34.0.0 Boulder Opal
IR
553114
CloudBasic
10:37:50
14/01/2022
DHLExpress.xlsx
defaultwindowsofficecookbook.jbs
Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
WINDOWS
2b9a745d1c8ffca624c71ca72c0534dd
ec28b316b4fab0a9432b013a550f3bbdbff69b92
2174bb3aa9e77eecd21ad4b0fdd340a034db7c815da7a7c9d51d288777984718
Generic OLE2 / Multistream Compound File (8008/1) 100.00%
true
false
false
false
100
0
100
5
0
5
false
Sample uses process hollowing technique
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Maps a DLL or memory area into another process
Sigma detected: EQNEDT32.EXE connecting to internet
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Office equation editor starts processes (likely CVE-2017-11882 or CVE-2018-0802)
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign process
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: Execution from Suspicious Folder
Office equation editor drops PE file
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
Sigma detected: File Dropped By EQNEDT32EXE
C2 URLs / IPs found in malware configuration
Antivirus detection for URL or domain
Drops PE files to the user root directory