36.0.0 Rainbow Opal
IR
755940
CloudBasic
10:40:48
29/11/2022
SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
55d6460392408d1325c18b69a91c28e3
405847d03be406a0025eda76852dfd46420a8d7a
d1e9780a620ddf149c2aed319388bca7ed690c2a58c9ffc8f60b1c4515115dc9
Win32 Executable (generic) Net Framework (10011505/4) 49.80%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FqJXaFxwEj.exe.log
false
FED34146BF2F2FA59DCF8702FCC8232E
B03BFEA175989D989850CF06FE5E7BBF56EAA00A
123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.CrypterX-gen.22126.16591.exe.log
true
FED34146BF2F2FA59DCF8702FCC8232E
B03BFEA175989D989850CF06FE5E7BBF56EAA00A
123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
false
84C44110AE1D79E1CAF451F6E381CEE6
1A92B2ABA0161D4DD3C807D665E08E25C8DD6E99
D0024E0C27DC567BD3601940C8653CED465C588B384F4D9794338015D5E83D1B
C:\Users\user\AppData\Local\Temp\17089-7
false
5F02C426BCF0D3E3DC81F002F9125663
EA50920666E30250E4BE05194FA7B3F44967BE94
DF93CD763CFEC79473D0DCF58C77D45C99D246CE347652BF215A97D8D1267EFA
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_44oebsyr.ko3.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4searmeq.c02.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ab3likgp.3hk.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kuw1e3h0.ro1.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\tmp4724.tmp
true
936AEB32A643A82E85DFCB00D9B2AA81
B9EAB79BC7BF79BB7097BA973F1DED9D0917D91F
BC771042757EC4CFD44ACEF348DB5FB4069AC67AFB5D63C67D89D05F69B29012
C:\Users\user\AppData\Local\Temp\tmp8C7A.tmp
false
936AEB32A643A82E85DFCB00D9B2AA81
B9EAB79BC7BF79BB7097BA973F1DED9D0917D91F
BC771042757EC4CFD44ACEF348DB5FB4069AC67AFB5D63C67D89D05F69B29012
C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe
true
55D6460392408D1325C18B69A91C28E3
405847D03BE406A0025EDA76852DFD46420A8D7A
D1E9780A620DDF149C2AED319388BCA7ED690C2A58C9FFC8F60B1C4515115DC9
C:\Users\user\AppData\Roaming\FqJXaFxwEj.exe:Zone.Identifier
true
187F488E27DB4AF347237FE461A079AD
6693BA299EC1881249D59262276A0D2CB21F8E64
255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Machine Learning detection for sample
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Sigma detected: Scheduled temp file as task from temp location
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Antivirus detection for URL or domain
Adds a directory exclusion to Windows Defender
Multi AV Scanner detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Tries to harvest and steal browser information (history, passwords, etc)