Analysis report: 32.0.0 Black Diamond (IR), ID 433266, CloudBasic
Analysis start: 15:00:21, 11/06/2021
Sample: Purchase_Order.exe
Cookbook: default.jbs
Environment: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 (WINDOWS)
MD5: 4aa8159742becd97f9ecdda33798b065
SHA1: 775aee28c33102de8c4bdd45dd09821b717b8678
SHA256: 65c6621762bb1bb1589a4a58d4ab2d3fa7c02e581b217b86ed2ff51227d7565b
File type: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
File: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Purchase_Order.exe.log
MD5: 394E646B019FF472CE37EE76A647A27F
SHA1: BD5872D88EE9CD2299B5F0E462C53D9E7040D6DA
SHA256: 2295A0B1F6ACD75FB5D038ADE65725EDF3DDF076107AEA93E4A864E35974AE2A
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook