36.0.0 Rainbow Opal
IR
756294
CloudBasic
00:09:06
30/11/2022
file.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
1cf06beb83d2bd1afd1b9b62994e7549
88bd7da7668fb669b5503696ee0a9c0f2dbeceb7
4dc0de570728f75f844c7afb84ac6c809ef4620dac3b12a884ff9916f5b5b0ee
Win32 Executable (generic) a (10002005/4) 99.96%
Maps a DLL or memory area into another process
Yara detected UAC Bypass using CMSTP
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Yara detected SmokeLoader
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
System process connects to network (likely due to code injection or exploit)
Deletes itself after installation
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Detected unpacking (changes PE section rights)
C2 URLs / IPs found in malware configuration
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Checks if the current machine is a virtual machine (disk enumeration)