Sandbox version: 36.0.0 Rainbow Opal
IR
Analysis ID: 736964
Product: CloudBasic
Analysis start: 03/11/2022 12:38:55
Sample file name: U8RYIwIvfK.exe
Cookbook: default.jbs
Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Platform: WINDOWS
MD5: 6f53598b9c19b30a0cf3ff0432301708
SHA1: 4bd8e67e468adfbfddd9e5a1e47fdf318bf9a31b
SHA256: 6d3397c687aea5017b90a5e96adc6fbfb0429d56a8b2ead1f1d4273994952379
File type (TrID): Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
Dropped file: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\U8RYIwIvfK.exe.log
true
MD5: 31E089E21A2AEB18A2A23D3E61EB2167
SHA1: E873A8FC023D1C6D767A0C752582E3C9FD67A8B0
SHA256: 2DCCE5D76F242AF36DB3D670C006468BEEA4C58A6814B2684FE44D45E7A3F836
Note: a CLR_v4.0_32\UsageLogs\<name>.exe.log file is written by the .NET runtime itself for a process running under the 32-bit CLR v4. It confirms that the sample executed as a 32-bit .NET application (consistent with the TrID result above); it is not a payload, and its hashes describe this run's log rather than the malware, so they are poor indicators on their own.
Contacted IPs:
  50.115.174.192
  34.102.136.180

Domains (name, flagged malicious, resolved IP):
  tgc8x.tk           true    50.115.174.192
  mercydm.mobi       false   34.102.136.180
  www.mercydm.mobi   true    unknown

URLs (url, flagged malicious, IP):
  https://tgc8x.tk/tt/BLACKDEV.txt                                true    50.115.174.192
  https://tgc8x.tk/tt/ptrr.txt                                    true    50.115.174.192
  www.ept-egy.com/zx85/                                           true    (not listed)
  http://www.autoitscript.com/autoit3/J                           false   unknown
  https://tgc8x.tk                                                true    unknown
  http://www.mercydm.mobi/zx85/?Sl=JSAN+BGUWbFIio0Y6cR2moHwDIFZVOq3R3uV7C0AfntmXLYJvKIE34aC+rLPWCkZ7Yk0ST8b/A==&7ntH=U0D8yn_PIXqTt   false   34.102.136.180
  https://tgc8x.tk4                                               true    unknown
  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name      false   unknown
  http://tgc8x.tk                                                 true    unknown
  https://tgc8x.tkD8                                              true    unknown

Reading notes: "https://tgc8x.tk4", "https://tgc8x.tkD8" and "http://www.autoitscript.com/autoit3/J" are strings carved from memory with trailing bytes attached; do not copy them verbatim into a block list, use the host tgc8x.tk instead. "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" is the standard .NET claims-identity URI and is benign. The two "/zx85/" URLs on www.ept-egy.com and www.mercydm.mobi share the same path, and the www.mercydm.mobi request carries the encoded query blob typical of the FormBook check-in that the signatures below attribute to this sample; FormBook check-ins rotate through decoy hosts alongside the live C2, so treat the "/zx85/" path plus encoded query as the durable indicator rather than any single host.
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Multi AV Scanner detection for submitted file
Yara detected FormBook
.NET source code references suspicious native API functions
Malicious sample detected (through community Yara rule)
Machine Learning detection for sample
Allocates memory in foreign processes
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Snort IDS alert for network traffic
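A small matcher for the network indicators and the FormBook check-in shape recorded in the tables and signatures above, run over web-proxy log lines. This is an added example, not part of the sandbox report: the log line format, the hosts www.example.com and decoy.example, and the "short directory plus base64-like first query parameter" heuristic for the beacon are assumptions; only the domains, IP, paths and the www.mercydm.mobi query come from the report.

```python
"""Match the report's network IOCs against web-proxy log lines (added example)."""
import re
from urllib.parse import urlsplit

# Indicators copied from the report's domain and URL tables (entries flagged true).
C2_DOMAINS = {"tgc8x.tk", "www.mercydm.mobi", "www.ept-egy.com"}
C2_IPS = {"50.115.174.192"}
STAGE_PATHS = {"/tt/BLACKDEV.txt", "/tt/ptrr.txt"}  # served from tgc8x.tk

# Shape of the FormBook check-in in the report: a GET to a short alphanumeric
# directory ("/zx85/") whose first query parameter is a base64-like blob.
# Assumption: directory and parameter names vary per build, so match the
# shape rather than the literal "/zx85/?Sl=".
BEACON_DIR = re.compile(r"^/[A-Za-z0-9]{2,8}/$")
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")


def looks_like_formbook_beacon(url: str) -> bool:
    parts = urlsplit(url)
    if not BEACON_DIR.match(parts.path) or not parts.query:
        return False
    # Split by hand: parse_qs would turn '+' into a space and break the check.
    first = parts.query.split("&", 1)[0]
    _, _, value = first.partition("=")
    return bool(BASE64ISH.match(value))


def classify(url: str) -> set:
    """Return the set of reasons a URL matches the report's indicators."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = set()
    if host in C2_DOMAINS:
        reasons.add("c2-domain")
    if host in C2_IPS:
        reasons.add("c2-ip")
    if host == "tgc8x.tk" and parts.path in STAGE_PATHS:
        reasons.add("stage-download")
    if looks_like_formbook_beacon(url):
        reasons.add("formbook-beacon")
    return reasons


def scan(log_lines):
    """Parse 'timestamp client method url status' lines; return only the hits."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip it
        _, client, _, url, _ = fields[:5]
        reasons = classify(url)
        if reasons:
            hits.append((client, url, sorted(reasons)))
    return hits


# Constructed log lines for illustration; only the indicators come from the report.
SAMPLE_LOG = [
    "2022-11-03T12:39:01Z 10.0.0.15 GET https://tgc8x.tk/tt/ptrr.txt 200",
    "2022-11-03T12:39:02Z 10.0.0.15 GET http://www.example.com/index.html 200",
    "2022-11-03T12:39:04Z 10.0.0.15 GET http://www.mercydm.mobi/zx85/?Sl=JSAN+BGUWbFIio0Y6cR2moHwDIFZVOq3R3uV7C0AfntmXLYJvKIE34aC+rLPWCkZ7Yk0ST8b/A==&7ntH=U0D8yn_PIXqTt 200",
    "2022-11-03T12:39:05Z 10.0.0.15 GET http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name 404",
    "2022-11-03T12:39:07Z 10.0.0.15 GET http://decoy.example/k3f9/?Ab=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo= 200",
    "2022-11-03T12:39:09Z 10.0.0.15 GET http://50.115.174.192/ 200",
]

if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, ", ".join(reasons), url)
```

The benign .NET claims URI and the plain www.example.com request produce no hit, the decoy.example line is flagged on shape alone (the host is unknown to the list), and the mercydm.mobi line matches both the domain list and the beacon shape. Exact-host matching catches the report's infrastructure; the shape rule is what survives a domain rotation.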