33.0.0 White Diamond
IR
483582
CloudBasic
09:29:55
15/09/2021
scan files 15-9-21.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
00e32d8a2cbd54e967bfc8f512086ecf
f51b70a2117089a87b0daf6f179a3b492acf58f2
36d409b61a0f456cb3e593338ebf2db1fae38ea645392d98030bc7e7a0eb9a3c
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\scan files 15-9-21.exe.log
true
FED34146BF2F2FA59DCF8702FCC8232E
B03BFEA175989D989850CF06FE5E7BBF56EAA00A
123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
172.67.196.84
35.237.65.63
34.98.99.30
84.34.147.60
www.getcenteredwithclay.com
true
99.83.154.118
www.nordiqueluxury.com
true
84.34.147.60
quickskiplondon.com
false
34.98.99.30
valorplanodesaudemaranhao.info
false
34.98.99.30
www.singularity.institute
true
172.67.196.84
www.municipiodeanton.net
false
35.237.65.63
www.valorplanodesaudemaranhao.info
true
unknown
www.everybankatm.com
true
unknown
www.parakhonskiy.com
true
unknown
www.lifewithbriana.com
true
unknown
www.actonetheatre.com
true
unknown
www.quickskiplondon.com
true
unknown
Sample uses process hollowing technique
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration