
Analysis Report Notificare de expediere a serviciului de curierat FAN.exe

Overview

General Information

Sample Name:Notificare de expediere a serviciului de curierat FAN.exe
Analysis ID:286337
MD5:7db1b44f6ea4adad2beaad9b5417d399
SHA1:fbe1384292e70c016b56d113e77cc6f1e7eed77c
SHA256:80f7cf5c13b590c2c2827174cb3d856e19afd61a439af498d5f812c909382abe
Tags:exe


Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.645957801.0000000005720000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000004.00000002.645957801.0000000005720000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000004.00000002.645957801.0000000005720000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000004.00000002.644187483.0000000003F57000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000004.00000002.644187483.0000000003F57000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x33c5:$a: NanoCore
  • 0x341e:$a: NanoCore
  • 0x345b:$a: NanoCore
  • 0x34d4:$a: NanoCore
  • 0x16b7f:$a: NanoCore
  • 0x16b94:$a: NanoCore
  • 0x16bc9:$a: NanoCore
  • 0x2f63b:$a: NanoCore
  • 0x2f650:$a: NanoCore
  • 0x2f685:$a: NanoCore
  • 0x3427:$b: ClientPlugin
  • 0x3464:$b: ClientPlugin
  • 0x3d62:$b: ClientPlugin
  • 0x3d6f:$b: ClientPlugin
  • 0x1693b:$b: ClientPlugin
  • 0x16956:$b: ClientPlugin
  • 0x16986:$b: ClientPlugin
  • 0x16b9d:$b: ClientPlugin
  • 0x16bd2:$b: ClientPlugin
  • 0x2f3f7:$b: ClientPlugin
  • 0x2f412:$b: ClientPlugin

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.Notificare de expediere a serviciului de curierat FAN.exe.5720000.5.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
4.2.Notificare de expediere a serviciului de curierat FAN.exe.5720000.5.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
4.2.Notificare de expediere a serviciului de curierat FAN.exe.5720000.5.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
4.2.Notificare de expediere a serviciului de curierat FAN.exe.5310000.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
4.2.Notificare de expediere a serviciului de curierat FAN.exe.5310000.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, ProcessId: 2616, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LokanUXWYenty' /XML 'C:\Users\user\AppData\Local\Temp\tmpED10.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LokanUXWYenty' /XML 'C:\Users\user\AppData\Local\Temp\tmpED10.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe', ParentImage: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, ParentProcessId: 3184, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LokanUXWYenty' /XML 'C:\Users\user\AppData\Local\Temp\tmpED10.tmp', ProcessId: 6756

Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\LokanUXWYenty.exe, Virustotal: Detection: 25%
Source: C:\Users\user\AppData\Roaming\LokanUXWYenty.exe, ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: Notificare de expediere a serviciului de curierat FAN.exe, Virustotal: Detection: 25%
Source: Notificare de expediere a serviciului de curierat FAN.exe, ReversingLabs: Detection: 27%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000004.00000002.645957801.0000000005720000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.644187483.0000000003F57000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.639330802.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.383673607.0000000004321000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Notificare de expediere a serviciului de curierat FAN.exe PID: 3184, type: MEMORY
Source: Yara match, File source: Process Memory Space: Notificare de expediere a serviciului de curierat FAN.exe PID: 2616, type: MEMORY
Source: Yara match, File source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.5720000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.5720000.5.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\LokanUXWYenty.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Notificare de expediere a serviciului de curierat FAN.exe, Joe Sandbox ML: detected
Source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h, 0_2_05B3FB78
Source: global traffic, TCP traffic: 192.168.2.3:49726 -> 194.5.98.4:2010
Source: unknown, TCP traffic detected without corresponding DNS query: 194.5.98.4
Source: Notificare de expediere a serviciului de curierat FAN.exe, 00000000.00000002.382271609.000000000125B000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Notificare de expediere a serviciului de curierat FAN.exe, 00000004.00000002.645957801.0000000005720000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: 00000004.00000002.645957801.0000000005720000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.644187483.0000000003F57000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.639330802.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.383673607.0000000004321000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Notificare de expediere a serviciului de curierat FAN.exe PID: 3184, type: MEMORY
Source: Yara match, File source: Process Memory Space: Notificare de expediere a serviciului de curierat FAN.exe PID: 2616, type: MEMORY
Source: Yara match, File source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.5720000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.5720000.5.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.645957801.0000000005720000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000004.00000002.644187483.0000000003F57000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.639330802.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000004.00000002.639330802.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.383673607.0000000004321000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.383673607.0000000004321000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.645613193.0000000005310000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: Notificare de expediere a serviciului de curierat FAN.exe PID: 3184, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: Notificare de expediere a serviciului de curierat FAN.exe PID: 3184, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Notificare de expediere a serviciului de curierat FAN.exe PID: 2616, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: Notificare de expediere a serviciului de curierat FAN.exe PID: 2616, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.5720000.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.5310000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.5720000.5.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 0_2_05AB149E NtQuerySystemInformation, 0_2_05AB149E
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 0_2_05AB1471 NtQuerySystemInformation, 0_2_05AB1471
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 4_2_052714C2 NtQuerySystemInformation, 4_2_052714C2
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 4_2_05271487 NtQuerySystemInformation, 4_2_05271487
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 0_2_00B7BC62, 0_2_00B7BC62
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 0_2_05507708, 0_2_05507708
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 0_2_05500B28, 0_2_05500B28
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 0_2_055076B0, 0_2_055076B0
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 0_2_05501550, 0_2_05501550
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 0_2_05506936, 0_2_05506936
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 0_2_055085DA, 0_2_055085DA
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 0_2_055085E8, 0_2_055085E8
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 0_2_05508838, 0_2_05508838
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 0_2_055018D0, 0_2_055018D0
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 0_2_055018C1, 0_2_055018C1
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 0_2_05501B12, 0_2_05501B12
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 0_2_05500B19, 0_2_05500B19
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 0_2_05501B20, 0_2_05501B20
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 0_2_055076FA, 0_2_055076FA
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 0_2_05B357DF, 0_2_05B357DF
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 0_2_05B3B758, 0_2_05B3B758
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 0_2_00B72050, 0_2_00B72050
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 3_2_000ABC62, 3_2_000ABC62
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 3_2_000A2050, 3_2_000A2050
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 4_2_008EBC62, 4_2_008EBC62
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 4_2_05158318, 4_2_05158318
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 4_2_05158F18, 4_2_05158F18
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 4_2_051523A0, 4_2_051523A0
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 4_2_05152FA8, 4_2_05152FA8
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 4_2_0515ABE8, 4_2_0515ABE8
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 4_2_0515306F, 4_2_0515306F
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 4_2_05158FDF, 4_2_05158FDF
Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe, Code function: 4_2_008E2050, 4_2_008E2050
Source: Notificare de expediere a serviciului de curierat FAN.exe, 00000000.00000002.382271609.000000000125B000.00000004.00000020.sdmp, Binary or memory string: OriginalFilenamemscorwks.dllT vs Notificare de expediere a serviciului de curierat FAN.exe
Source: Notificare de expediere a serviciului de curierat FAN.exe, 00000000.00000002.385189272.00000000055E0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs Notificare de expediere a serviciului de curierat FAN.exe
Source: Notificare de expediere a serviciului de curierat FAN.exe, 00000000.00000003.374585137.00000000012BB000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameEminem.dll< vs Notificare de expediere a serviciului de curierat FAN.exe
Source: Notificare de expediere a serviciului de curierat FAN.exe, 00000000.00000002.387414068.0000000006250000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs Notificare de expediere a serviciului de curierat FAN.exe
Source: Notificare de expediere a serviciului de curierat FAN.exe, 00000000.00000002.387414068.0000000006250000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Notificare de expediere a serviciului de curierat FAN.exe
Source: Notificare de expediere a serviciului de curierat FAN.exe, 00000000.00000002.385929877.00000000059F0000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameButterFly.dll< vs Notificare de expediere a serviciului de curierat FAN.exe
Source: Notificare de expediere a serviciului de curierat FAN.exe, 00000000.00000002.381915789.0000000000C0C000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamefXmx.exe4 vs Notificare de expediere a serviciului de curierat FAN.exe
Source: Notificare de expediere a serviciului de curierat FAN.exe, 00000000.00000002.386620650.0000000006150000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs Notificare de expediere a serviciului de curierat FAN.exe
Source: Notificare de expediere a serviciului de curierat FAN.exe, 00000003.00000002.380455627.000000000013C000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamefXmx.exe4 vs Notificare de expediere a serviciului de curierat FAN.exe
Source: Notificare de expediere a serviciului de curierat FAN.exe, 00000004.00000000.381115123.000000000097C000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenamefXmx.exe4 vs Notificare de expediere a serviciului de curierat FAN.exe
Source: Notificare de expediere a serviciului de curierat FAN.exe, 00000004.00000002.645957801.0000000005720000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs Notificare de expediere a serviciului de curierat FAN.exe
Source: Notificare de expediere a serviciului de curierat FAN.exe, 00000004.00000002.645957801.0000000005720000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Notificare de expediere a serviciului de curierat FAN.exe
Source: Notificare de expediere a serviciului de curierat FAN.exe, 00000004.00000002.641824684.0000000002F11000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Notificare de expediere a serviciului de curierat FAN.exe
Source: Notificare de expediere a serviciului de curierat FAN.exe, 00000004.00000002.646418299.0000000005EE0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Notificare de expediere a serviciului de curierat FAN.exe
Source: Notificare de expediere a serviciului de curierat FAN.exe, 00000004.00000002.645484897.00000000052A0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs Notificare de expediere a serviciului de curierat FAN.exe
Source: Notificare de expediere a serviciului de curierat FAN.exe, 00000004.00000002.645397067.0000000005260000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs Notificare de expediere a serviciului de curierat FAN.exe
Source: Notificare de expediere a serviciului de curierat FAN.exe, Binary or memory string: OriginalFilenamefXmx.exe4 vs Notificare de expediere a serviciului de curierat FAN.exe
        Source: 00000004.00000002.645957801.0000000005720000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.645957801.0000000005720000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000004.00000002.644187483.0000000003F57000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000002.639330802.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.639330802.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.383673607.0000000004321000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.383673607.0000000004321000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000002.645613193.0000000005310000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.645613193.0000000005310000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: Process Memory Space: Notificare de expediere a serviciului de curierat FAN.exe PID: 3184, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Notificare de expediere a serviciului de curierat FAN.exe PID: 3184, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Notificare de expediere a serviciului de curierat FAN.exe PID: 2616, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Notificare de expediere a serviciului de curierat FAN.exe PID: 2616, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.5720000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.5720000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.5310000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.5310000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.5720000.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.5720000.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: Notificare de expediere a serviciului de curierat FAN.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: LokanUXWYenty.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: Notificare de expediere a serviciului de curierat FAN.exe, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: LokanUXWYenty.exe.0.dr, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 0.2.Notificare de expediere a serviciului de curierat FAN.exe.b70000.0.unpack, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 0.0.Notificare de expediere a serviciului de curierat FAN.exe.b70000.0.unpack, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.2.Notificare de expediere a serviciului de curierat FAN.exe.a0000.0.unpack, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.0.Notificare de expediere a serviciului de curierat FAN.exe.a0000.0.unpack, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/5@0/2
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Code function: 0_2_05AB108A AdjustTokenPrivileges, 0_2_05AB108A
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Code function: 0_2_05AB1053 AdjustTokenPrivileges, 0_2_05AB1053
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Code function: 4_2_05271282 AdjustTokenPrivileges, 4_2_05271282
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Code function: 4_2_0527124B AdjustTokenPrivileges, 4_2_0527124B
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | File created: C:\Users\user\AppData\Roaming\LokanUXWYenty.exe
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{06c820a6-9062-49c3-a472-0ed60e3a6261}
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Mutant created: \Sessions\1\BaseNamedObjects\LLFwmsPZIt
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_01
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | File created: C:\Users\user\AppData\Local\Temp\tmpED10.tmp
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: Notificare de expediere a serviciului de curierat FAN.exe | Virustotal: Detection: 25%
        Source: Notificare de expediere a serviciului de curierat FAN.exe | ReversingLabs: Detection: 27%
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | File read: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe
        Source: unknown | Process created: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe 'C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LokanUXWYenty' /XML 'C:\Users\user\AppData\Local\Temp\tmpED10.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe
        Source: unknown | Process created: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LokanUXWYenty' /XML 'C:\Users\user\AppData\Local\Temp\tmpED10.tmp'
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Process created: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Process created: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: Notificare de expediere a serviciului de curierat FAN.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: Notificare de expediere a serviciului de curierat FAN.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: mscorrc.pdb source: Notificare de expediere a serviciului de curierat FAN.exe, 00000000.00000002.385189272.00000000055E0000.00000002.00000001.sdmp, Notificare de expediere a serviciului de curierat FAN.exe, 00000004.00000002.645484897.00000000052A0000.00000002.00000001.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Code function: 0_2_0550902D push ebx; ret 0_2_0550902E
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Code function: 0_2_05B3399A push edi; retf 0_2_05B339A1
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Code function: 4_2_012774AC push ecx; ret 4_2_012774AD
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Code function: 4_2_01279D34 push 780127CBh; retf 4_2_01279D39
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Code function: 4_2_012774B8 push ebp; ret 4_2_012774B9
        Source: initial sample | Static PE information: section name: .text entropy: 7.29097673336
        Source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 4.2.Notificare de expediere a serviciului de curierat FAN.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | File created: \notificare de expediere a serviciului de curierat fan.exe
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | File created: C:\Users\user\AppData\Roaming\LokanUXWYenty.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\LokanUXWYenty' /XML 'C:\Users\user\AppData\Local\Temp\tmpED10.tmp'
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM_3
        Source: Yara match | File source: 00000000.00000002.383380288.0000000003321000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.383427562.000000000335E000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Notificare de expediere a serviciului de curierat FAN.exe PID: 3184, type: MEMORY
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: Notificare de expediere a serviciului de curierat FAN.exe, 00000000.00000002.383380288.0000000003321000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: Notificare de expediere a serviciului de curierat FAN.exe, 00000000.00000002.383380288.0000000003321000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Window / User API: threadDelayed 411
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Window / User API: threadDelayed 1293
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe | Window / User API: foregroundWindowGot 827
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe TID: 3228 | Thread sleep time: -51223s >= -30000s
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe TID: 2940 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\Notificare de expediere a serviciului de curierat FAN.exe TID: 5896 | Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed