Joe Sandbox version: 36.0.0 Rainbow Opal
IR
Analysis ID: 745001
Product: CloudBasic
Start time: 16:53:52
Start date: 13/11/2022
Sample file name: U9M1w8FHBW.exe
Cookbook file name: default.jbs
Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Platform: WINDOWS
MD5: deab9f2826fa9d755e77a010c51effb8
SHA1: a44e1cd6ca3c8c7bad9ad286ba9e19ab2a6e8190
SHA256: b3dbb3902ed3e35a1f314f2b9385c2f020d4182cf0e93a9157cb0275548d72cc
File type: Win64 Dynamic Link Library (generic) (102004/3) 86.43%
true
false
false
false
84
0
100
5
0
5
false
Dropped files:
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
false
MD5: 3DCF580A93972319E82CAFBC047D34D5
SHA1: 8528D2A1363E5DE77DC3B1142850E51EAD0F4B6B
SHA256: 40810E31F1B69075C727E6D557F9614D5880112895FF6F4DF1767E87AE5640D1
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
false
MD5: C5D574CB0C172F23F4FA0A6CD46F58FA
SHA1: B31906B042211A40976D19F1D9733F5A5CA0BC06
SHA256: C159ED77B959AC8C54DC9B7120E33F2E194DB6D34DD64C6F2D661C1582830866
IP addresses:
172.105.115.71
188.165.79.151
196.44.98.190
174.138.33.49
36.67.23.59
103.41.204.169
85.214.67.203
83.229.80.93
198.199.70.22
93.104.209.107
186.250.48.5
209.239.112.82
175.126.176.79
128.199.242.164
178.238.225.252
46.101.98.60
190.145.8.4
82.98.180.154
103.71.99.57
87.106.97.83
103.254.12.236
103.85.95.4
202.134.4.210
165.22.254.236
78.47.204.80
118.98.72.86
139.59.80.108
104.244.79.94
37.44.244.177
51.75.33.122
160.16.143.191
103.56.149.105
85.25.120.45
139.196.72.155
115.178.55.22
103.126.216.86
128.199.217.206
114.79.130.68
103.224.241.74
210.57.209.142
202.28.34.99
80.211.107.116
54.37.228.122
218.38.121.17
185.148.169.10
195.77.239.39
178.62.112.199
62.171.178.147
64.227.55.231
URLs:
https://172.105.115.71:8080/cwaajpktaow/wluuqgbutatftfws/jndwc/hjilgypgsuce/
false
unknown
https://172.105.115.71:8080/s.dll6
false
unknown
Behavior signatures:
Creates an autostart registry key pointing to binary in C:\Windows
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Snort IDS alert for network traffic
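The IP and URL lists above are the network indicators a responder would take from this report: the signature "C2 URLs / IPs found in malware configuration" means the 49 addresses come from the extracted Emotet configuration, and the two URLs show the port (8080) actually used in the run. The block below is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling. It embeds the report's IPs and URLs, sanity-checks them, scans log lines for matches, and emits Snort rules for the C2 addresses. The log format, the 10.0.0.x client hosts, the 203.0.113.x benign destination and the local sid range 1000001+ are constructed assumptions for the demo. The two CryptnetUrlCache dropped files are deliberately not used as indicators: that directory is Windows' own CryptoAPI URL cache, so their hashes would fire on ordinary certificate and CRL fetches.

```python
"""Match the indicators from the sandbox report above against log lines.

Added example, not the report's own code. IPs and URLs are copied from the
report; the log lines, their format and the sid range are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# The 49 C2 addresses from the report's IP list (Emotet configuration).
C2_IPS = frozenset("""
172.105.115.71 188.165.79.151 196.44.98.190 174.138.33.49 36.67.23.59
103.41.204.169 85.214.67.203 83.229.80.93 198.199.70.22 93.104.209.107
186.250.48.5 209.239.112.82 175.126.176.79 128.199.242.164 178.238.225.252
46.101.98.60 190.145.8.4 82.98.180.154 103.71.99.57 87.106.97.83
103.254.12.236 103.85.95.4 202.134.4.210 165.22.254.236 78.47.204.80
118.98.72.86 139.59.80.108 104.244.79.94 37.44.244.177 51.75.33.122
160.16.143.191 103.56.149.105 85.25.120.45 139.196.72.155 115.178.55.22
103.126.216.86 128.199.217.206 114.79.130.68 103.224.241.74 210.57.209.142
202.28.34.99 80.211.107.116 54.37.228.122 218.38.121.17 185.148.169.10
195.77.239.39 178.62.112.199 62.171.178.147 64.227.55.231
""".split())

# The two URLs the sample contacted during the run, per the report.
C2_URLS = (
    "https://172.105.115.71:8080/cwaajpktaow/wluuqgbutatftfws/jndwc/hjilgypgsuce/",
    "https://172.105.115.71:8080/s.dll6",
)

# Constructed log lines (not real traffic): "<timestamp> <src> <dst>:<port> <url or ->".
SAMPLE_LOG = """\
2022-11-13T16:54:01Z 10.0.0.15 172.105.115.71:8080 https://172.105.115.71:8080/s.dll6
2022-11-13T16:54:02Z 10.0.0.15 203.0.113.10:443 https://203.0.113.10/index.html
2022-11-13T16:54:05Z 10.0.0.22 188.165.79.151:443 -
2022-11-13T16:54:09Z 10.0.0.15 172.105.115.71:8080 https://172.105.115.71:8080/cwaajpktaow/wluuqgbutatftfws/jndwc/hjilgypgsuce/
2022-11-13T16:54:11Z 10.0.0.40 172.105.115.99:8080 https://172.105.115.99:8080/s.dll6
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[0-9.]+):(?P<port>\d+)\s+(?P<url>\S+)$"
)


def normalize_url(url):
    """Lower-case scheme and host:port, keep the path byte-for-byte (trailing slash matters)."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


C2_URL_SET = frozenset(normalize_url(u) for u in C2_URLS)


def validate_iocs():
    """Sanity check before deploying: every indicator is a public IPv4 address. Returns the count."""
    for ip in C2_IPS:
        addr = ipaddress.ip_address(ip)
        if addr.version != 4 or addr.is_private or addr.is_loopback:
            raise ValueError(f"unexpected indicator: {ip}")
    return len(C2_IPS)


def classify(dst, port, url):
    """Return the list of reasons a connection matches the report's indicators (empty if none)."""
    reasons = []
    if url != "-" and normalize_url(url) in C2_URL_SET:
        reasons.append("url")
    if dst in C2_IPS:
        # Port 8080 is the only port the report confirms; flag it separately.
        reasons.append("c2-ip:8080" if port == 8080 else "c2-ip")
    return reasons


def scan_log(text):
    """Scan log text line by line; return one dict per matching line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count and report these
        port = int(m["port"])
        reasons = classify(m["dst"], port, m["url"])
        if reasons:
            hits.append({"line": n, "src": m["src"], "dst": m["dst"],
                         "port": port, "reasons": reasons})
    return hits


def to_snort_rules(sid_base=1000001):
    """One Snort rule per C2 IP, any port, in ascending IP order. sid_base is a local-range placeholder."""
    rules = []
    for i, ip in enumerate(sorted(C2_IPS, key=ipaddress.ip_address)):
        rules.append(
            f'alert ip $HOME_NET any -> {ip} any '
            f'(msg:"Emotet C2 IP from Joe Sandbox analysis 745001"; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    validate_iocs()
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print("\n".join(to_snort_rules()[:3]))
```

Matching on the bare IP catches the line-3 connection on 443 that carries no URL, while the URL match ties the two 8080 requests back to the exact paths in the report; the line-5 host 172.105.115.99 is not an indicator and is correctly left alone, which is the check you want before turning a list like this into a block rule.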