32.0.0 Black Diamond
IR
443952
CloudBasic
09:23:23
04/07/2021
UMUNNA1.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
Win32 Executable (generic) Net Framework (10011505/4) 50.01%
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\UMUNNA1.exe.log
C:\Users\user\AppData\Local\Temp\holderwb.txt
C:\Users\user\AppData\Roaming\pid.txt
C:\Users\user\AppData\Roaming\pidloc.txt
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Antivirus / Scanner detection for submitted sample
Detected HawkEye Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected HawkEye Keylogger
Yara detected MailPassView