Joe Sandbox version: 36.0.0 Rainbow Opal
IR
Analysis ID: 756116
CloudBasic
Analysis time: 16:49:16 29/11/2022
Sample: SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe
Cookbook: default.jbs
Analysis environment: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
MD5: fe1aa7fa995970ebb34465d5dc0d8ce1
SHA1: 7505b261cc9df8c6ab8f10e035cf8d8319043cdb
SHA256: 655b12a219d0f0e39a84fe44483e25411be852ce2bb0d451a1cb1a9a670f70b8
File type (TrID): Win32 Executable (generic) Net Framework (10011505/4) 49.80%
true
false
false
false
100
0
100
5
0
5
false
Dropped files (path, report flag, MD5, SHA1, SHA256):

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.log
  flag: true
  MD5: 69206D3AF7D6EFD08F4B4726998856D3
  SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
  SHA256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nrQtAokXKaSn.exe.log
  flag: false
  MD5: 69206D3AF7D6EFD08F4B4726998856D3
  SHA1: E778D4BF781F7712163CF5E2F5E7C15953E484CF
  SHA256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87

C:\Users\user\AppData\Local\Temp\tmp152E.tmp
  flag: true
  MD5: 03051B1F18A035DE03D059366AC0473E
  SHA1: 155345324D235531556DDFE9F16B9C056D4C9505
  SHA256: 92BF6136677687B06E7E22A50F24B0DD8B0B5FA6C3A89DA9516AAC6259ACA56D

C:\Users\user\AppData\Local\Temp\tmpCC0B.tmp
  flag: false
  MD5: 03051B1F18A035DE03D059366AC0473E
  SHA1: 155345324D235531556DDFE9F16B9C056D4C9505
  SHA256: 92BF6136677687B06E7E22A50F24B0DD8B0B5FA6C3A89DA9516AAC6259ACA56D

C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe
  flag: true
  MD5: FE1AA7FA995970EBB34465D5DC0D8CE1
  SHA1: 7505B261CC9DF8C6AB8F10E035CF8D8319043CDB
  SHA256: 655B12A219D0F0E39A84FE44483E25411BE852CE2BB0D451A1CB1A9A670F70B8

Note: the MD5/SHA1/SHA256 of C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe are identical (apart from letter case) to those of the submitted sample, so the file written to %APPDATA% is an unmodified self-copy, not a second-stage payload. The two Temp\tmp*.tmp files are byte-identical to each other, as are the two CLR UsageLogs entries; the report lists each hash twice because the paths differ.
Contacted IPs:
3.232.242.170
111.118.212.38
52.20.78.240

Domains (domain, report flag, resolved IP):
api.ipify.org.herokudns.com  false  52.20.78.240
strictfacilityservices.com  true  111.118.212.38
api.ipify.org  false  unknown
mail.strictfacilityservices.com  true  unknown
URLs found in memory or binary data (URL, report flag, resolved IP). Entries with trailing junk (e.g. http://www.fontbureau.comdH-u) or with several strings run together (e.g. https://api.ipify.orgmail.strictfacilityservices.comaccounts) are string-extraction artefacts of the sample's memory and are reproduced exactly as reported; only https://api.ipify.org/ has a resolved IP.

http://127.0.0.1:HTTP/1.1  false  unknown
http://www.fontbureau.com/designersG  false  unknown
http://www.fontbureau.com/designers/?  false  unknown
http://UrUbMY.com  false  unknown
http://www.founder.com.cn/cn/bThe  false  unknown
http://www.fontbureau.com/designers?  false  unknown
http://www.jiyu-kobo.co.jp/s-P  false  unknown
http://www.fontbureau.comdH-u  false  unknown
http://www.jiyu-kobo.co.jp/jp/&-c  false  unknown
http://strictfacilityservices.com  false  unknown
http://www.tiro.com  false  unknown
http://www.jiyu-kobo.co.jp/Y001  false  unknown
https://api.ipify.orgmail.strictfacilityservices.comaccounts  false  unknown
http://www.fontbureau.com/designers  false  unknown
http://www.galapagosdesign.com/staff/dennis.htm/  false  unknown
http://www.goodfont.co.kr  false  unknown
http://www.carterandcone.com  false  unknown
http://www.galapagosdesign.com/staff/dennis.htm2  false  unknown
http://www.jiyu-kobo.co.jp/--  false  unknown
http://www.sajatypeworks.com  false  unknown
http://www.typography.netD  false  unknown
http://www.founder.com.cn/cn/cThe  false  unknown
http://www.galapagosdesign.com/staff/dennis.htm  false  unknown
https://api.ipify.org  false  unknown
http://fontfabrik.com  false  unknown
http://www.fontbureau.comgrita  false  unknown
http://www.fontbureau.coms-P  false  unknown
http://www.ascendercorp.com/typedesigners.html/  false  unknown
http://www.fontbureau.comd--  false  unknown
http://www.fontbureau.comB.TTF  false  unknown
http://www.founder.com.cn/cn/d  false  unknown
http://www.fontbureau.comrsiv_-l  false  unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi  false  unknown
http://www.galapagosdesign.com/DPlease  false  unknown
http://www.fontbureau.comasF;-  false  unknown
http://www.fontbureau.comml-Y  false  unknown
http://www.fonts.com  false  unknown
http://www.sandoll.co.kr  false  unknown
http://www.carterandcone.com%(  false  unknown
http://www.urwpp.deDPlease  false  unknown
http://www.urwpp.de  false  unknown
http://www.zhongyicts.com.cn  false  unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name  false  unknown
http://www.sakkal.com  false  unknown
http://www.fontbureau.com.TTF  false  unknown
http://www.fontbureau.comalsd  false  unknown
https://api.ipify.org/  false  52.20.78.240
http://www.jiyu-kobo.co.jp/H-u  false  unknown
http://www.apache.org/licenses/LICENSE-2.0  false  unknown
http://www.fontbureau.com  false  unknown
http://www.galapagosdesign.com/  false  unknown
http://www.fontbureau.comF  false  unknown
http://mail.strictfacilityservices.com  false  unknown
http://www.jiyu-kobo.co.jp/P  false  unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www  false  unknown
http://www.jiyu-kobo.co.jp/;-  false  unknown
http://www.fontbureau.comdf  false  unknown
http://www.fontbureau.comcomt  false  unknown
http://www.jiyu-kobo.co.jp/jp/  false  unknown
http://www.fontbureau.comd  false  unknown
http://www.carterandcone.coml  false  unknown
http://www.urwpp.deeg  false  unknown
http://www.fontbureau.com/designers/cabarga.htmlN  false  unknown
http://www.fontbureau.comd&-c  false  unknown
http://www.founder.com.cn/cn  false  unknown
http://www.fontbureau.com/designers/frere-jones.html  false  unknown
http://www.fontbureau.comoitu  false  unknown
http://www.jiyu-kobo.co.jp/t  false  unknown
http://www.fontbureau.com/designers/cabarga.html  false  unknown
http://www.jiyu-kobo.co.jp/  false  unknown
http://www.zhongyicts.com.cno.  false  unknown
http://www.fontbureau.com/designers8  false  unknown
http://www.jiyu-kobo.co.jp/&-c  false  unknown
http://www.jiyu-kobo.co.jp/jp/--  false  unknown
http://www.jiyu-kobo.co.jp/_-l  false  unknown
http://www.fontbureau.comE.TTF  false  unknown
https://OPBeIPZ8XbJqLOvY6X.net  false  unknown
Behaviour signatures:
Installs a global keyboard hook
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Multi AV Scanner detection for submitted file
Tries to harvest and steal ftp login credentials
.NET source code references suspicious native API functions
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Machine Learning detection for sample
May check the online IP address of the machine
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Sigma detected: Scheduled temp file as task from temp location
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)
Snort IDS alert for network traffic
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
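Two of the findings above can be turned into mechanical checks: the dropped-file table shows the sample writing an unmodified copy of itself to %APPDATA% (same SHA256 as the submitted file), and the "Scheduled temp file as task from temp location" signature corresponds to schtasks.exe being invoked with /Create and an /XML file under the user's Temp directory. The script below is an added example and is not part of the Joe Sandbox report. The hashes and dropped-file paths are copied from the report; the process-creation events, the task name "Updates\nrQtAokXKaSn" and the function names are constructed for illustration, because the report does not include the actual command lines.

```python
"""Checks over the indicators listed in the report above.

Added example, not part of the Joe Sandbox report. Hashes and dropped-file
paths are copied from the report; the process-creation events (including the
task name "Updates\\nrQtAokXKaSn") are constructed for illustration.
"""
import re
from dataclasses import dataclass

# From the report: submitted sample SHA256 and the dropped-file table.
SUBMITTED_SHA256 = "655b12a219d0f0e39a84fe44483e25411be852ce2bb0d451a1cb1a9a670f70b8"
DROPPED = [
    (r"C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe.log",
     "A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87"),
    (r"C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nrQtAokXKaSn.exe.log",
     "A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87"),
    (r"C:\Users\user\AppData\Local\Temp\tmp152E.tmp",
     "92BF6136677687B06E7E22A50F24B0DD8B0B5FA6C3A89DA9516AAC6259ACA56D"),
    (r"C:\Users\user\AppData\Local\Temp\tmpCC0B.tmp",
     "92BF6136677687B06E7E22A50F24B0DD8B0B5FA6C3A89DA9516AAC6259ACA56D"),
    (r"C:\Users\user\AppData\Roaming\nrQtAokXKaSn.exe",
     "655B12A219D0F0E39A84FE44483E25411BE852CE2BB0D451A1CB1A9A670F70B8"),
]


def self_copies(submitted_sha256, dropped):
    """Dropped paths whose SHA256 equals the submitted sample's. The report
    mixes upper- and lower-case hex, so compare case-insensitively."""
    want = submitted_sha256.lower()
    return [path for path, sha in dropped if sha.lower() == want]


def duplicate_groups(dropped):
    """Map SHA256 -> paths for hashes listed more than once; those files are
    byte-identical even though the report shows them as separate entries."""
    groups = {}
    for path, sha in dropped:
        groups.setdefault(sha.lower(), []).append(path)
    return {sha: paths for sha, paths in groups.items() if len(paths) > 1}


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event ID 1 style)."""
    image: str
    command_line: str
    parent_image: str


# schtasks /XML argument whose path lies under <user>\AppData\Local\Temp
TEMP_XML = re.compile(
    r'/xml\s+"?([A-Za-z]:\\Users\\[^"\s]*?\\AppData\\Local\\Temp\\[^"\s]+)', re.I)


def task_from_temp_xml(ev):
    """Return the XML path when ev is 'schtasks.exe /Create ... /XML <file in
    Temp>', the pattern behind the 'Scheduled temp file as task from temp
    location' signature; otherwise None."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    if not re.search(r"/create\b", ev.command_line, re.I):
        return None
    m = TEMP_XML.search(ev.command_line)
    return m.group(1) if m else None


# Constructed events: the first mirrors the reported behaviour (task name is
# assumed), the second is benign schtasks use that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nrQtAokXKaSn" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmp152E.tmp"',
              r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.CrypterX-gen.16043.3621.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"',
              r"C:\Windows\explorer.exe"),
]


def run_checks(events=SAMPLE_EVENTS, dropped=DROPPED):
    """Collect all findings in one dict so callers can assert on them."""
    return {
        "self_copies": self_copies(SUBMITTED_SHA256, dropped),
        "duplicate_groups": duplicate_groups(dropped),
        "task_from_temp": [p for p in (task_from_temp_xml(e) for e in events) if p],
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

The /XML pattern is anchored to the user's Temp directory rather than to any path containing "tmp", so a task imported from an administrator's share or from %ProgramData% does not fire; widen the regex if that is the behaviour you want to catch. The hash comparison is deliberately case-insensitive because the report itself lists the same SHA256 in both cases.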