33.0.0 White Diamond
IR
502129
CloudBasic
16:30:06
13/10/2021
Payment Confirmation.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
MD5: 98ffc3c812e6cec919ebd286973e2002
SHA1: b0d1a65445a7923870ad23ec4d80f592e808c987
SHA256: 014d0ece0d472eaea73698d634308303ddb9f227f39d339a66416c3cb744d2c1
Win32 Executable (generic) a (10002005/4) 99.96%
true
false
false
false
100
0
100
5
0
5
false
File: C:\Users\user\AppData\Local\Temp\jkajud1yvpgnu8q
  false
  MD5: D1F72710AC133640BEEE60FCF6237F37
  SHA1: E5153D750F3C97EA0227BFE83BE3B6E98F4A1B50
  SHA256: B8C3F629761EF0C1FADBE9111356C7F82947BE6CECD42F2C5238E0A6101D0A1A
File: C:\Users\user\AppData\Local\Temp\nsp1E48.tmp\nawgsdqut.dll
  false
  MD5: D4233FEFC9328CC30B0EF014BEB2F51B
  SHA1: 302180A5EDB1FD653D7884BB60172E6EDFBBEAC4
  SHA256: 1827A3002964434B0ACFF1359241948E334148D3413312CFEA326CAE8F269758
52.206.159.80
45.91.80.182
172.105.103.207
62.210.5.81
34.102.136.180
94.73.147.156
82.98.134.154
3.223.115.185
Domain                                                        Flag   IP
propage.beatstars.com                                         false  52.206.159.80
www.thesewhitevvalls.com                                      true   172.105.103.207
chinaopedia.com                                               true   45.91.80.182
playstarexch.com                                              false  34.102.136.180
HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com   false  3.223.115.185
anadolu.academy                                               true   94.73.147.156
elliotpioneer.com                                             false  34.102.136.180
pflvcllbpf.hellomyai.com                                      true   134.122.133.171
www.unasolucioendesa.com                                      true   82.98.134.154
www.atp-cayenne.com                                           true   62.210.5.81
carts-amazon.com                                              false  34.102.136.180
www.anadolu.academy                                           true   unknown
www.playstarexch.com                                          true   unknown
www.lumberjackguitarloops.com                                 true   unknown
www.altitudebc.com                                            true   unknown
www.elliotpioneer.com                                         true   unknown
www.6233v.com                                                 true   unknown
www.carts-amazon.com                                          true   unknown
www.chinaopedia.com                                           true   unknown
Sample uses process hollowing technique
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Machine Learning detection for sample
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Detected unpacking (changes PE section rights)
Modifies the context of a thread in another process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Multi AV Scanner detection for domain / URL