Joe Sandbox analysis report (FormBook sample)

Sandbox version: 33.0.0 White Diamond
IR
Analysis ID: 502357
Product: CloudBasic
Start time: 20:33:12
Start date: 13/10/2021
Sample file name: Factura de proforma.exe (Spanish for "pro forma invoice")
Cookbook: default.jbs
Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Platform: WINDOWS
MD5: 16f7045eebb451234ca8078222c5994c
SHA1: 99e8f263f9e34ad13cb8cd6af1bb816deffb5bde
SHA256: ff344e635b268090aafdb8fa830e76c41f34d7cf9a9bf03ed4ede2705008bfef
File type: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
Dropped files (path, report flag, MD5 / SHA1 / SHA256):

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Factura de proforma.exe.log
  flag: false
  MD5    832D6A22CE7798D72609B9C21B4AF152
  SHA1   B086DE927BFEE6039F5555CE53C397D1E59B4CA4
  SHA256 9E5EE72EF293C66406AF155572BF3B0CF9DA09CC1F60ED6524AAFD65553CE551
  (CLR usage log: the sample executed as a 32-bit .NET 4 process, consistent with the file type above)

C:\Users\user\AppData\Local\Temp\tmpD689.tmp
  flag: true
  MD5    1E44E6ADAE1C0CA0FD56FA664DDFE899
  SHA1   BED45CA5BDDB3ED71E73A72C6058ED5101440C3F
  SHA256 55CBE776A65A94D258CC0EA3911132969AED0F6979BE24A24BE4C4FB9F44E20A

C:\Users\user\AppData\Roaming\tskpCbAwtxoaw.exe
  flag: false
  MD5    16F7045EEBB451234CA8078222C5994C
  SHA1   99E8F263F9E34AD13CB8CD6AF1BB816DEFFB5BDE
  SHA256 FF344E635B268090AAFDB8FA830E76C41F34D7CF9A9BF03ED4EDE2705008BFEF
  (hashes identical to the submitted sample: the malware copied itself into %APPDATA%\Roaming under a different name)

C:\Users\user\AppData\Roaming\tskpCbAwtxoaw.exe:Zone.Identifier
  flag: false
  MD5    187F488E27DB4AF347237FE461A079AD
  SHA1   6693BA299EC1881249D59262276A0D2CB21F8E64
  SHA256 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
  (Zone.Identifier alternate data stream on the dropped copy, i.e. Mark-of-the-Web metadata written alongside it)
Domains and IPs (values as listed in the report):

13.209.99.177
parking3.dnstool.net
true
13.209.99.177
www.festival-du-chanvre.com
true
unknown
www.aminobalm.com
true
unknown
www.palmonlae.space
true
unknown
www.new-post-vehicle-site.xyz
true
unknown
Signatures (as reported):

Sample uses process hollowing technique
Found malware configuration
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
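The report lists both indicators (sample and dropped-file hashes, the %APPDATA%\Roaming self-copy with its Zone.Identifier stream, the contacted domains and IP) and behaviours that a detection engineer can turn into host-side checks (schtasks-based persistence, the Sigma "sacrificial process with improper arguments" pattern). The following is an added example, not code from the Joe Sandbox report or from the sample: it encodes those indicators and a simplified form of the behavioural signatures as checks and runs them over constructed Sysmon-style events. The event schema and field names, the list of sacrificial host processes, the simplified reading of the Sigma rule (a host process started with no arguments at all), and every command line in the sample events are my assumptions; only the hashes, paths, domains and IP are taken from the report.

```python
"""Added example (not from the Joe Sandbox report or the sample): detection checks built
from the report's indicators and signatures, run over constructed Sysmon-style events.
Event schema, field names, SACRIFICIAL_IMAGES and all command lines are assumptions."""
import ntpath
import re
from dataclasses import dataclass

# Indicators copied from the report (SHA256 values, lower-cased for comparison).
SAMPLE_SHA256 = "ff344e635b268090aafdb8fa830e76c41f34d7cf9a9bf03ed4ede2705008bfef"
KNOWN_SHA256 = {SAMPLE_SHA256,  # submitted sample; the Roaming copy tskpCbAwtxoaw.exe has the same hash
                "55cbe776a65a94d258cc0ea3911132969aed0f6979be24a24be4c4fb9f44e20a"}  # tmpD689.tmp
C2_DOMAINS = {"parking3.dnstool.net", "www.festival-du-chanvre.com", "www.aminobalm.com",
              "www.palmonlae.space", "www.new-post-vehicle-site.xyz"}
C2_IPS = {"13.209.99.177"}
DROPPED_NAMES = {"tskpcbawtxoaw.exe"}
# Assumption: host processes commonly started argument-less as hollowing targets.
SACRIFICIAL_IMAGES = {"rundll32.exe", "regsvr32.exe", "regasm.exe", "regsvcs.exe", "mshta.exe"}

@dataclass(frozen=True)
class Hit:
    rule: str
    detail: str

def split_cmdline(cmdline: str) -> tuple[str, str]:
    """Split a Windows command line into (program, arguments); the program may be quoted."""
    s = cmdline.strip()
    if s.startswith('"') and s.find('"', 1) != -1:
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    prog, _, rest = s.partition(" ")
    return prog.strip('"'), rest.strip()

def check_process(ev: dict) -> list[Hit]:
    hits: list[Hit] = []
    image = ntpath.basename(ev.get("image", "")).lower()
    prog, args = split_cmdline(ev.get("cmdline", ""))
    if ev.get("sha256", "").lower() in KNOWN_SHA256:
        hits.append(Hit("known_hash", ev["image"]))
    # Report signature: "Uses schtasks.exe or at.exe to add and modify task schedules".
    if image == "schtasks.exe" and re.search(r"/create\b", args, re.IGNORECASE):
        hits.append(Hit("schtasks_persistence", ev["cmdline"]))
    # Simplified Sigma "sacrificial process with improper arguments": a host process
    # whose command line is nothing but its own path.
    if image in SACRIFICIAL_IMAGES and ntpath.basename(prog).lower() == image and not args:
        hits.append(Hit("sacrificial_process_no_args", ev["cmdline"]))
    return hits

def check_file(ev: dict) -> list[Hit]:
    hits: list[Hit] = []
    path = ev.get("path", "")
    name, _, stream = ntpath.basename(path).partition(":")  # "x.exe:Zone.Identifier" -> ADS name
    parent = ntpath.basename(ntpath.dirname(path)).lower()
    if ev.get("sha256", "").lower() in KNOWN_SHA256:
        hits.append(Hit("known_hash", path))
    if stream.lower() == "zone.identifier" and name.lower() in DROPPED_NAMES:
        hits.append(Hit("motw_stream_on_dropped_file", path))
    if parent == "roaming" and name.lower().endswith(".exe") and not stream:
        hits.append(Hit("exe_dropped_in_roaming_root", path))
    return hits

def check_network(ev: dict) -> list[Hit]:
    hits: list[Hit] = []
    query = ev.get("query", "").lower().rstrip(".")
    if query in C2_DOMAINS:
        hits.append(Hit("c2_domain_lookup", query))
    if ev.get("dest_ip", "") in C2_IPS:
        hits.append(Hit("c2_ip_connection", ev["dest_ip"]))
    return hits

CHECKS = {"ProcessCreate": check_process, "FileCreate": check_file, "FileCreateStream": check_file,
          "DnsQuery": check_network, "NetworkConnect": check_network}

def scan(events: list[dict]) -> list[Hit]:
    hits: list[Hit] = []
    for ev in events:
        check = CHECKS.get(ev.get("event", ""))
        if check is not None:
            hits.extend(check(ev))
    return hits

# Constructed events: paths and hashes from the report, command lines invented for the example.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Users\user\Desktop\Factura de proforma.exe",
     "cmdline": r'"C:\Users\user\Desktop\Factura de proforma.exe"', "sha256": SAMPLE_SHA256},
    {"event": "FileCreate", "path": r"C:\Users\user\AppData\Roaming\tskpCbAwtxoaw.exe", "sha256": SAMPLE_SHA256},
    {"event": "FileCreateStream", "path": r"C:\Users\user\AppData\Roaming\tskpCbAwtxoaw.exe:Zone.Identifier"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Updates\tskpCbAwtxoaw" /XML "C:\Users\user\AppData\Local\Temp\tmpD689.tmp"'},
    {"event": "ProcessCreate", "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign control: has arguments
    {"event": "DnsQuery", "query": "www.palmonlae.space"},
    {"event": "NetworkConnect", "dest_ip": "13.209.99.177"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"{hit.rule:30} {hit.detail}")
```

The hash and domain checks are exact-match IOCs and will stop matching as soon as the operator rebuilds the loader or rotates domains; the behavioural checks (a task created by schtasks.exe, a LOLBin started with no arguments, an executable written directly into the Roaming root together with a Zone.Identifier stream) are the ones worth keeping as standing detections, with a local allow-list for legitimate software that installs the same way.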