34.0.0 Boulder Opal
IR
552997
CloudBasic
03:36:23
14/01/2022
nji3Lg1ot6
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
8eddcc35719034649f6947b2b08bcdf3
5506b69b4584f43232f45299192a540ec0197998
0d072a60b433f330d2ba97d75eae7af07e9d75bc6ed5b1065287661d05e82ab6
Win32 Executable (generic) a (10002005/4) 92.16%
C:\Users\user\AppData\Local\Temp\nsx7FAE.tmp
C:\Users\user\AppData\Local\Temp\nsx7FAF.tmp\mtmmtvzho.dll
C:\Users\user\AppData\Local\Temp\pawgjsvu
C:\Users\user\AppData\Local\Temp\zn2eyxxq9ww5zrdhr
Sample uses process hollowing technique
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration