32.0.0 Black Diamond
IR
403611
CloudBasic
08:52:50
04/05/2021
SWIFT 00395_IMG.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
f19e6012ff248b9b380bb420080258ce
317ee43a8116aae39f3de3279620ecff4ac05b2c
069a900aaa6ab5e4b9279cf5bd47e7123c37787f87ac58d6e64383685371ba52
Win32 Executable (generic) a (10002005/4) 99.96%
true
false
false
false
100
0
100
5
0
5
false
Path | Flag | MD5 | SHA1 | SHA256
C:\Users\user\AppData\Local\Temp\jckq5d4hbdkbi4n7hsr | false | 15CC53488B015D163FB7808642F0A958 | 241D3F4B3A4DBAE6783412C331BFE79B1220CD50 | 6E500AA94D17CBB6F903CF22A47C6059AD36B5015DE9BA07941CE02B3A264E6F
C:\Users\user\AppData\Local\Temp\nspD9BF.tmp\3bypcf8qb.dll | false | 71D2D0B499C40F82A6CDD1ECDC4DF303 | AE42E7A68B3AFFC5F56238FC46FB2FAAAD75B890 | 0C3C61BA24BB070C77191B1134E337148EA90E9814083FFB84EDF58EE497A2EF
C:\Users\user\AppData\Local\Temp\nsuD98F.tmp | false | EC467E63A6C53D106AE28D0E5630276F | B278A9CD1CF6C0BEF644B81DC939AD64EF7F930F | 3DFC9C64A13A26D570BF2B769887E300EF0957250AF59429DC5D299AC9457682
C:\Users\user\AppData\Local\Temp\u2xvckwaqaki | false | E7ED75D329D3408CAF4BEACA7A5A33CE | 42AAA9974E8D2840B3DFB31C0247D64D42F2F63A | 553FB898A08BE847845D40293E8A680BE663F537E5A457ED26127D758F02FCD4
3.34.109.201
45.192.92.174
103.20.212.182
180.150.102.39
80.237.133.185
34.102.136.180
85.233.160.23
184.168.131.241
60.205.226.138
Domain | Flag | IP
crickescore.com | true | 103.20.212.182
dns.sxl.cn | false | 60.205.226.138
www.seroungift.com | true | 3.34.109.201
boxj66.com | true | 212.95.146.158
theboundless.life | true | 184.168.131.241
szzyhjj.com | true | 45.192.92.174
1800quilts.com | false | 34.102.136.180
fwd3.hosts.co.uk | true | 85.233.160.23
northernbackflow.com | false | 34.102.136.180
carboncuriosity.com | false | 34.102.136.180
www.puzed.net | true | 180.150.102.39
www.makeoverfurn.com | true | 80.237.133.185
www.northernbackflow.com | true | unknown
www.centerplans.com | true | unknown
www.boxj66.com | true | unknown
www.crickescore.com | true | unknown
www.theboundless.life | true | unknown
www.thebestcoffeeshops.com | true | unknown
www.1800quilts.com | true | unknown
www.xiangyuwenhua.com | true | unknown
www.carboncuriosity.com | true | unknown
www.szzyhjj.com | true | unknown
www.amwajcare.com | true | unknown
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook