31.0.0 Emerald
IR
383967
CloudBasic
13:20:10
08/04/2021
PO#560.zip.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
225f5938273f006356fd813e46e3fcef
347cd34fd095ae8f843ee436dde5043bba8fb192
69a395d24a3536ef7698ae036596bed55856d4777356946f498faec3f1395f8d
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO#560.zip.exe.log
FED34146BF2F2FA59DCF8702FCC8232E
B03BFEA175989D989850CF06FE5E7BBF56EAA00A
123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook