32.0.0 Black Diamond
IR
399489
CloudBasic
20:48:42
28/04/2021
PaymentNotification.vbs
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
f5b9f4ae6470dd78d53b60dcc6b32a5b
c12a160ff346463dfea1a2a5b015b0efd56a9645
3fb7c96dcb667562f755e56f05a892aa8326d0c905055f1ea75177e1785df46b
Text - UTF-16 (LE) encoded (2002/1) 64.44%
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
May check the online IP address of the machine
Modifies the windows firewall
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Antivirus detection for dropped file
Benign windows process drops PE files
Detected HawkEye Rat
Detected njRat
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected AsyncRAT
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected Njrat