36.0.0 Rainbow Opal
IR
715077
CloudBasic
16:00:10
03/10/2022
file.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
MD5    9916148f32a362eac0abbf128e88e96b
SHA1   e7669eb27e338fb79b40002fb37b812e18d526fe
SHA256 bfe1a292cb0e9b9ca09af660e8b90bdfb07592afe625855093bd2ff54fa430c3
Win32 Executable (generic) a (10002005/4) 99.96%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Temp\2BC9.exe
  true
  MD5    459C6ECD112648FF13D0FFA917A938BD
  SHA1   C03370C8348C6A8C91F17A0A976ADB8EE96DEBF4
  SHA256 E3D535FEF88C1A395F8F0D55B0585D63E257F5317528E00194A546238CF906C5
C:\Users\user\AppData\Local\Temp\4EE2.exe
  true
  MD5    7C1B6CA0476E2C572628034BDEAF5E3C
  SHA1   7F4E5707D53B145D6CECDEA22EF03E6B7357F0ED
  SHA256 F7BD62D5FEF5FCC2D29C3858DA9F25292A61206BA97BC9918A187EEFD873E768
C:\Users\user\AppData\Roaming\utitbii
  true
  MD5    9916148F32A362EAC0ABBF128E88E96B
  SHA1   E7669EB27E338FB79B40002FB37B812E18D526FE
  SHA256 BFE1A292CB0E9B9CA09AF660E8B90BDFB07592AFE625855093BD2FF54FA430C3
C:\Users\user\AppData\Roaming\utitbii:Zone.Identifier
  true
  MD5    187F488E27DB4AF347237FE461A079AD
  SHA1   6693BA299EC1881249D59262276A0D2CB21F8E64
  SHA256 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
\Device\ConDrv
  false
  MD5    D482B032211F687CE639B61D98956FE4
  SHA1   5AB5C651B66450188CDDA5602CA3EFD2214AFF9E
  SHA256 C011C37ECB00F4CDC4857188F474F91D854846FF04844A265E4C4EBA60CA3786
115.88.24.202
175.126.109.15
5.135.247.111
84.224.193.200
87.250.250.50
138.36.3.134
211.53.230.67
181.167.134.24
23.106.124.18
175.119.10.231
thepokeway.nl
true
5.135.247.111
gayworld.at
true
115.88.24.202
disk.yandex.ru
false
87.250.250.50
http://ekcentric.com/tmp/
true
http://23.106.124.18/aptupdate.exe
true
23.106.124.18
http://www.autoitscript.com/autoit3/J
false
unknown
https://thepokeway.nl/upload/index.php
false
5.135.247.111
http://cracker.biz/tmp/
true
https://disk.yandex.ru/d/aS1IzKYGKL0Ctw
false
87.250.250.50
http://citnet.ru/tmp/
true
http://gayworld.at/tmp/
false
115.88.24.202
Maps a DLL or memory area into another process
Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Yara detected DanaBot stealer dll
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Yara detected SmokeLoader
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
System process connects to network (likely due to code injection or exploit)
Deletes itself after installation
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Detected unpacking (changes PE section rights)
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for dropped file
Checks if the current machine is a virtual machine (disk enumeration)
Snort IDS alert for network traffic