36.0.0 Rainbow Opal
IR
764037
CloudBasic
10:52:09
09/12/2022
q3oUuJIXkc.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
2239a58cc93fd94dc2806ce7f6af0a0b
f09eb7d69bc7440d3d45e14267236a78ac789fcb
682abd62b6e3c0e8ca57f079cd96f2d3848752eaf7002bdf57bfb512bd242811
Win32 Executable (generic) a (10002005/4) 99.96%
Hides threads from debuggers
Tries to steal Mail credentials (via file / registry access)
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Overwrites code with function prologues
Tries to harvest and steal PuTTY / WinSCP information (sessions, passwords, etc.)
Yara detected Amadey's stealer DLL
Multi AV Scanner detection for submitted file
Tries to harvest and steal FTP login credentials
Yara detected Amadey bot
System process connects to network (likely due to code injection or exploit)
Tries to evade analysis by executing special instructions (VM detection)
Tries to detect virtualization through RDTSC time measurements
Creates an undocumented autostart registry key
C2 URLs / IPs found in malware configuration
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to steal Instant Messenger accounts or passwords
PE file contains section with special chars