36.0.0 Rainbow Opal
IR
753427
CloudBasic
20:11:10
24/11/2022
file.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
Win32 Executable (generic) a (10002005/4) 99.53%
true
false
false
false
100
0
100
5
0
5
false
Maps a DLL or memory area into another process
Yara detected UAC Bypass using CMSTP
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Yara detected SmokeLoader
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
System process connects to network (likely due to code injection or exploit)
Deletes itself after installation
Machine Learning detection for dropped file
Detected unpacking (changes PE section rights)
C2 URLs / IPs found in malware configuration
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Checks if the current machine is a virtual machine (disk enumeration)