34.0.0 Boulder Opal
IR
625008
CloudBasic
10:39:32
12/05/2022
aSsc9zh1ex.exe
default.jbs
Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
WINDOWS
d5e55a57372bcad45fbb260105179caf
9b1935a927c072dd31017362ff1739bf1ea2aaf7
3c27c2aa1bc826faa65ab4038eb385cabd6db50108410e6f674d455aa1dc5532
Win32 Executable (generic) a (10002005/4) 99.96%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Temp\AEGISIIINVHelper.dll
false
00B917A158BB5BF0D6BFF7D6B3C81B12
24A9B80C8EC794ADA4C8BAF717CFAB98459AC1DE
947BE059906893C09F222CB2868631638A219FB905A47E16A311BA5ADEB4B300
C:\Users\user\AppData\Local\Temp\AsSQLHelper.dll
false
0B849C073801DCE25301ECA0146D534B
5BB9251CA83FE96C8F52B35637E674A629ED1468
3F77E9EF8843DE3DA37037F21BCF6D7E990085D2BDC5B3F05E71AB5EBE5288BB
C:\Users\user\AppData\Local\Temp\CoverDes.exe.manifest
false
9B48061E7B9FC35CD2624F2B9102549E
9DA640A8AF809549031916AB143026FAAF3B1E74
84839C6E85F9B73AA6B0F331A9EAADF7409B7B36E30BA0B04E31680069103E43
C:\Users\user\AppData\Local\Temp\Strepera.wad
false
0CAED7F18389A6CC24391E0400C2BE47
59288CED440D46970090F25983B409BB25F43BBF
E8C48296D444C8EDBF6169CA9E3C5334B0813BFC684C2E99BFD61C692A3784F1
C:\Users\user\AppData\Local\Temp\emblem-default-symbolic.symbolic.png
false
A83F8C904AFA9E3F6A50D263747CF6DF
7B9D99B950518FCAF5AC59350823D2B20E82956F
F57C0B31EC836E26EB609F259CFA68DDA95F09685784423B61075DAE4BBA5BF6
C:\Users\user\AppData\Local\Temp\face-crying.png
false
473EE416AF2C1AE05AA7D5D004C9B3D2
EEC352E25F562C0386D5C92384A70B3005D40D6F
2C48F1719BBC825592FB0929E31DCFE66578665D28099087EA98EF261688DC18
C:\Users\user\AppData\Local\Temp\nso8B47.tmp\System.dll
false
CFF85C549D536F651D4FB8387F1976F2
D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
C:\Users\user\AppData\Local\Temp\wxbase30u_xml_gcc_custom.dll
false
6D01A897D44DD4D25D7E1264407210FD
332C3ADE84D0C1E5BE298C037F9FE222620343B2
DD8289A21902F458B861C08A2F54D23F1E214B37BB89E73D4108303B490F7644
41.203.18.177
68.65.122.211
23.227.38.74
3.64.163.50
192.64.117.165
203.170.86.89
93.184.220.29
www.intelios.xyz
true
3.64.163.50
herbalsfixng.xyz
true
192.64.117.165
schnellekreditfinanz.com
true
68.65.122.211
www.fungismartgrid.com
true
41.203.18.177
barsam.com.au
true
203.170.86.89
shops.myshopify.com
true
23.227.38.74
www.kbcoastalproperties.com
true
unknown
www.sura.ooo
true
unknown
www.shantelleketodietofficial.site
true
unknown
www.threads34.store
true
unknown
www.taakyif.com
true
unknown
www.schnellekreditfinanz.com
true
unknown
www.hokasneakeruse.xyz
true
unknown
www.perrobravostudio.com
true
unknown
www.reionsbank.com
true
unknown
www.nelvashop.com
true
unknown
www.rnrr.xyz
true
unknown
www.ayanaslifeinmalaysia.com
true
unknown
www.thebeautystore.store
true
unknown
www.herbalsfixng.xyz
true
unknown
www.gpusforfun.com
true
unknown
www.liesdevocalist.store
true
unknown
https://api.msn.com/v1/news/Feed/Windows?
false
unknown
https://powerpoint.office.comeu
false
unknown
http://ocsp.sectigo.com0
false
unknown
http://barsam.com.au/bin_QuCucbUMda229.bin?
false
unknown
https://api.msn.com:443/v1/news/Feed/Windows?
false
unknown
http://inference.location.live.com11111111-1111-1111-1111-111111111111https://partnernext-inference.
false
unknown
https://android.notify.windows.com/iOSG
false
unknown
http://barsam.com.au/bin_QuCucbUMda229.bin
true
203.170.86.89
https://excel.office.com
false
unknown
http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3O//DTD
false
unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
false
unknown
http://schemas.micro
false
unknown
http://www.gopher.ftp://ftp.
false
unknown
http://www.intelios.xyz/wn19/?jZf=QQL+SjwgUyPYxJnw2qa+Hze/zpoAw1vY2ZXVt5QHdkoKCL+B47r8V4uCmI0quTqEBnpn&1biX=C2MPnN
true
3.64.163.50
http://www.threads34.store/wn19/?jZf=rv1HgXCmNvTRWnk0t/PWMZTArWSxwY6VToXu23C5wd0SYVqo5hbnUnFufPtPTohMYlmc&k0=p8cH
true
23.227.38.74
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
false
unknown
https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
false
unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
false
unknown
https://sectigo.com/CPS0C
false
unknown
http://barsam.com.au/bin_QuCucbUMda229.bing
false
unknown
www.shantelleketodietofficial.site/wn19/
true
http://www.nelvashop.com/wn19/?jZf=74kz/+Omydv/tJV+ps5/T47bI5nxKh+DjdkrvIsUcwHn/m5f3NJjyQUUG1A7gP1GNjyQ&k0=p8cH
true
23.227.38.74
https://www.msn.com/en-us/news/politics/graham-tries-t
false
unknown
https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
false
unknown
https://word.office.com
false
unknown
https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
false
unknown
http://www.herbalsfixng.xyz/wn19/?jZf=/aPRIOivZv/SK3yyBSrwMHS3aEcDnGoJdVwaw0Jv+PFvpIBjQ3dFVdba2CvjMIDrv82h&1biX=C2MPnN
true
192.64.117.165
https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
false
unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
false
unknown
http://nsis.sf.net/NSIS_ErrorError
false
unknown
http://www.foreca.com
false
unknown
https://word.office.com-C
false
unknown
https://outlook.com
false
unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppf
false
unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppe
false
unknown
http://www.fungismartgrid.com/wn19/?jZf=NS202dJbEEETcB12VfvBfMMdjzaMJ2P7TP19ar/APX8BBmPLqx20W3tmhoszgkcRlb4O&1biX=C2MPnN
true
41.203.18.177
https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
false
unknown
https://aka.ms/odirmO
false
unknown
https://wns.windows.com/).dlll
false
unknown
https://android.notify.windows.com/iOS
false
unknown
https://api.msn.com:443/v1/news/Feed/Windows?Microsoft
false
unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
false
unknown
https://api.msn.com/
false
unknown
https://windows.msn.com:443/shell
false
unknown
https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
false
unknown
http://www.schnellekreditfinanz.com/wn19/?jZf=VPEU4GtrlSiNcAkb3jQiBQiB6wsnkRv+1lt8CI/dwo4hrc1cBv2ecJ2q6A5CexHOXEVq&1biX=C2MPnN
true
68.65.122.211
https://www.msn.com:443/en-us/feed
false
unknown
http://crl3.d
false
unknown
https://www.msn.com/en-us/music/celebrity/the-voice-ariana-grande-and-john-legend-walk-off-when-blak
false
unknown
Sample uses process hollowing technique
Found malware configuration
Maps a DLL or memory area into another process
Tries to detect Any.run
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to resolve many domain names, but no domain seems valid
Yara detected GuLoader
Snort IDS alert for network traffic