36.0.0 Rainbow Opal
IR
756323
CloudBasic
01:23:15
30/11/2022
Lc8xQv8iZY.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
30571d64c9a9ed267159fa941a20840c
bfb81d8a7c94781b3bd939bd17d500ae61b2ff70
85d6c9eac93fb8818d37dc15110ebd060b3e9df48043ee6bcf349df6aed047c5
Win32 Executable (generic) a (10002005/4) 99.96%
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Machine Learning detection for sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Tries to harvest and steal browser information (history, passwords, etc)
Snort IDS alert for network traffic