Joe Sandbox analysis report, flattened export (field labels restored; values unchanged)

Sandbox version: 36.0.0 Rainbow Opal
Product: CloudBasic
Analysis ID: 756313
Start time: 01:08:08
Start date: 30/11/2022 (dd/mm/yyyy)
Sample name: qHpeBvr9cR.exe
Cookbook: default.jbs
Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture: WINDOWS
Unlabeled value in export: IR

Submitted sample
  MD5:    f5bea76ffac05afbe19274595801184e
  SHA1:   93ef457bfcbc5f0860b1b7f6353ed6e9b0afd60e
  SHA256: 40dcfb704112265b383679baa3064cd7355bd02119b117f396e1b0283342362c
  File type (TrID): Win32 Executable (generic) a (10002005/4) 99.96%

Detection
  Verdict: malicious (verdict flags as exported: true, false, false, false)
  Score: 100 (scale 0 to 100)
  Confidence: 5 (scale 0 to 5)
  Whitelisted: false
Dropped files (malicious flag as exported)

C:\Users\user\AppData\Local\Temp\-ODfqI49
  malicious: false
  MD5:    292F98D765C8712910776C89ADDE2311
  SHA1:   E9F4CCB4577B3E6857C6116C9CBA0F3EC63878C5
  SHA256: 9C63F8321526F04D4CD0CFE11EA32576D1502272FE8333536B9DEE2C3B49825E

C:\Users\user\AppData\Local\Temp\febcldoukq.exe
  malicious: true
  MD5:    96E050F99502FE7C52FD9B0F10202578
  SHA1:   9ACE01D602E21FF8BF364A3BB2F46BC7FD285A7B
  SHA256: C7207F58E7A5BAD6EFC38C7DDFDDBC3B32C28F6BBA01D4251A44F6BBDABE4BC3

C:\Users\user\AppData\Local\Temp\nsx95CC.tmp
  malicious: false
  MD5:    3D3DFD7BB3B31CA9F6A9085FF03A933F
  SHA1:   C445CD44742166B12BC976C54EB0422E7B377C73
  SHA256: 74B5FDE9425C99AEB58669440FEE9206A57CAA8790635253E7F5C215973F4FB5

C:\Users\user\AppData\Local\Temp\rcibkfyfwn.yxq
  malicious: false
  MD5:    9929DD1C8831360C68C176ADB59CA947
  SHA1:   6CB9F8D296878B31DB696038EA01470613AEED9F
  SHA256: 5F3B667FA88AAD6BA21374E37014E72C2AAD0317ED1DE2C1D6DE839A61F9F541

C:\Users\user\AppData\Local\Temp\uebzn.cef
  malicious: false
  MD5:    28373E2B7E834278BBFC8597EA79A659
  SHA1:   674506B6D8C29D724529B2154D2EDCABEC4DB4EB
  SHA256: C8BD6B365CE4C504FD875CC967B7B498E8D79A27E877DBF1B3128EAD638C1B57
Contacted IPs
  192.185.217.47
  206.233.197.135
  155.159.61.221
  162.214.129.149

Contacted domains (name, malicious flag as exported, resolved IP)
  www.patrickguarte.com      malicious: true   IP: 155.159.61.221
  eufidelizo.com             malicious: true   IP: 192.185.217.47
  www.lyonfinancialusa.com   malicious: true   IP: 206.233.197.135
  www.afterdarksocial.club   malicious: true   IP: 162.214.129.149
  www.eufidelizo.com         malicious: true   IP: unknown
  www.19t221013d.tokyo       malicious: true   IP: unknown

URLs (name, malicious flag as exported, IP; entries reproduced verbatim, including several where two extracted strings were fused together)
  http://www.lyonfinancialusa.com/henz/
    malicious: true   IP: 206.233.197.135
  https://ac.ecosia.org/autocomplete?q=
    malicious: false  IP: unknown
  https://search.yahoo.com?fr=crmas_sfp
    malicious: false  IP: unknown
  http://www.autoitscript.com/autoit3/J
    malicious: false  IP: unknown
  https://duckduckgo.com/chrome_newtab
    malicious: false  IP: unknown
  https://duckduckgo.com/ac/?q=
    malicious: false  IP: unknown
  http://www.eufidelizo.com/henz/?ChMxG4C=wcp3urA+/rGtUuNVdXHur6CaD7Rg4XGXlvUWG7FdGjeYGPzd5j/g1Govvww0i9Uvwfj8E4D4P4OVv2O692MpWFmEiKCsF21Xzw==&8p08qr=2d0X
    malicious: true   IP: 192.185.217.47
  http://nsis.sf.net/NSIS_Error
    malicious: false  IP: unknown
  https://www.google.com/images/branding/product/ico/googleg_lodp.ico
    malicious: false  IP: unknown
  http://www.patrickguarte.com/henz/?ChMxG4C=5p9Ov6C7qce51hIp6D8A72je8vUJddN77lLEFw6Ufibk2yN56suG3zROnD+rS7baXFO6PfoGYvZY6sqA3kYBdz817Owqh44+wA==&8p08qr=2d0X
    malicious: true   IP: 155.159.61.221
  https://search.yahoo.com?fr=crmas_sfpf
    malicious: false  IP: unknown
  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
    malicious: false  IP: unknown
  https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
    malicious: false  IP: unknown
  http://www.patrickguarte.com/henz/
    malicious: true   IP: 155.159.61.221
  http://nsis.sf.net/NSIS_ErrorError
    malicious: false  IP: unknown
  http://www.afterdarksocial.club/henz/
    malicious: true   IP: 162.214.129.149
  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
    malicious: false  IP: unknown
  https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
    malicious: false  IP: unknown
  www.brennancorps.info/henz/
    malicious: true   IP: not recorded in the export
  http://code.jquery.com/jquery-3.3.1.min.js
    malicious: false  IP: unknown
  http://gmpg.org/xfn/11
    malicious: false  IP: unknown
Behavior signatures (as reported)
  Sample uses process hollowing technique
  Tries to steal Mail credentials (via file / registry access)
  Maps a DLL or memory area into another process
  Uses netsh to modify the Windows network and firewall settings
  Multi AV Scanner detection for submitted file
  Yara detected FormBook
  Malicious sample detected (through community Yara rule)
  Machine Learning detection for sample
  Queues an APC in another process (thread injection)
  System process connects to network (likely due to code injection or exploit)
  Machine Learning detection for dropped file
  Modifies the context of a thread in another process (thread injection)
  C2 URLs / IPs found in malware configuration
  Antivirus detection for URL or domain
  Multi AV Scanner detection for domain / URL
  Multi AV Scanner detection for dropped file
  Tries to harvest and steal browser information (history, passwords, etc)
  Snort IDS alert for network traffic