9EF58C94641
6AB83620379FC69F80C0242105DDFFD7D98D5D9D
96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nvcwr2p1.jka.psm1
false
D17FE0A3F47BE24A6453E9EF58C94641
6AB83620379FC69F80C0242105DDFFD7D98D5D9D
96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\u5h0ocqr\CSC31BB2AFB2CA9494684B4A57A653EBF6B.TMP
false
CF76A035E6CF5E68BABD2B2B1AD6E4C7
C1514CC6A2B7B4FFBD8F7EEBAD9E480571779443
1B0111D7F6316C3A023E61C0D21FF50A1D0FEC547E255F95FFBF1BE1A9112F6F
C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.0.cs
false
5275A510067D1ABB9D22D3925B1C219F
41B1A3E7A0EE598898BFDC2E5BFDF6A2D34E6D64
F44938B9BA94A2465515FD9EA6D319016294EAFA6EDC89A5D2E736195C3FA649
C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.cmdline
true
D434ED867F2BEDFD239B64F88AD3C65A
1E6F95BCE2D835E04769E0927CF7421589BCAE6C
D7682C0718ABFC7CE651D1D5D895036778C92A950C16A93065526AA52B508C27
C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.dll
false
CD3E785DA5D5237AA385B4CD2972B654
BA6615966F40545F716E729813BDC07F1D6A767F
5D2C059FED935989F937445329E7925092739DEFD1321AF96DFC48597DB599C6
C:\Users\user\AppData\Local\Temp\u5h0ocqr\u5h0ocqr.out
false
598DEDC2D4A52EA0EB3A1B60A9C9598E
7B6AB880BAB1FD92B78F4EEDE77E7B47E9E7B2E9
E1094BEB4B40ABBF826AA1549999F7482D93D3222BE8C13A4424E6F6BFC5C665
\Device\ConDrv
false
9F754B47B351EF0FC32527B541420595
006C66220B33E98C725B73495FE97B3291CE14D9
0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
192.185.145.188
185.31.121.136
ftp.mcmprint.net
false
185.31.121.136
b3solutionscws.com
false
192.185.145.188
http://b3solutionscws.com/wp-admin/includes/yyXYRRIJkuolPn153.fla
false
192.185.145.188
http://127.0.0.1:HTTP/1.1
false
unknown
http://nuget.org/NuGet.exe
false
unknown
http://pesterbdd.com/images/Pester.png
false
unknown
http://www.apache.org/licenses/LICENSE-2.0.html
false
unknown
https://go.micro
false
unknown
ftp://ftp.mcmprint.netnoffice
true
unknown
https://contoso.com/
false
unknown
https://nuget.org/nuget.exe
false
unknown
https://contoso.com/License
false
unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
false
unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi
false
unknown
https://contoso.com/Icon
false
unknown
http://OowQOv.com
false
unknown
http://hWFpSCunbgPMSZDs.net
false
unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
false
unknown
https://github.com/Pester/Pester
false
unknown
https://aka.ms/pscore6lBPl
false
unknown
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Malicious sample detected (through community Yara rule)
Yara detected AgentTesla
Sigma detected: Dot net compiler compiles file from suspicious location
Very long command line found
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected GuLoader
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)