34.0.0 Boulder Opal
IR
553094
CloudBasic
10:19:33
14/01/2022
commercial invoice_010202201.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
acbc7357e4fb7d8d4874ecbeb0c5bd0f
f423fed0f335e5c31d7b799aba25469420fb6009
73f458d7e38ab748b7b7d3b3e680db9eb08d845c1b1b7c935a6ee453d8f03358
Win32 Executable (generic) a (10002005/4) 92.16%
Sample uses process hollowing technique
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file