We are hiring! Windows Kernel Developer (Remote), apply here!
flash

Receipt.exe

Status: finished
Submission Time: 2022-10-03 13:18:14 +02:00
Malicious
Trojan
Evader
Nanocore

Comments

Tags

  • exe
  • NanoCore
  • RAT

Details

  • Analysis ID:
    714970
  • API (Web) ID:
    1082412
  • Analysis Started:
    2022-10-03 13:26:47 +02:00
  • Analysis Finished:
    2022-10-03 13:38:32 +02:00
  • MD5:
    59082912cb9d1d4ece0567b1354d0f34
  • SHA1:
    a3c3e88b6c905eaee872bb21916c792a3ec1d7e7
  • SHA256:
    7ef24f6499dd9fc7809783a98febc44c2dc25a3f74d02c9bf8ddbae0d3b781c6
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious
14/39

malicious

URLs

Name Detection
https://www.newtonsoft.com/json
https://www.nuget.org/packages/Newtonsoft.Json.Bson
http://james.newtonking.com/projects/json
Click to see the 1 hidden entries
https://www.newtonsoft.com/jsonschema

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Receipt.exe.log
ASCII text, with CRLF line terminators
#
C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe
PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
#
C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe:Zone.Identifier
ASCII text, with CRLF line terminators
#
Click to see the 4 hidden entries
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
data
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mjzqitn5.ybc.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_twhdr2os.ade.ps1
very short file (no magic)
#