31.0.0 Emerald
IR
383962
CloudBasic
13:11:12
08/04/2021
gzU8odwaPalRTGB.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
bc0859493d8419f5ffe0468d23938256
70c3b42db2fc29bb0de21db911b85adf600fb9f2
64f1791681e261b0e652130f8f7fca8e1098a4c03fee49652a14d682681f85cf
Win32 Executable (generic) Net Framework (10011505/4) 49.80%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gzU8odwaPalRTGB.exe.log
true
1DC1A2DCC9EFAA84EABF4F6D6066565B
B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
C:\Users\user\AppData\Local\Temp\tmpDFE8.tmp
true
43D09D99A1183D27D8BD6C31F7FB6416
647674277B12D074FFE749E4CA879985ABA38A5E
53CE83C8B03890F5037D9B9CA3EF2B1438760AD61C5BD90020C82EE7C02AA6EA
C:\Users\user\AppData\Roaming\fgEePtnFJH.exe
true
BC0859493D8419F5FFE0468D23938256
70C3B42DB2FC29BB0DE21DB911B85ADF600FB9F2
64F1791681E261B0E652130F8F7FCA8E1098A4C03FEE49652A14D682681F85CF
C:\Users\user\AppData\Roaming\fgEePtnFJH.exe:Zone.Identifier
true
187F488E27DB4AF347237FE461A079AD
6693BA299EC1881249D59262276A0D2CB21F8E64
255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
162.0.213.203
154.203.184.76
www.novergi.com
true
162.0.213.203
www.realsults.com
true
154.203.184.76
www.primarewards.net
true
unknown
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook