Joe Sandbox analysis report (flattened export). The values below are as exported; the field labels are inferred from the Joe Sandbox report layout, except where marked as not recoverable.

Joe Sandbox version: 31.0.0 Emerald
IR (field label not recoverable from the export)
Analysis ID: 356564
Product: CloudBasic
Start time: 10:16:15
Start date: 23/02/2021
Sample file name: REQUEST FOR QUOTATION.exe
Cookbook file name: default.jbs
Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture: WINDOWS
Sample MD5: 1d229f76672a250bd0c2ff84417d63e3
Sample SHA1: 907889ef592995b2e923bc367ad5fe5fb3ab8275
Sample SHA256: 65dbaf77c991e5737ecf9041dea34a7e9eca1e38925ff69340435a3cff1314a3
TrID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Detection
  Malicious: true
  Suspicious: false
  Clean: false
  Unknown: false
  Score: 100 (range 0-100)
  Confidence: 5 (range 0-5)
  Whitelisted: false
Dropped files (one record per file: path, Malicious flag, MD5, SHA1, SHA256; the hash labels follow from the digest lengths, the flag label is inferred from the report layout)

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\REQUEST FOR QUOTATION.exe.log
  Malicious: true
  MD5:    1DC1A2DCC9EFAA84EABF4F6D6066565B
  SHA1:   B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
  SHA256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF

C:\Users\user\AppData\Local\Temp\DB1
  Malicious: true
  MD5:    81DB1710BB13DA3343FC0DF9F00BE49F
  SHA1:   9B1F17E936D28684FFDFA962340C8872512270BB
  SHA256: 9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB

C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp
  Malicious: true
  MD5:    72D8891C3265016E7AC805C2FC365122
  SHA1:   99876B512556D50D92BC71E253042B372FA3F6DF
  SHA256: 23230404E6FBCD9B342DBCBBB0DFD357F40E4FBCC0A9A3600C088E657161B4C8

C:\Users\user\AppData\Roaming\8LM54D1A\8LMlogim.jpeg
  Malicious: false
  MD5:    BF53111F720BA060D72C938DD168979F
  SHA1:   71D1E62E498858889495387A3E29B8F91AC6FEAB
  SHA256: F86DCE5E8A94F57295455EA6F3DAA99FE580324F381F45A5D154A4E9C1258E5A

C:\Users\user\AppData\Roaming\8LM54D1A\8LMlogrg.ini
  Malicious: false
  MD5:    4AADF49FED30E4C9B3FE4A3DD6445EBE
  SHA1:   1E332822167C6F351B99615EADA2C30A538FF037
  SHA256: 75034BEB7BDED9AEAB5748F4592B9E1419256CAEC474065D43E531EC5CC21C56

C:\Users\user\AppData\Roaming\8LM54D1A\8LMlogri.ini
  Malicious: true
  MD5:    D63A82E5D81E02E399090AF26DB0B9CB
  SHA1:   91D0014C8F54743BBA141FD60C9D963F869D76C9
  SHA256: EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE

C:\Users\user\AppData\Roaming\8LM54D1A\8LMlogrv.ini
  Malicious: true
  MD5:    3CB0736DD1A981F8FF17BB1F9E4A260D
  SHA1:   843AF6BD0D61C5E87340E9E84BF18640475F5223
  SHA256: 88D88AACF3DEDD2568BCEE741F9EFE90D86B6958A00D870B914F13A2AAB920FC

C:\Users\user\AppData\Roaming\JzXynzIhLqqy.exe
  Malicious: true
  MD5:    1D229F76672A250BD0C2FF84417D63E3
  SHA1:   907889EF592995B2E923BC367AD5FE5FB3AB8275
  SHA256: 65DBAF77C991E5737ECF9041DEA34A7E9ECA1E38925FF69340435A3CFF1314A3

C:\Users\user\AppData\Roaming\JzXynzIhLqqy.exe:Zone.Identifier
  Malicious: true
  MD5:    187F488E27DB4AF347237FE461A079AD
  SHA1:   6693BA299EC1881249D59262276A0D2CB21F8E64
  SHA256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

Note that JzXynzIhLqqy.exe in the Roaming profile has exactly the MD5, SHA1 and SHA256 of the submitted sample, so it is a byte-for-byte copy of the sample rather than a second-stage payload; the JzXynzIhLqqy.exe:Zone.Identifier entry is the NTFS alternate data stream attached to that copy, and its hashes describe only that small stream, not executable content.
Contacted IPs
  192.168.2.1 (private RFC 1918 address inside the analysis network, not an external indicator)
  204.11.56.48
  166.62.28.109

DNS resolutions (domain, Malicious flag, resolved IP; "unknown" means no resolution was observed)
  premiumnetworkstore.com            true   166.62.28.109
  www.internationalsoccerteams.com   true   204.11.56.48
  www.kenapa5-and.com                true   unknown
  www.premiumnetworkstore.com        true   unknown
  www.stickleyrep.com                true   unknown
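The hash and DNS records above are only useful for hunting once they are pulled out of the flattened layout and the noise is removed. The Python below is an added example, not part of the Joe Sandbox report or of Joe Sandbox itself. It parses a constructed excerpt that reproduces the export's record shape (five lines per dropped file, three per DNS record; that field order is an assumption drawn from the report layout), checks that each digest has the right length for its algorithm, drops the private 192.168.x address and the Zone.Identifier stream, and flags any dropped file whose SHA256 equals the submitted sample's, which is how the JzXynzIhLqqy.exe self-copy shows up.

```python
"""Turn a flattened Joe Sandbox export into hunt-ready IOCs.

Added example; not part of the sandbox report. The field order (path,
malicious flag, MD5, SHA1, SHA256 per dropped file; domain, malicious flag,
resolved IP per DNS record) is assumed from the report layout.
"""
import ipaddress
import re

HASH_RE = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "sha1": re.compile(r"^[0-9a-f]{40}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
}

# SHA256 of the submitted sample, taken from the report header.
SAMPLE_SHA256 = "65dbaf77c991e5737ecf9041dea34a7e9eca1e38925ff69340435a3cff1314a3"

# Constructed excerpt of the dropped-file records (values copied from the report).
DROPPED_EXPORT = r"""C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp
true
72D8891C3265016E7AC805C2FC365122
99876B512556D50D92BC71E253042B372FA3F6DF
23230404E6FBCD9B342DBCBBB0DFD357F40E4FBCC0A9A3600C088E657161B4C8
C:\Users\user\AppData\Roaming\JzXynzIhLqqy.exe
true
1D229F76672A250BD0C2FF84417D63E3
907889EF592995B2E923BC367AD5FE5FB3AB8275
65DBAF77C991E5737ECF9041DEA34A7E9ECA1E38925FF69340435A3CFF1314A3
C:\Users\user\AppData\Roaming\JzXynzIhLqqy.exe:Zone.Identifier
true
187F488E27DB4AF347237FE461A079AD
6693BA299EC1881249D59262276A0D2CB21F8E64
255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
"""

# Constructed excerpt of the DNS records (values copied from the report).
DNS_EXPORT = """premiumnetworkstore.com
true
166.62.28.109
www.internationalsoccerteams.com
true
204.11.56.48
www.kenapa5-and.com
true
unknown
"""

CONTACTED_IPS = ["192.168.2.1", "204.11.56.48", "166.62.28.109"]


def _lines(text):
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def parse_dropped(text):
    """Five lines per record; digests are lower-cased and length-checked."""
    lines = _lines(text)
    if len(lines) % 5:
        raise ValueError("dropped-file export is not a multiple of 5 lines")
    records = []
    for i in range(0, len(lines), 5):
        path, flag, md5, sha1, sha256 = lines[i:i + 5]
        rec = {"path": path, "malicious": flag == "true",
               "md5": md5.lower(), "sha1": sha1.lower(), "sha256": sha256.lower()}
        for algo, rx in HASH_RE.items():
            if not rx.match(rec[algo]):
                raise ValueError(f"{path}: malformed {algo} {rec[algo]!r}")
        # "file:stream" in the last path component is an NTFS alternate data stream
        rec["ads"] = ":" in path.rsplit("\\", 1)[-1]
        # an identical SHA256 means the sample copied itself to this location
        rec["self_copy"] = rec["sha256"] == SAMPLE_SHA256
        records.append(rec)
    return records


def parse_dns(text):
    """Three lines per record; 'unknown' means no resolution was observed."""
    lines = _lines(text)
    if len(lines) % 3:
        raise ValueError("DNS export is not a multiple of 3 lines")
    return [{"domain": d, "malicious": f == "true", "ip": None if ip == "unknown" else ip}
            for d, f, ip in (lines[i:i + 3] for i in range(0, len(lines), 3))]


def external_ips(ips):
    """Keep only globally routable addresses; RFC 1918 sandbox plumbing is not an IOC."""
    return [ip for ip in ips if ipaddress.ip_address(ip).is_global]


def build_iocs(dropped, dns, contacted):
    return {
        # hashes of malicious dropped files, minus ADS streams (metadata, not payload)
        "sha256": sorted({r["sha256"] for r in dropped if r["malicious"] and not r["ads"]}),
        "domains": sorted({d["domain"] for d in dns if d["malicious"]}),
        "ips": sorted(set(external_ips(contacted)) | {d["ip"] for d in dns if d["ip"]}),
        "self_copies": [r["path"] for r in dropped if r["self_copy"]],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_iocs(parse_dropped(DROPPED_EXPORT),
                                parse_dns(DNS_EXPORT), CONTACTED_IPS), indent=2))
```

Digests are normalised to lowercase before comparison because the report header and the dropped-file records use different cases for the same hash; without that, the self-copy check silently fails.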
Signatures (listed in the two groups of the export)

C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules

Detected FormBook malware
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
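Two of the listed signatures, "Uses schtasks.exe or at.exe to add and modify task schedules" and the Sigma hit "Scheduled temp file as task from temp location", describe a single persistence step: a scheduled task registered from an XML definition written under the user's Temp directory, which is what the dropped C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp fits. The Python below is an added example, not the report's output and not Joe Sandbox's or SigmaHQ's own rule code. It applies that rule's core condition (schtasks.exe run with /create and an /xml path under \AppData\Local\Temp\) to constructed process-creation events. The command lines, task name and parent process in the events are assumptions; the report shows only the signature names and the temp file path.

```python
"""Flag scheduled-task creation from an XML file under a user Temp directory.

Added example, not part of the report. It mirrors the core condition of the
Sigma rule behind the "Scheduled temp file as task from temp location" hit.
Every event below is constructed; command lines, task name and parent image
are assumptions.
"""
import re

SCHTASKS_IMAGE = re.compile(r"(^|\\)schtasks\.exe$", re.IGNORECASE)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# One argument: a quoted string (paths with spaces) or a run of non-whitespace.
TOKEN = re.compile(r'"[^"]*"|\S+')

RULE = "Scheduled task created from XML in user Temp directory"

# Constructed process-creation events, Sysmon-style field names.
EVENTS = [
    {   # the persistence step implied by the report (command line assumed)
        "ParentImage": r"C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe",
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "CommandLine": r'"C:\Windows\SysWOW64\schtasks.exe" /Create /TN "Updates\JzXynzIhLqqy" /XML "C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp"',
    },
    {   # benign: task XML shipped with software under ProgramData
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /Create /TN "Vendor\Updater" /XML "C:\ProgramData\Vendor\updater.xml"',
    },
    {   # benign: a query, not a creation
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /Query /TN "Updates\JzXynzIhLqqy"',
    },
    {   # not schtasks at all, even though a Temp path appears on the command line
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r'notepad.exe "C:\Users\user\AppData\Local\Temp\tmp9ADB.tmp"',
    },
]


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths whole and unquoting them."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def arg_after(tokens, switch):
    """Value following a case-insensitive switch such as /xml, or None if absent."""
    low = [t.lower() for t in tokens]
    if switch in low:
        i = low.index(switch)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def match(event):
    """Return a finding when the event meets the rule condition, else None."""
    if not SCHTASKS_IMAGE.search(event.get("Image", "")):
        return None
    tokens = tokenize(event.get("CommandLine", ""))
    switches = {t.lower() for t in tokens if t.startswith("/")}
    if "/create" not in switches:
        return None
    xml_path = arg_after(tokens, "/xml")
    if xml_path is None or not USER_TEMP.search(xml_path):
        return None
    return {
        "rule": RULE,
        "task_name": arg_after(tokens, "/tn"),
        "xml_path": xml_path,
        "parent": event.get("ParentImage"),
    }


def scan(events):
    return [f for f in (match(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

The rule keys on the image name and the parsed /xml argument rather than on a substring search over the whole command line, so a Temp path elsewhere on the line (the notepad event) does not fire it; the parent image is carried in the finding because the parent is what the responder needs next, since the task's XML has usually been deleted from Temp by the time anyone looks.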