Loading ...

Play interactive tourEdit tour

Analysis Report Overdue.exe

Overview

General Information

Sample Name:Overdue.exe
Analysis ID:298752
MD5:305a8ccda43bb9498b600ab01229bce5
SHA1:fc95e3c7128d2cc11b6eea84b498ab3392c8e10c
SHA256:d7c413a17b18a3ce5b4fbc679ea4f141a31b77f4c13962bc7ad4f80a4df03cd9
Tags:exeNanoCoreRAT

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Overdue.exe (PID: 6656 cmdline: 'C:\Users\user\Desktop\Overdue.exe' MD5: 305A8CCDA43BB9498B600AB01229BCE5)
    • Overdue.exe (PID: 6764 cmdline: C:\Users\user\Desktop\Overdue.exe MD5: 305A8CCDA43BB9498B600AB01229BCE5)
  • dhcpmon.exe (PID: 7040 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 305A8CCDA43BB9498B600AB01229BCE5)
    • dhcpmon.exe (PID: 5336 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 305A8CCDA43BB9498B600AB01229BCE5)
    • dhcpmon.exe (PID: 204 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 305A8CCDA43BB9498B600AB01229BCE5)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["79.134.225.116"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.500187483.0000000002CD1000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000002.00000002.505293621.00000000057D0000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0xf7ad:$x1: NanoCore.ClientPluginHost
    • 0xf7da:$x2: IClientNetworkHost
    00000002.00000002.505293621.00000000057D0000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0xf7ad:$x2: NanoCore.ClientPluginHost
    • 0x10888:$s4: PipeCreated
    • 0xf7c7:$s5: IClientLoggingHost
    00000002.00000002.505293621.00000000057D0000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      00000004.00000002.279749941.0000000003271000.00000004.00000001.sdmpJoeSecurity_AntiVM_3Yara detected AntiVM_3Joe Security
        Click to see the 33 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        2.2.Overdue.exe.55e0000.4.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0x1646:$x1: NanoCore.ClientPluginHost
        2.2.Overdue.exe.55e0000.4.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
        • 0x1646:$x2: NanoCore.ClientPluginHost
        • 0x1724:$s4: PipeCreated
        • 0x1660:$s5: IClientLoggingHost
        2.2.Overdue.exe.5440000.3.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0xe75:$x1: NanoCore.ClientPluginHost
        • 0xe8f:$x2: IClientNetworkHost
        2.2.Overdue.exe.5440000.3.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
        • 0xe75:$x2: NanoCore.ClientPluginHost
        • 0x1261:$s3: PipeExists
        • 0x1136:$s4: PipeCreated
        • 0xeb0:$s5: IClientLoggingHost
        2.2.Overdue.exe.57d0000.7.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0xd9ad:$x1: NanoCore.ClientPluginHost
        • 0xd9da:$x2: IClientNetworkHost
        Click to see the 13 entries

        Sigma Overview

        System Summary:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Overdue.exe, ProcessId: 6764, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Found malware configurationShow sources
        Source: dhcpmon.exe.204.7.memstrMalware Configuration Extractor: NanoCore {"C2: ": ["79.134.225.116"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
        Multi AV Scanner detection for dropped fileShow sources
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeVirustotal: Detection: 25%Perma Link
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeReversingLabs: Detection: 14%
        Multi AV Scanner detection for submitted fileShow sources
        Source: Overdue.exeVirustotal: Detection: 25%Perma Link
        Source: Overdue.exeReversingLabs: Detection: 14%
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000002.00000002.500187483.0000000002CD1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.505293621.00000000057D0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000007.00000002.295307504.0000000004079000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000002.281680998.0000000004279000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.241089089.00000000038F9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.503718259.0000000003D19000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000007.00000002.295235323.0000000003071000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.497866784.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000007.00000002.294219128.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 204, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Overdue.exe PID: 6764, type: MEMORY
        Source: Yara matchFile source: 2.2.Overdue.exe.57d0000.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.Overdue.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.Overdue.exe.57d0000.7.raw.unpack, type: UNPACKEDPE
        Machine Learning detection for dropped fileShow sources
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJoe Sandbox ML: detected
        Machine Learning detection for sampleShow sources
        Source: Overdue.exeJoe Sandbox ML: detected
        Source: 2.2.Overdue.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 7.2.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: global trafficTCP traffic: 192.168.2.7:49724 -> 79.134.225.116:50902
        Source: Joe Sandbox ViewASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: unknownTCP traffic detected without corresponding DNS query: 79.134.225.116
        Source: Overdue.exe, 00000002.00000002.503718259.0000000003D19000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 00000002.00000002.500187483.0000000002CD1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.505293621.00000000057D0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000007.00000002.295307504.0000000004079000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000002.281680998.0000000004279000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.241089089.00000000038F9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.503718259.0000000003D19000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000007.00000002.295235323.0000000003071000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000002.00000002.497866784.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000007.00000002.294219128.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 204, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Overdue.exe PID: 6764, type: MEMORY
        Source: Yara matchFile source: 2.2.Overdue.exe.57d0000.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.Overdue.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 2.2.Overdue.exe.57d0000.7.raw.unpack, type: UNPACKEDPE

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 00000002.00000002.505293621.00000000057D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000002.00000002.505075328.00000000055E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000007.00000002.295307504.0000000004079000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000002.281680998.0000000004279000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000004.00000002.281680998.0000000004279000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.504900231.0000000005440000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.241089089.00000000038F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.241089089.00000000038F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.503718259.0000000003D19000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000002.295235323.0000000003071000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000002.00000002.497866784.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000002.00000002.497866784.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000002.294219128.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000007.00000002.294219128.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 204, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 204, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Overdue.exe PID: 6764, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: Overdue.exe PID: 6764, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 2.2.Overdue.exe.55e0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.Overdue.exe.5440000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.Overdue.exe.57d0000.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.Overdue.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 2.2.Overdue.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 2.2.Overdue.exe.57d0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 0_2_05BC90A8 NtDeleteAtom,0_2_05BC90A8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4_2_064E90A8 NtDeleteAtom,4_2_064E90A8
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 0_2_04DAE6F00_2_04DAE6F0
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 0_2_04DAE7000_2_04DAE700
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 0_2_04DAC2340_2_04DAC234
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 0_2_05BC5F400_2_05BC5F40
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 0_2_05BC9A380_2_05BC9A38
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_0131E4732_2_0131E473
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_0131E4802_2_0131E480
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_0131BBD42_2_0131BBD4
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_062E02202_2_062E0220
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4_2_056CE7004_2_056CE700
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4_2_056CE6F04_2_056CE6F0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4_2_056CC2344_2_056CC234
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4_2_057684604_2_05768460
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4_2_0576B7C04_2_0576B7C0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4_2_057650C84_2_057650C8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4_2_057652E84_2_057652E8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4_2_05767CF84_2_05767CF8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4_2_064E5F404_2_064E5F40
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4_2_064E9A384_2_064E9A38
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_013EE4717_2_013EE471
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_013EE4807_2_013EE480
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 7_2_013EBBD47_2_013EBBD4
        Source: Overdue.exe, 00000000.00000002.240573894.00000000028F1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameexag vs Overdue.exe
        Source: Overdue.exe, 00000000.00000002.245070570.0000000005A80000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKedermister.dllT vs Overdue.exe
        Source: Overdue.exe, 00000000.00000000.233447948.0000000000494000.00000002.00020000.sdmpBinary or memory string: OriginalFilename1l2x.exe4 vs Overdue.exe
        Source: Overdue.exe, 00000002.00000002.500187483.0000000002CD1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Overdue.exe
        Source: Overdue.exe, 00000002.00000002.500187483.0000000002CD1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoProtectClient.dllT vs Overdue.exe
        Source: Overdue.exe, 00000002.00000000.238847086.0000000000994000.00000002.00020000.sdmpBinary or memory string: OriginalFilename1l2x.exe4 vs Overdue.exe
        Source: Overdue.exe, 00000002.00000002.505550151.00000000066B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs Overdue.exe
        Source: Overdue.exe, 00000002.00000002.503718259.0000000003D19000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs Overdue.exe
        Source: Overdue.exe, 00000002.00000002.503718259.0000000003D19000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Overdue.exe
        Source: Overdue.exeBinary or memory string: OriginalFilename1l2x.exe4 vs Overdue.exe
        Source: 00000002.00000002.505293621.00000000057D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.505293621.00000000057D0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000002.00000002.505075328.00000000055E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.505075328.00000000055E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000007.00000002.295307504.0000000004079000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000002.281680998.0000000004279000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000004.00000002.281680998.0000000004279000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.504900231.0000000005440000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.504900231.0000000005440000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000000.00000002.241089089.00000000038F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.241089089.00000000038F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.503718259.0000000003D19000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.295235323.0000000003071000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.497866784.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.497866784.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.294219128.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000002.294219128.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 204, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 204, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Overdue.exe PID: 6764, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Overdue.exe PID: 6764, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.Overdue.exe.55e0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.Overdue.exe.55e0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.Overdue.exe.5440000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.Overdue.exe.5440000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.Overdue.exe.57d0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.Overdue.exe.57d0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.Overdue.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.Overdue.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 2.2.Overdue.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 2.2.Overdue.exe.57d0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 2.2.Overdue.exe.57d0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: Overdue.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.2.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 2.2.Overdue.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 2.2.Overdue.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 2.2.Overdue.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: classification engineClassification label: mal100.troj.evad.winEXE@8/5@0/2
        Source: C:\Users\user\Desktop\Overdue.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Overdue.exe.logJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{bee6dd74-1c71-4cb4-802e-6e62255dc22e}
        Source: Overdue.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Overdue.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: Overdue.exeVirustotal: Detection: 25%
        Source: Overdue.exeReversingLabs: Detection: 14%
        Source: C:\Users\user\Desktop\Overdue.exeFile read: C:\Users\user\Desktop\Overdue.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\Overdue.exe 'C:\Users\user\Desktop\Overdue.exe'
        Source: unknownProcess created: C:\Users\user\Desktop\Overdue.exe C:\Users\user\Desktop\Overdue.exe
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\Overdue.exeProcess created: C:\Users\user\Desktop\Overdue.exe C:\Users\user\Desktop\Overdue.exeJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
        Source: Overdue.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: Overdue.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: Overdue.exe, 00000002.00000002.500187483.0000000002CD1000.00000004.00000001.sdmp, dhcpmon.exe, 00000007.00000002.295307504.0000000004079000.00000004.00000001.sdmp

        Data Obfuscation:

        barindex
        .NET source code contains potential unpackerShow sources
        Source: Overdue.exe, FastResourceComparer.cs.Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.2.Overdue.exe.400000.0.unpack, FastResourceComparer.cs.Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.0.Overdue.exe.400000.0.unpack, FastResourceComparer.cs.Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: dhcpmon.exe.2.dr, FastResourceComparer.cs.Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.2.Overdue.exe.900000.1.unpack, FastResourceComparer.cs.Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.2.Overdue.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.2.Overdue.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 2.0.Overdue.exe.900000.0.unpack, FastResourceComparer.cs.Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.2.dhcpmon.exe.e60000.0.unpack, FastResourceComparer.cs.Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.0.dhcpmon.exe.e60000.0.unpack, FastResourceComparer.cs.Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.0.dhcpmon.exe.100000.0.unpack, FastResourceComparer.cs.Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 6.2.dhcpmon.exe.100000.0.unpack, FastResourceComparer.cs.Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.0.dhcpmon.exe.c10000.0.unpack, FastResourceComparer.cs.Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_0131E0F0 push edx; retf 2_2_0131E312
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_0131E0D8 push ecx; retf 2_2_0131E0E2
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_0131E373 push edx; retf 2_2_0131E37A
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_0131E36F push edx; retf 2_2_0131E372
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_0131E349 push edx; retf 2_2_0131E34A
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_0131E471 push ebx; retf 2_2_0131E472
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_01318A70 push ss; retf 2_2_01318B82
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_01318A61 push ss; retf 2_2_01318A62
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_0131EDB9 push esi; retf 2_2_0131EDBA
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_0131ED89 push esi; retf 2_2_0131ED8A
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_0131EDF3 push edi; retf 2_2_0131EDF6
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_0131EDEF push edi; retf 2_2_0131EDF2
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_013193D9 push ds; retf 2_2_013193DA
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_0131F798 pushad ; retf 2_2_0131F79A
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_01319660 push ds; retf 2_2_01319662
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_013196C7 push ds; retf 2_2_013196CA
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_01317A71 push cs; retf 2_2_01317A72
        Source: C:\Users\user\Desktop\Overdue.exeCode function: 2_2_01317A80 push cs; retf 2_2_01317C62
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 4_2_064E5145 push es; iretd 4_2_064E514C
        Source: initial sampleStatic PE information: section name: .text entropy: 7.73994436556
        Source: initial sampleStatic PE information: section name: .text entropy: 7.73994436556
        Source: 2.2.Overdue.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 2.2.Overdue.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\Overdue.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

        Hooking and other Techniques for Hiding and Protection:

        barindex
        Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
        Source: C:\Users\user\Desktop\Overdue.exeFile opened: C:\Users\user\Desktop\Overdue.exe:Zone.Identifier read attributes | deleteJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

        Malware Analysis System Evasion:

        barindex
        Yara detected AntiVM_3Show sources
        Source: Yara matchFile source: 00000004.00000002.279749941.0000000003271000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000004.00000002.279926645.00000000032BD000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.240573894.00000000028F1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.240610940.000000000293B000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 7040, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Overdue.exe PID: 6656, type: MEMORY
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
        Source: Overdue.exe, 00000000.00000002.240573894.00000000028F1000.00000004.00000001.sdmp, dhcpmon.exe, 00000004.00000002.279749941.0000000003271000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
        Source: Overdue.exe, 00000000.00000002.240573894.00000000028F1000.00000004.00000001.sdmp, dhcpmon.exe, 00000004.00000002.279749941.0000000003271000.00000004.00000001.sdmpBinary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
        Source: C:\Users\user\Desktop\Overdue.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeWindow / User API: threadDelayed 1273Jump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeWindow / User API: threadDelayed 8320Jump to behavior
        Source: C:\Users\user\Desktop\Overdue.exeWindow / User API: foregroundWindowGot 926Jump to behavior
        Source: C:\Users\user\Desktop\Overdue.exe TID: 6660Thread sleep time: -50954s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exe TID: 6728Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\Overdue.exe TID: 6828Thread sleep time: -15679732462653109s >= -30000sJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7044Thread sleep time: -51165s >= -30000sJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7112Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4460Thread sleep time: -922337203685477s >= -30000sJump to behavior