Sandbox analysis report: SHIPMENT DOCUMENTS.exe

Sandbox:              Joe Sandbox 36.0.0 Rainbow Opal (product: CloudBasic)
Report type:          IR (field is unlabelled in the source)
Analysis ID:          756110
Start date and time:  29/11/2022 16:42:18
Sample file name:     SHIPMENT DOCUMENTS.exe
Cookbook file name:   default.jbs
Analysis system:      Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Platform:             WINDOWS

Submitted sample
MD5:     12dc06d3034a17be7a70a4aa45edce8d
SHA1:    9b68ae25498a12f19360dc0dc023af61ca9bfa9d
SHA256:  91826efe412b5c829801d1c52fbb43225cf1f0fc4cba201453ad877341c64b90
File type (TrID):  Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Detection
Score:   100 (range 0-100)
Other scalar fields, unlabelled in the source and kept as extracted: true, false, false, false; 5, 0, 5; false
Dropped files (path; flagged malicious by the sandbox; MD5; SHA1; SHA256)

1. C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
   malicious: false
   MD5:    3DCF580A93972319E82CAFBC047D34D5
   SHA1:   8528D2A1363E5DE77DC3B1142850E51EAD0F4B6B
   SHA256: 40810E31F1B69075C727E6D557F9614D5880112895FF6F4DF1767E87AE5640D1

2. C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
   malicious: false
   MD5:    37EE5D1705C30E983C3B068D6F6F6004
   SHA1:   94570FA7C66A5A4199A49647CBDFA69B85AACFFB
   SHA256: 38E5CB69BAED0165FBE956D68D52E0B226806006A8952DE0D8C602B25D024684

3. C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SHIPMENT DOCUMENTS.exe.log
   malicious: true
   MD5:    69206D3AF7D6EFD08F4B4726998856D3
   SHA1:   E778D4BF781F7712163CF5E2F5E7C15953E484CF
   SHA256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87

4. C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cnWCiicEpxW.exe.log
   malicious: false
   MD5:    69206D3AF7D6EFD08F4B4726998856D3
   SHA1:   E778D4BF781F7712163CF5E2F5E7C15953E484CF
   SHA256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87

5. C:\Users\user\AppData\Local\Temp\tmp2A80.tmp
   malicious: true
   MD5:    D452BE05EEC71DF72B608581ADB5DCC8
   SHA1:   36F9E125299B3DC5751091A6F91B9183E587229F
   SHA256: 5646F4B081F4451AA51F15E1F1803831B170AD7251DB920F06E75269658C0466

6. C:\Users\user\AppData\Local\Temp\tmpC7C9.tmp
   malicious: false
   MD5:    D452BE05EEC71DF72B608581ADB5DCC8
   SHA1:   36F9E125299B3DC5751091A6F91B9183E587229F
   SHA256: 5646F4B081F4451AA51F15E1F1803831B170AD7251DB920F06E75269658C0466

7. C:\Users\user\AppData\Roaming\cnWCiicEpxW.exe
   malicious: true
   MD5:    12DC06D3034A17BE7A70A4AA45EDCE8D
   SHA1:   9B68AE25498A12F19360DC0DC023AF61CA9BFA9D
   SHA256: 91826EFE412B5C829801D1C52FBB43225CF1F0FC4CBA201453AD877341C64B90

Reading the table: entry 7 carries exactly the hashes of the submitted sample (the report prints the sample's hashes in lower case and the dropped-file hashes in upper case), so the file in Roaming is a byte-identical self-copy. Entries 3 and 4 are identical (the same CLR usage log written under both process names), and entries 5 and 6 are identical as well (the same Temp file written twice); in each identical pair the sandbox flags only the first copy as malicious.
Contacted IPs
199.79.62.12
3.232.242.170
52.20.78.240

Domains (name; flagged malicious; resolved IP)
mail.southernboilers.org       false   199.79.62.12
api.ipify.org.herokudns.com    false   52.20.78.240
windowsupdatebg.s.llnwi.net    false   178.79.242.0
api.ipify.org                  false   unknown
URL strings (100 entries). Every entry has the same two trailing fields in the source, malicious: false and IP/reputation: unknown, so only the URL is listed here. Trailing characters such as "0", "0G", "03" or "DPlease" are string-carving residue and are kept exactly as extracted.

http://127.0.0.1:HTTP/1.1
http://www.certplus.com/CRL/class3.crl0
http://www.e-me.lv/repository0
http://www.acabogacia.org/doc0
http://crl.chambersign.org/chambersroot.crl0
http://ocsp.suscerte.gob.ve0
http://www.postsignum.cz/crl/psrootqca2.crl02
http://mail.southernboilers.org
http://crl.dhimyotis.com/certignarootca.crl0
http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
http://www.chambersign.org1
http://www.pkioverheid.nl/policies/root-policy0
http://repository.swisssign.com/0
http://www.fontbureau.com/designers
http://www.pki.admin.ch/polic
http://www.suscerte.gob.ve/lcr0#
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
http://crl.ssc.lt/root-c/cacrl.crl0
http://postsignum.ttc.cz/crl/psrootqca2.crl0
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
http://ca.disig.sk/ca/crl/ca_disig.crl0
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
http://www.certplus.com/CRL/class3P.crl0
http://www.sajatypeworks.com
http://www.founder.com.cn/cn/cThe
http://www.suscerte.gob.ve/dpc0
http://www.certeurope.fr/reference/root2.crl0
http://www.certplus.com/CRL/class2.crl0
http://www.disig.sk/ca/crl/ca_disig.crl0
http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
http://www.defence.gov.au/pki0
http://www.galapagosdesign.com/DPlease
http://www.sk.ee/cps/0
http://www.globaltrust.info0=
http://www.anf.es
http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
http://www.urwpp.deDPlease
http://www.zhongyicts.com.cn
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://pki.registradores.org/normativa/index.htm0
http://cps.root-x1.letsencrypt.org0
http://policy.camerfirma.com0
http://www.ssc.lt/cps03
http://ocsp.pki.gva.es0
http://www.anf.es/es/address-direccion.html
https://www.anf.es/address/)1(0&
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
http://bvQtmz.com
http://ca.mtin.es/mtin/ocsp0
http://cps.letsencrypt.org0
http://crl.ssc.lt/root-b/cacrl.crl0
http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
http://www.certicamara.com/dpc/0Z
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
http://crl.pki.wellsfargo.com/wsprca.crl0
https://wwww.certigna.fr/autorites/0m
http://www.dnie.es/dpc0
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
http://ca.mtin.es/mtin/DPCyPoliticas0
https://www.anf.es/AC/ANFServerCA.crl0
http://www.globaltrust.info0
http://certificates.starfieldtech.com/repository/1604
http://acedicom.edicomgroup.com/doc0
http://www.certplus.com/CRL/class3TS.crl0
http://crl.microsoft.
https://crl.anf.es/AC/ANFServerCA.crl0
http://www.carterandcone.coml
http://www.certeurope.fr/reference/pc-root2.pdf0
https://9psarY6l5Bj.org
http://ac.economia.gob.mx/last.crl0G
http://www.fontbureau.com/designers/frere-jones.html
https://www.catcert.net/verarrel
http://www.disig.sk/ca0f
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
http://www.e-szigno.hu/RootCA.crl
http://www.sk.ee/juur/crl/0
http://crl.chambersign.org/chambersignroot.crl0
http://crl.xrampsecurity.com/XGCA.crl0
http://certs.oati.net/repository/OATICA2.crl0
http://crl.oces.trust2408.com/oces.crl0
http://www.quovadis.bm0
https://eca.hinet.net/repository0
http://crl.ssc.lt/root-a/cacrl.crl0
http://certs.oaticerts.com/repository/OATICA2.crl
http://www.trustdst.com/certificates/policy/ACES-index.html0
http://certs.oati.net/repository/OATICA2.crt0
http://www.accv.es00
http://www.pkioverheid.nl/policies/root-policy-G20
https://www.netlock.net/docs
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
http://www.e-trust.be/CPS/QNcerts
http://ocsp.ncdc.gov.sa0
http://www.fontbureau.com/designersG
http://fedir.comsign.co.il/crl/ComSignCA.crl0
http://www.fontbureau.com/designers/?
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
http://web.ncdc.gov.sa/crl/nrcaparta1.crl
http://www.datev.de/zertifikat-policy-int0
http://www.founder.com.cn/cn/bThe

Most of these are CRL, OCSP or certificate-policy references from root CAs, or font-vendor pages; such strings are commonly carved from certificate stores and fonts loaded into the process rather than from the sample's own configuration, so they are weak indicators on their own. The entries worth checking against the rest of the report are http://mail.southernboilers.org (the same host appears in the contacted-domain table), the Tor Browser download string, and the random-looking http://bvQtmz.com and https://9psarY6l5Bj.org.
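The two observations above (the Roaming self-copy and the pairwise-identical dropped files, plus the noise in the URL table) can be checked mechanically. The script below is an added example written for this page, not code from the sandbox or its report: the dropped-file records and the sample hash are copied from the tables above, URL_SUBSET is a hand-picked subset of the report's URL strings, and the noise heuristic (which substrings mark a string as a certificate-store or font artefact) is the editor's assumption.

```python
"""Triage helpers for the dropped-file and URL tables in the report above.

Editor's added example, not part of the sandbox report. DROPPED and
SAMPLE_SHA256 are copied from the report; URL_SUBSET is a hand-picked
subset of the report's URL strings; the NOISE heuristic is an assumption.
"""
import re
from collections import defaultdict

# SHA256 of the submitted sample, as printed in the report (lower case)
SAMPLE_SHA256 = "91826efe412b5c829801d1c52fbb43225cf1f0fc4cba201453ad877341c64b90"

# (path, flagged malicious by the sandbox, SHA256) from the dropped-files table
DROPPED = [
    (r"C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506",
     False, "40810E31F1B69075C727E6D557F9614D5880112895FF6F4DF1767E87AE5640D1"),
    (r"C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506",
     False, "38E5CB69BAED0165FBE956D68D52E0B226806006A8952DE0D8C602B25D024684"),
    (r"C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SHIPMENT DOCUMENTS.exe.log",
     True, "A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87"),
    (r"C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cnWCiicEpxW.exe.log",
     False, "A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87"),
    (r"C:\Users\user\AppData\Local\Temp\tmp2A80.tmp",
     True, "5646F4B081F4451AA51F15E1F1803831B170AD7251DB920F06E75269658C0466"),
    (r"C:\Users\user\AppData\Local\Temp\tmpC7C9.tmp",
     False, "5646F4B081F4451AA51F15E1F1803831B170AD7251DB920F06E75269658C0466"),
    (r"C:\Users\user\AppData\Roaming\cnWCiicEpxW.exe",
     True, "91826EFE412B5C829801D1C52FBB43225CF1F0FC4CBA201453AD877341C64B90"),
]

# Hand-picked subset of the report's URL strings; trailing carving residue
# such as "0" is kept exactly as the report prints it.
URL_SUBSET = [
    "http://mail.southernboilers.org",
    "http://bvQtmz.com",
    "https://9psarY6l5Bj.org",
    "http://www.certplus.com/CRL/class3.crl0",
    "http://ocsp.suscerte.gob.ve0",
    "http://cps.letsencrypt.org0",
    "http://www.fontbureau.com/designers",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
]

# Assumption: substrings typical of CRL / OCSP / certificate-policy references
# and font-vendor pages. These are usually carved from certificate stores and
# fonts loaded into the process, not from the sample's own configuration.
NOISE = re.compile(r"crl|ocsp|cps|polic|repository|pki|cert|root|dpc|font|typeworks|design", re.I)


def self_copies(sample_sha256, dropped):
    """Dropped files whose SHA256 equals the submitted sample's (case-insensitive,
    because the report mixes lower- and upper-case hex)."""
    want = sample_sha256.lower()
    return [path for path, _flag, sha in dropped if sha.lower() == want]


def duplicate_groups(dropped):
    """Map SHA256 -> paths for every hash written to two or more locations."""
    groups = defaultdict(list)
    for path, _flag, sha in dropped:
        groups[sha.lower()].append(path)
    return {sha: paths for sha, paths in groups.items() if len(paths) > 1}


def triage_urls(urls):
    """Split URL strings into 'pki_noise' (likely carved artefacts) and
    'review' (everything else), preserving the report's order."""
    out = {"pki_noise": [], "review": []}
    for url in urls:
        out["pki_noise" if NOISE.search(url) else "review"].append(url)
    return out


if __name__ == "__main__":
    print("self-copies of the sample:", self_copies(SAMPLE_SHA256, DROPPED))
    for sha, paths in duplicate_groups(DROPPED).items():
        print("identical content", sha[:12], "->", paths)
    for bucket, urls in triage_urls(URL_SUBSET).items():
        print(bucket, urls)
```

The noise filter is a first pass only: a bare CA host such as http://www.anf.es carries none of the keywords and would land in the review bucket, and the .NET claims URI from schemas.xmlsoap.org is framework residue rather than an indicator. Treat the review bucket as a shortlist to compare against the contacted-domain table, not as a verdict.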
Signatures triggered

Credential and data theft
 - Tries to steal Mail credentials (via file / registry access)
 - Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
 - Tries to harvest and steal ftp login credentials
 - Tries to harvest and steal browser information (history, passwords, etc)
 - May check the online IP address of the machine

Evasion and anti-analysis
 - Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
 - Yara detected AntiVM3
 - Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
 - Queries sensitive BIOS information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Injection and persistence
 - Injects a PE file into a foreign process
 - Uses schtasks.exe or at.exe to add and modify task schedules
 - Sigma detected: Scheduled temp file as task from temp location

Static findings on the .NET sample
 - Initial sample is a PE file and has a suspicious name
 - .NET source code references suspicious native API functions
 - .NET source code contains potential unpacker
 - .NET source code contains method to dynamically call methods (often used by packers)
 - .NET source code contains very large array initializations

Family and scanner verdicts
 - Yara detected AgentTesla
 - Malicious sample detected (through community Yara rule)
 - Multi AV Scanner detection for submitted file
 - Multi AV Scanner detection for dropped file
 - Machine Learning detection for sample
 - Machine Learning detection for dropped file
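The persistence signatures above (a task scheduled from a file in Temp via schtasks.exe, and a self-copy dropped under Roaming) are the two behaviours most easily caught from endpoint process-creation telemetry. The script below is an added example written for this page, not the sandbox's own Sigma rule or detection code: the event records are constructed in Sysmon Event ID 1 style (the task name, command lines and parent images are invented test data, not values from the report), and the matching logic is the editor's approximation of the rule titled "Scheduled temp file as task from temp location" rather than its exact definition.

```python
"""Process-creation detections for the two persistence behaviours listed above.

Editor's added example, not the sandbox's Sigma rule or code. EVENTS are
constructed Sysmon Event ID 1 style records; the Temp paths, task name and
parent images are invented test data.
"""
import re

# Constructed events: index 0 mirrors the report's "scheduled temp file as task"
# behaviour, index 3 mirrors the dropped self-copy starting from Roaming.
EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\SHIPMENT DOCUMENTS.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates" '
                    r'/XML "C:\Users\user\AppData\Local\Temp\tmp2A80.tmp"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks /Create /SC DAILY /TN Nightly /TR C:\Tools\backup.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"schtasks /Query /TN Nightly"},
    {"Image": r"C:\Users\user\AppData\Roaming\cnWCiicEpxW.exe",
     "ParentImage": r"C:\Users\user\Desktop\SHIPMENT DOCUMENTS.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\cnWCiicEpxW.exe"'},
    {"Image": r"C:\Program Files\Example\example.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Example\example.exe"'},
]

# User-writable temp locations; a task definition read from one of these is the
# signal the Sigma rule title describes.
TEMP_DIRS = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
# "/create" as a separate token, so "/create" inside a quoted path does not count
CREATE_SWITCH = re.compile(r"(^|\s)/create(\s|$)", re.I)


def scheduled_task_from_temp_file(event):
    """schtasks.exe creating a task whose command line references a Temp path."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    return (image.endswith("\\schtasks.exe")
            and CREATE_SWITCH.search(cmd) is not None
            and TEMP_DIRS.search(cmd) is not None)


def binary_launched_from_roaming(event):
    """An .exe started directly from %AppData%\\Roaming (no subdirectory)."""
    return re.search(r"\\AppData\\Roaming\\[^\\]+\.exe$",
                     event.get("Image", ""), re.I) is not None


RULES = [
    ("scheduled_task_from_temp_file", scheduled_task_from_temp_file),
    ("binary_launched_from_roaming", binary_launched_from_roaming),
]


def run_detections(events):
    """Return (event index, rule name) for every rule that fires."""
    hits = []
    for idx, event in enumerate(events):
        for name, rule in RULES:
            if rule(event):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in run_detections(EVENTS):
        print(f"event {idx}: {name} <- {EVENTS[idx]['CommandLine']}")
```

The Temp-task rule is precise enough to alert on; the Roaming rule is a hunting query rather than an alert, since legitimate per-user installers also run executables from Roaming, and it should be combined with the parent image (here a document-named executable from the user's Desktop) before it is escalated.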