36.0.0 Rainbow Opal
IR
756343
CloudBasic
02:20:08
30/11/2022
PrWP76ejHO.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
db102a67350060a1e967aef81118f18d
a3131a3df17a154e41c09973ca8a9aabac29929e
98420cf47e19574739cff3f1f74bd3c6c70e103d0b28040b64fd3c77588c7ee7
Win32 Executable (generic) a (10002005/4) 99.96%
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Antivirus detection for URL or domain
Uses ipconfig to lookup or modify the Windows network settings
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Tries to harvest and steal browser information (history, passwords, etc)