31.0.0 Emerald
IR
356530
CloudBasic
09:37:21
23/02/2021
Quotation Reques.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
MD5:    5a752fcd71acb65c618a829610b7b7e1
SHA1:   1e0608c292a70e30f75308255d6039a8ca373d8a
SHA256: d96042b51f171f68a99d4568f311f267fe595df0add3851e162cbcee7f897edb
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Quotation Reques.exe.log
  flag:   true
  MD5:    1DC1A2DCC9EFAA84EABF4F6D6066565B
  SHA1:   B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
  SHA256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF

C:\Users\user\AppData\Local\Temp\tmp1923.tmp
  flag:   true
  MD5:    1BF9853001A0DBB1C19F15A6EDE92E65
  SHA1:   45EF1D7D64F2994F602A2C78AAD375C35315BD52
  SHA256: 72F2B78F4787E9E88D4FF93F0585158549D64E309E310AE31A0C5DB83DC8680B

C:\Users\user\AppData\Roaming\ftkqUsB.exe
  flag:   true
  MD5:    5A752FCD71ACB65C618A829610B7B7E1
  SHA1:   1E0608C292A70E30F75308255D6039A8CA373D8A
  SHA256: D96042B51F171F68A99D4568F311F267FE595DF0ADD3851E162CBCEE7F897EDB

C:\Users\user\AppData\Roaming\ftkqUsB.exe:Zone.Identifier
  flag:   true
  MD5:    187F488E27DB4AF347237FE461A079AD
  SHA1:   6693BA299EC1881249D59262276A0D2CB21F8E64
  SHA256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
194.9.94.85
77.72.1.202
160.153.133.87
51.83.43.226
194.59.164.34
138.197.103.178
107.180.46.143
Domain                           Flag   IP
thisisauckland.com               true   77.72.1.202
www.buildermarketingprogram.com  false  208.97.149.17
sphenecouture.com                true   160.153.133.87
www.trainingkanban.com           true   51.83.43.226
www.ficuswildlife.com            true   138.197.103.178
www.dorteklarskov.com            true   194.9.94.85
gurumanindustries.com            true   194.59.164.34
mojavewellnessaz.com             true   107.180.46.143
www.vanjele.com                  true   unknown
www.mojavewellnessaz.com         true   unknown
www.sphenecouture.com            true   unknown
www.diabetessurgeryturkey.com    true   unknown
www.xlkefu2.com                  true   unknown
www.thisisauckland.com           true   unknown
www.gurumanindustries.com        true   unknown
www.topkids.asia                 true   unknown
www.thedesailldada.com           true   unknown
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook