Sandbox version: 31.0.0 Emerald (Joe Sandbox)
Unlabelled field (as extracted): IR
Analysis ID: 356529
Product: CloudBasic
Analysis start: 23/02/2021 09:35:52 (day/month/year)
Sample name: Booking Confirmation.exe
Cookbook: default.jbs
Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Platform: WINDOWS
Sample MD5: 78d9eadc9fcc580239b360ffa2c2220f
Sample SHA1: 2bc313ca573a9be005aa8d22e96601c10dcd5041
Sample SHA256: e836c2aecd7a2ae83a5bb088780d9e7b8cd6c3a7ff6b9c3f1261bfd1f53dbef7
File type (TrID): Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Verdict flags as extracted (field names not recoverable): true, false, false, false
Score: 100 (range 0-100)
Further fields as extracted (field names not recoverable): 5, 0, 5; false
Dropped file: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Booking Confirmation.exe.log
  Flag as extracted: true
  MD5: E5FA1A53BA6D70E18192AF6AF7CFDBFA
  SHA1: 1C076481F11366751B8DA795C98A54DE8D1D82D5
  SHA256: 1D7BAA6D3EB5A504FD4652BC01A0864DEE898D35D9E29D03EB4A60B0D6405D83
  Note: the .NET runtime writes a UsageLogs\<name>.log file whenever a managed executable runs, and its contents depend on the host, so this hash identifies this analysis run rather than the malware; use the sample hashes above as the file indicator.

Contacted IPs:
  81.169.149.11
  156.227.187.201
  185.175.200.247

Domains (name, flag as extracted, resolved IP as reported):
  www.localmoversuae.com       true  156.227.187.201
  www.praktijkinfinity.online  true  185.175.200.247
  buehne.cloud                 true  81.169.149.11
  merzigomusic.com             true  34.102.136.180
  www.buehne.cloud             true  unknown
  www.merzigomusic.com         true  unknown
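The hashes, contacted IPs and resolved domains above are the report's usable indicators, and the natural next step is to run them over DNS and firewall logs. The following is an added example written for this page, not code from the sandbox vendor or from the sample. The IOC values are copied from the report; the two log excerpts, their timestamps, the 10.0.0.0/8 clients, the benign destination 203.0.113.7 and the simple space-separated log layouts are all constructed for the demonstration. Treating a query for a child label of a listed domain (cdn.buehne.cloud under buehne.cloud) as a hit is a choice of this example, not something the report states.

```python
"""IOC matcher built from the indicators in this report.

Added example for this page, not code from the sandbox vendor or from the
sample. IOC values are copied from the report; everything under the
"constructed" comment is made up for the demonstration.
"""
import hashlib
import re

# --- Indicators copied from the report ---------------------------------
SAMPLE_SHA256 = "e836c2aecd7a2ae83a5bb088780d9e7b8cd6c3a7ff6b9c3f1261bfd1f53dbef7"
CONTACTED_IPS = {"81.169.149.11", "156.227.187.201", "185.175.200.247"}
# Reported domain -> resolved IP ("unknown" where the report gives none).
DOMAINS = {
    "www.localmoversuae.com": "156.227.187.201",
    "www.praktijkinfinity.online": "185.175.200.247",
    "buehne.cloud": "81.169.149.11",
    "merzigomusic.com": "34.102.136.180",
    "www.buehne.cloud": "unknown",
    "www.merzigomusic.com": "unknown",
}

# --- Constructed log excerpts (not from the report) ----------------------
# Assumed layouts: "<ts> <client> query <name> A <answer>" for the resolver
# and "<ts> <action> <src>:<port> -> <dst>:<port> <proto>" for the firewall.
# 10.0.0.0/8 clients and 203.0.113.7 (a documentation address) are benign.
DNS_LOG = """\
2021-02-23T09:36:01Z 10.0.0.15 query www.localmoversuae.com A 156.227.187.201
2021-02-23T09:36:02Z 10.0.0.15 query www.example.com A 203.0.113.7
2021-02-23T09:36:05Z 10.0.0.15 query www.merzigomusic.com A NXDOMAIN
2021-02-23T09:40:11Z 10.0.0.22 query cdn.buehne.cloud A 81.169.149.11
"""
FW_LOG = """\
2021-02-23T09:36:03Z ALLOW 10.0.0.15:49812 -> 156.227.187.201:80 tcp
2021-02-23T09:36:04Z ALLOW 10.0.0.15:49813 -> 203.0.113.7:443 tcp
2021-02-23T09:40:12Z ALLOW 10.0.0.22:50210 -> 81.169.149.11:80 tcp
"""

DNS_RE = re.compile(r"^(\S+) (\S+) query (\S+) A (\S+)$")
FW_RE = re.compile(r"^(\S+) \w+ (\S+):\d+ -> (\S+):\d+ \w+$")


def domain_matches(host, domains=DOMAINS):
    """Return the listed domain that `host` equals or is a subdomain of.

    Matching a child label (cdn.buehne.cloud -> buehne.cloud) is a choice of
    this example, not something the report states; a bare TLD never matches.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_dns_log(text, domains=DOMAINS):
    """Queries for a listed domain; the answer is kept for IP correlation."""
    hits = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue  # lines in another format are skipped, not errors
        ts, client, qname, answer = m.groups()
        ioc = domain_matches(qname, domains)
        if ioc:
            hits.append({"ts": ts, "client": client, "query": qname,
                         "ioc": ioc, "answer": answer})
    return hits


def scan_fw_log(text, ips=CONTACTED_IPS):
    """Connections whose destination is one of the contacted IPs."""
    hits = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m and m.group(3) in ips:
            hits.append({"ts": m.group(1), "src": m.group(2), "dst": m.group(3)})
    return hits


def domains_with_observed_traffic(domains=DOMAINS, ips=CONTACTED_IPS):
    """Listed domains whose reported resolution is an IP the sandbox saw traffic to."""
    return sorted(d for d, ip in domains.items() if ip in ips)


def sha256_matches(data, expected_hex):
    """Compare bytes against a report hash; hex digests compare case-insensitively."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()


if __name__ == "__main__":
    for h in scan_dns_log(DNS_LOG):
        print("DNS", h["ts"], h["client"], h["query"], "->", h["ioc"], h["answer"])
    for h in scan_fw_log(FW_LOG):
        print("FW ", h["ts"], h["src"], "->", h["dst"])
    print("traffic-backed domains:", domains_with_observed_traffic())
```

Two caveats when using these hits. FormBook carries a list of domains in its configuration of which most are decoys, so a DNS query for one of the names above is a triage lead rather than confirmation; the sample hashes and the three IPs the sandbox actually exchanged traffic with are the stronger indicators, which is what domains_with_observed_traffic() separates out from the report's own data. Resolved IPs can also belong to shared hosting, so check who else resolves to an address before blocking it.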
Signatures (as listed in the report):
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook