31.0.0 Red Diamond
IR
338401
CloudBasic
08:29:34
12/01/2021
NDt93WWQwd089H7.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
0f330f518f4f71f0735cce4eaf1612d7
f34909417588543112974ebbc0fa8236a8a604c1
702554b4a0770d70bd5972318d2294ef2b26001595b574d122264b8c1793457c
Win32 Executable (generic) Net Framework (10011505/4) 50.01%
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView