36.0.0 Rainbow Opal
IR
756154
CloudBasic
18:31:34
29/11/2022
SIEM_PO00938467648.vbs
default.jbs
Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
WINDOWS
633811bccf3fe62978ce41a04b653083
bc81307b5c229094617e7cb8cdcaec55eaddad36
b5e4225737f935940fa23989440d5ea2c123c8affde25d6d7224e2b4abab5608
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
false
677C4E3A07935751EA3B092A5E23232F
0BB391E66C6AE586907E9A8F1EE6CA114ACE02CD
D05D82E08469946C832D1493FA05D9E44926911DB96A89B76C2A32AC1CBC931F
C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.0.cs
false
5CB0DD0B77A3DA8C76FA25C6482E90D5
309AAF2851C84D34E8C8FC38B102721126D3E145
4A5B247BE5F2AD1BF7CB3E184F7F687B5D59C7DE795FD1EAF69B7B0E2F4F716E
C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.cmdline
true
5782379115A5C7704ACCE3E9383AF816
60D28D5DDD965175CB39C6BB0DF5AC1A224BCEC0
7604F449D890B1488ACFB0DDACABA6E1E24A51097835E4B47A35B507657EBD7B
C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.dll
true
CA1B80C27B39A8FF11303A0A90CB8ACC
3558A01472147CD4D7509DDEFA51F9E4F437172B
FFE5482B92E9206F567B6F96DB1FDE3117BE892D717769DF78197A52198486F6
C:\Users\user\AppData\Local\Temp\0j5ctfzr\0j5ctfzr.out
false
419D835EDD086DBCD1FB8CAFE131A363
F02C01889D4EB029501F2842FED63BEE75A32AAC
C95EF9EFF8E1F8076E9C103BD88E939445D3E45956155401AF076E08F81C1D24
C:\Users\user\AppData\Local\Temp\0j5ctfzr\CSC3A80B568F8BB4D66897E5CE811419E16.TMP
false
1A68EE12BE04A630C8BF56D4F7473ED0
ED9048C3B8B4013A63E612FF08CD59512E49A3FD
B37612CBD66EF7BDD73717ADB5C978216B44420DED73796AD570D0FE6DD8D24D
C:\Users\user\AppData\Local\Temp\RES7743.tmp
false
F4BF383029179F79AE0437C25B9B88AC
51A35E88821784CBC14768F2F96D9A4AFD88DDB0
CD999401D357C7AB4F043A403294A91E994DA74376E032E0CD0A5F9DD8618A91
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1ch5v15x.nhz.ps1
false
D17FE0A3F47BE24A6453E9EF58C94641
6AB83620379FC69F80C0242105DDFFD7D98D5D9D
96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_casrbuj4.tcb.psm1
false
D17FE0A3F47BE24A6453E9EF58C94641
6AB83620379FC69F80C0242105DDFFD7D98D5D9D
96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
\Device\ConDrv
false
9F754B47B351EF0FC32527B541420595
006C66220B33E98C725B73495FE97B3291CE14D9
0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
162.240.62.179
52.20.78.240
185.31.121.136
api.ipify.org.herokudns.com
false
52.20.78.240
qwedft.gq
false
162.240.62.179
ftp.mcmprint.net
true
185.31.121.136
api.ipify.org
false
unknown
https://api.ipify.org/
false
52.20.78.240
http://kmbImL.com
false
unknown
http://127.0.0.1:HTTP/1.1
false
unknown
http://nuget.org/NuGet.exe
false
unknown
https://api.ipify.org
false
unknown
http://pesterbdd.com/images/Pester.png
false
unknown
https://aka.ms/pscore6lB
false
unknown
http://www.apache.org/licenses/LICENSE-2.0.html
false
unknown
https://api.ipify.orgftp://ftp.mcmprint.netklogz
true
unknown
http://qwedft.gq/Akkant/VUUby127.xsn
false
162.240.62.179
https://contoso.com/
false
unknown
https://nuget.org/nuget.exe
false
unknown
https://contoso.com/License
false
unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www
false
unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi
false
unknown
https://contoso.com/Icon
false
unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
false
unknown
https://ZK1g7ahAv5q7aIVR.comXy
false
unknown
https://ZK1g7ahAv5q7aIVR.com
false
unknown
https://github.com/Pester/Pester
false
unknown
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Multi AV Scanner detection for submitted file
Potential malicious VBS script found (suspicious strings)
Tries to harvest and steal ftp login credentials
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Sigma detected: Dot net compiler compiles file from suspicious location
Very long command line found
May check the online IP address of the machine
Potential evasive VBS script found (use of timer() function in loop)
Obfuscated command line found
Machine Learning detection for dropped file
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected GuLoader
Snort IDS alert for network traffic
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)