Joe Sandbox analysis report. The page as extracted carries only the values; the field labels below are reconstructed from Joe Sandbox's report layout and are an editorial assumption where the value alone is ambiguous.

Joe Sandbox version: 36.0.0 Rainbow Opal
IR (value kept as extracted; its field label is not on the page)
Analysis ID: 753423
Joe Sandbox product: CloudBasic
Start time: 19:53:07
Start date: 24/11/2022
Sample file name: Payment_copy28476450.exe
Cookbook file name: default.jbs
Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Platform: WINDOWS

Submitted sample
MD5: 70e90926399154c2708801a73cf53d99
SHA1: 0eaff8f1cde17a392d9e7935bae96f21c91acc3c
SHA256: c36de6d07a8ce4407cb59a275dbf8c04d05844903bb6d566f295ccd13a2d4ce6
File type (TrID): Win32 Executable (generic) a (10002005/4) 99.96%

Detection
Malicious: true
Suspicious: false
Clean: false
Unknown: false
Score: 100 (range 0 to 100)
Confidence: 5 (range 0 to 5)
Whitelisted: false
Dropped files
Each record is path, the sandbox's malicious flag, then MD5, SHA1 and SHA256 as reported. The nsXXXX.tmp name in %TEMP% together with the NSIS_Error strings in the URL list below indicate an NSIS installer wrapper unpacking to %TEMP%, an unpacked payload (wcycejenv.exe), and a persistence copy under %APPDATA%\C79A3B\. Notes after a record are editorial.

Path: C:\Users\user\AppData\Local\Temp\nsg6B4D.tmp
Malicious: false
MD5: DAEA903CE6FBB92BF4BE14AEC7489613
SHA1: 21872C93628D5B4715A9876332090C3D0EE03E66
SHA256: 97CE6EB441A34EBEE7864B4B0E99939D7D773AC7FC416B27F1F72413061944B3

Path: C:\Users\user\AppData\Local\Temp\ntwcyphb.r
Malicious: false
MD5: B12381A247D8454C152B69D13B35EC05
SHA1: 347BDD9D8F6E96C6912DC56198BD5038969C41AC
SHA256: 1B9C40C7751E34B3A3DD0658B3F1DAC5AA39D85D50D3F02CDAA555220228193E

Path: C:\Users\user\AppData\Local\Temp\stvrrcrc.d
Malicious: false
MD5: 8C23AB33C072F31910D8126FE29420D7
SHA1: 19752AC35C502F4CD5BB55D3DB4ACE8FD00C0767
SHA256: 0C6033793464A7C0D79F2A402CC4DCF821B8C633371B4D676BA18F21FCB3376F

Path: C:\Users\user\AppData\Local\Temp\wcycejenv.exe
Malicious: true
MD5: 3182BEF520A1E9F52BE3755C25E4C3B0
SHA1: 1829DD90A63BF67DCEB3F6CC41C8AACE8E7E31AD
SHA256: E7ECA366A9467420BA42645AAC451E02D0F009C6F6DFE3A47349510DE0BBFB96

Path: C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)
Malicious: true
MD5: 3182BEF520A1E9F52BE3755C25E4C3B0
SHA1: 1829DD90A63BF67DCEB3F6CC41C8AACE8E7E31AD
SHA256: E7ECA366A9467420BA42645AAC451E02D0F009C6F6DFE3A47349510DE0BBFB96
Note: identical hashes to wcycejenv.exe above, so this is the same payload copied to its persistence location, not a second binary. One set of file hashes covers both.

Path: C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck
Malicious: false
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
Note: these three values are the MD5, SHA1 and SHA256 of the single ASCII byte "1", so the .lck is a one-byte lock marker, not a payload. The %APPDATA%\<6 hex>\<6 hex>.exe plus .lck layout matches public Lokibot analyses of its persistence folder; the folder and file names are machine-derived and should not be used as indicators on other hosts.

Path: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a
Malicious: false
MD5: 884BB48A55DA67B4812805CB8905277D
SHA1: 6B3D33E00F5B9DEAE2826F80644CB4F6E78B7401
SHA256: 78877FA898F0B4C45C9C33AE941E40617AD7C8657A307DB62BC5691F92F4F60E
Note: a CAPI RSA key container created under the analysis user's SID; both the path and the content are per-user and per-machine, so this record is not a usable indicator.
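The two notes above (the persistence copy shares its hashes with wcycejenv.exe, and the .lck hashes are those of the byte "1") can be checked mechanically rather than by eye. The following is an added example, not part of the Joe Sandbox report: it loads the dropped-file records exactly as listed above, validates the hash columns, groups paths by SHA256 to find copies, and brute-forces each record's hashes against a short constructed list of tiny contents to recover what a marker file actually holds. The candidate list and the triage() helper are editorial choices.

```python
from __future__ import annotations

import hashlib
from collections import defaultdict

# Dropped-file records copied from the report above: (path, flagged malicious, MD5, SHA1, SHA256).
DROPPED = [
    (r"C:\Users\user\AppData\Local\Temp\nsg6B4D.tmp", False,
     "daea903ce6fbb92bf4be14aec7489613",
     "21872c93628d5b4715a9876332090c3d0ee03e66",
     "97ce6eb441a34ebee7864b4b0e99939d7d773ac7fc416b27f1f72413061944b3"),
    (r"C:\Users\user\AppData\Local\Temp\ntwcyphb.r", False,
     "b12381a247d8454c152b69d13b35ec05",
     "347bdd9d8f6e96c6912dc56198bd5038969c41ac",
     "1b9c40c7751e34b3a3dd0658b3f1dac5aa39d85d50d3f02cdaa555220228193e"),
    (r"C:\Users\user\AppData\Local\Temp\stvrrcrc.d", False,
     "8c23ab33c072f31910d8126fe29420d7",
     "19752ac35c502f4cd5bb55d3db4ace8fd00c0767",
     "0c6033793464a7c0d79f2a402cc4dcf821b8c633371b4d676ba18f21fcb3376f"),
    (r"C:\Users\user\AppData\Local\Temp\wcycejenv.exe", True,
     "3182bef520a1e9f52be3755c25e4c3b0",
     "1829dd90a63bf67dceb3f6cc41c8aace8e7e31ad",
     "e7eca366a9467420ba42645aac451e02d0f009c6f6dfe3a47349510de0bbfb96"),
    (r"C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)", True,
     "3182bef520a1e9f52be3755c25e4c3b0",
     "1829dd90a63bf67dceb3f6cc41c8aace8e7e31ad",
     "e7eca366a9467420ba42645aac451e02d0f009c6f6dfe3a47349510de0bbfb96"),
    (r"C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck", False,
     "c4ca4238a0b923820dcc509a6f75849b",
     "356a192b7913b04c54574d18c28d46e6395428ab",
     "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"),
    (r"C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002"
     r"\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a", False,
     "884bb48a55da67b4812805cb8905277d",
     "6b3d33e00f5b9deae2826f80644cb4f6e78b7401",
     "78877fa898f0b4c45c9c33ae941e40617ad7c8657a307db62bc5691f92f4f60e"),
]

HEX = set("0123456789abcdef")


def digests(data: bytes) -> tuple[str, str, str]:
    """MD5, SHA1 and SHA256 of data as lowercase hex, in the report's column order."""
    return (hashlib.md5(data).hexdigest(),
            hashlib.sha1(data).hexdigest(),
            hashlib.sha256(data).hexdigest())


def well_formed(record) -> bool:
    """True if the three hash columns are hex strings of the expected lengths (32/40/64)."""
    _, _, md5, sha1, sha256 = record
    return all(len(h) == n and set(h.lower()) <= HEX
               for h, n in ((md5, 32), (sha1, 40), (sha256, 64)))


def group_by_sha256(records) -> dict[str, list[str]]:
    """Map each SHA256 to the paths carrying it; more than one path means a copy, not a new binary."""
    groups: dict[str, list[str]] = defaultdict(list)
    for path, _, _, _, sha256 in records:
        groups[sha256.lower()].append(path)
    return dict(groups)


# Tiny contents worth trying against marker/lock files (constructed list; extend as needed).
TINY_CANDIDATES = (b"", b"0", b"1", b"\n", b"\r\n", b"1\n", b"1\r\n")


def recover_tiny_content(record, candidates=TINY_CANDIDATES) -> bytes | None:
    """Brute-force a record's three hashes against tiny byte strings; return the match or None."""
    _, _, md5, sha1, sha256 = record
    want = (md5.lower(), sha1.lower(), sha256.lower())
    for candidate in candidates:
        if digests(candidate) == want:
            return candidate
    return None


def triage(records):
    """Return (copies, recovered): copies maps a SHA256 shared by several paths to those paths,
    recovered maps a path to the tiny content its hashes prove it contains."""
    good = [r for r in records if well_formed(r)]
    copies = {h: paths for h, paths in group_by_sha256(good).items() if len(paths) > 1}
    recovered = {r[0]: c for r in good if (c := recover_tiny_content(r)) is not None}
    return copies, recovered


if __name__ == "__main__":
    copies, recovered = triage(DROPPED)
    for sha256, paths in copies.items():
        print(f"same binary ({sha256[:12]}...): " + " == ".join(paths))
    for path, content in recovered.items():
        print(f"{path}: content is {content!r}")
```

Running it prints one "same binary" line pairing wcycejenv.exe with B52B3F.exe (copy), and one recovered line showing the .lck content as b'1'. The same brute-force trick works for any dropped file whose hashes a report lists but whose content it withholds, as long as the content is small and guessable (empty files, "0"/"1" flags, a lone newline).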
Network
Each record is the domain or URL, the sandbox's malicious flag, and the resolved IP where the report recorded one ("unknown" is the report's own value for unresolved entries).

Contacted IPs
95.213.216.202 (external; resolved from sempersim.su)
192.168.2.1 (private address on the analysis network, typically the sandbox's DNS resolver; not an indicator)

Domains
sempersim.su  Malicious: true  Resolved to: 95.213.216.202

URLs
http://sempersim.su/gl20/fre.php  Malicious: true  IP: 95.213.216.202
http://kbfvzoboss.bid/alien/fre.php  Malicious: true
http://nsis.sf.net/NSIS_Error  Malicious: false  IP: unknown
http://alphastand.win/alien/fre.php  Malicious: true
http://nsis.sf.net/NSIS_ErrorError  Malicious: false  IP: unknown
http://alphastand.trade/alien/fre.php  Malicious: true
http://alphastand.top/alien/fre.php  Malicious: true
http://www.ibsensoftware.com/  Malicious: false  IP: unknown

Reading the list: only sempersim.su resolved and was contacted, so the operator's panel for this sample is http://sempersim.su/gl20/fre.php on 95.213.216.202, and those are the indicators worth blocking or hunting for. The four /alien/fre.php URLs (kbfvzoboss.bid, alphastand.win, alphastand.trade, alphastand.top) are the fallback URLs hardcoded into Lokibot builds derived from the leaked builder; they appear in most Lokibot samples and identify the family, not this campaign. The two nsis.sf.net strings belong to the NSIS installer stub's error text, and www.ibsensoftware.com is the URL inside aPLib's embedded copyright string (consistent with the "aPLib compressed binary" Yara hit in the signatures below); neither represents traffic.
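Turning the URL list above into something a detection engineer can use means separating the one live panel from the family-wide fallback URLs and the library strings. The block below is an added example, not part of the report: it carries the eight URL records as listed, classifies each one, emits only the operator-specific indicators, and formats a Suricata rule (5+ sticky-buffer syntax) for the Lokibot check-in, which is an HTTP POST to the panel's fre.php. The set of four Lokibot default fallback URLs is editorial knowledge from public Lokibot write-ups rather than something the report states, and the rule's sid is a placeholder to be replaced with a value from your local range.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# URL records copied from the report above: (URL, flagged malicious by the sandbox, resolved IP or None).
URLS = [
    ("http://sempersim.su/gl20/fre.php", True, "95.213.216.202"),
    ("http://kbfvzoboss.bid/alien/fre.php", True, None),
    ("http://nsis.sf.net/NSIS_Error", False, None),
    ("http://alphastand.win/alien/fre.php", True, None),
    ("http://nsis.sf.net/NSIS_ErrorError", False, None),
    ("http://alphastand.trade/alien/fre.php", True, None),
    ("http://alphastand.top/alien/fre.php", True, None),
    ("http://www.ibsensoftware.com/", False, None),
]

# The four fallback URLs hardcoded in Lokibot builds from the leaked builder. Editorial
# knowledge from public Lokibot analyses, not a fact the report itself states.
LOKIBOT_DEFAULT_URLS = frozenset({
    "http://kbfvzoboss.bid/alien/fre.php",
    "http://alphastand.win/alien/fre.php",
    "http://alphastand.trade/alien/fre.php",
    "http://alphastand.top/alien/fre.php",
})

# Hosts that come from embedded library strings (NSIS stub text, aPLib copyright), not from traffic.
LIBRARY_STRING_HOSTS = frozenset({"nsis.sf.net", "www.ibsensoftware.com"})


def classify(url: str, flagged: bool, ip: str | None) -> str:
    """Label one record: live C2, Lokibot default fallback, embedded library string, or unresolved candidate."""
    host = urlsplit(url).hostname or ""
    if url in LOKIBOT_DEFAULT_URLS:
        return "lokibot-default-fallback"
    if host in LIBRARY_STRING_HOSTS or not flagged:
        return "embedded-library-string"
    # Flagged, not a known default, but never resolved: keep it, just not as a confirmed panel.
    return "live-c2" if ip else "c2-candidate"


def iocs(records) -> dict[str, list[str]]:
    """Operator-specific indicators only: hosts, IPs and URI paths of records classified live-c2, deduplicated."""
    out: dict[str, list[str]] = {"hosts": [], "ips": [], "uris": []}

    def add(key: str, value: str | None) -> None:
        if value and value not in out[key]:
            out[key].append(value)

    for url, flagged, ip in records:
        if classify(url, flagged, ip) != "live-c2":
            continue
        parts = urlsplit(url)
        add("hosts", parts.hostname)
        add("ips", ip)
        add("uris", parts.path)
    return out


def suricata_rule(uri: str, sid: int) -> str:
    """Suricata rule matching the Lokibot check-in, an HTTP POST whose URI ends with the panel path.
    sid is a placeholder supplied by the caller from their local SID range."""
    return ("alert http $HOME_NET any -> $EXTERNAL_NET any "
            f'(msg:"Lokibot C2 check-in to {uri}"; flow:established,to_server; '
            'http.method; content:"POST"; '
            f'http.uri; content:"{uri}"; endswith; '
            f"classtype:trojan-activity; sid:{sid}; rev:1;)")


if __name__ == "__main__":
    for url, flagged, ip in URLS:
        print(f"{classify(url, flagged, ip):26} {url}")
    found = iocs(URLS)
    print("IOCs:", found)
    for uri in found["uris"]:
        print(suricata_rule(uri, 9000001))  # placeholder sid
```

The classification order matters: a default fallback URL is also flagged malicious and also lacks a resolved IP, so it must be recognised before the generic "flagged but unresolved" case, otherwise it would be emitted as a candidate indicator and pollute blocklists with hosts shared by every Lokibot sample. Matching the rule on the URI path rather than the hostname keeps it useful if the operator moves the same panel to a new domain, at the cost of needing a path that is not shared with the defaults (here /gl20/fre.php, not /alien/fre.php).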
Signatures (behaviour and detection hits, as reported)
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Multi AV Scanner detection for submitted file
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Malicious sample detected (through community Yara rule)
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Yara detected Lokibot
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Tries to harvest and steal browser information (history, passwords, etc)
Snort IDS alert for network traffic