33.0.0 White Diamond
IR
502374
CloudBasic
20:56:10
13/10/2021
Fu94e0b1TR
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
6429aa83e4bc083b4f0b3f44b0d7950f
0ead59881f054284f611accb61451ed1ffc818fc
96c57ae661562e958e01bb0b490c09a0a51bb367931620223174963de88bdfcb
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Fu94e0b1TR.exe.log
false
832D6A22CE7798D72609B9C21B4AF152
B086DE927BFEE6039F5555CE53C397D1E59B4CA4
9E5EE72EF293C66406AF155572BF3B0CF9DA09CC1F60ED6524AAFD65553CE551
64.190.62.111
172.65.227.72
fbc7888164e64afca05b80bb89630439.pacloudflare.com
true
172.65.227.72
www.rjtherealest.com
false
74.208.236.145
www.shacksolid.com
true
64.190.62.111
fis.photos
true
192.0.78.24
www.apricitee.com
true
unknown
www.fis.photos
true
unknown
www.instatechnovelz.com
true
unknown
www.brondairy.com
true
unknown
Sample uses process hollowing technique
Found malware configuration
Uses netstat to query active network connections and open ports
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Maps a DLL or memory area into another process
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration