Play interactive tour

Edit tour

Analysis Report checklist pdf.exe

Overview

General Information

Sample Name:	checklist pdf.exe
Analysis ID:	323809
MD5:	33fb3c28df0f678c7c6ef72e7e748cb1
SHA1:	ab7fbfdaf59bf4d6c79bb7acf2b59dad316675f9
SHA256:	5295f63f8452d5ac0fc3577cb720949db21efe807059e0a74cadd4d9bbbc941f
Tags:	exeNanoCore
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Contains functionality to log keystrokes (.Net Source)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

checklist pdf.exe (PID: 4728 cmdline: 'C:\Users\user\Desktop\checklist pdf.exe' MD5: 33FB3C28DF0F678C7C6EF72E7E748CB1)

schtasks.exe (PID: 6100 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

checklist pdf.exe (PID: 4648 cmdline: {path} MD5: 33FB3C28DF0F678C7C6EF72E7E748CB1)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x130445:$x1: NanoCore.ClientPluginHost 0x130482:$x2: IClientNetworkHost 0x133fb5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1301ad:$a: NanoCore 0x1301bd:$a: NanoCore 0x1303f1:$a: NanoCore 0x130405:$a: NanoCore 0x130445:$a: NanoCore 0x13020c:$b: ClientPlugin 0x13040e:$b: ClientPlugin 0x13044e:$b: ClientPlugin 0x130333:$c: ProjectData 0x130d3a:$d: DESCrypto 0x138706:$e: KeepAlive 0x1366f4:$g: LogClientMessage 0x1328ef:$i: get_Connected 0x131070:$j: #=q 0x1310a0:$j: #=q 0x1310bc:$j: #=q 0x1310ec:$j: #=q 0x131108:$j: #=q 0x131124:$j: #=q 0x131154:$j: #=q 0x131170:$j: #=q
00000003.00000002.509908735.0000000005440000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000003.00000002.509908735.0000000005440000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3395:$a: NanoCore 0x33ee:$a: NanoCore 0x342b:$a: NanoCore 0x34a4:$a: NanoCore 0x16b4f:$a: NanoCore 0x16b64:$a: NanoCore 0x16b99:$a: NanoCore 0x2f5f3:$a: NanoCore 0x2f608:$a: NanoCore 0x2f63d:$a: NanoCore 0x33f7:$b: ClientPlugin 0x3434:$b: ClientPlugin 0x3d32:$b: ClientPlugin 0x3d3f:$b: ClientPlugin 0x1690b:$b: ClientPlugin 0x16926:$b: ClientPlugin 0x16956:$b: ClientPlugin 0x16b6d:$b: ClientPlugin 0x16ba2:$b: ClientPlugin 0x2f3af:$b: ClientPlugin 0x2f3ca:$b: ClientPlugin
00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x56325:$x1: NanoCore.ClientPluginHost 0x56362:$x2: IClientNetworkHost 0x59e95:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5608d:$a: NanoCore 0x5609d:$a: NanoCore 0x562d1:$a: NanoCore 0x562e5:$a: NanoCore 0x56325:$a: NanoCore 0x560ec:$b: ClientPlugin 0x562ee:$b: ClientPlugin 0x5632e:$b: ClientPlugin 0x56213:$c: ProjectData 0x12ae90:$c: ProjectData 0x56c1a:$d: DESCrypto 0x12bbb6:$d: DESCrypto 0x5e5e6:$e: KeepAlive 0x5c5d4:$g: LogClientMessage 0x587cf:$i: get_Connected 0x56f50:$j: #=q 0x56f80:$j: #=q 0x56f9c:$j: #=q 0x56fcc:$j: #=q 0x56fe8:$j: #=q 0x57004:$j: #=q
00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.248350217.0000000002A3E000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: checklist pdf.exe PID: 4728	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xdb826:$x1: NanoCore.ClientPluginHost 0xdb887:$x2: IClientNetworkHost 0xe0c8c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xeebfe:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: checklist pdf.exe PID: 4728	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: checklist pdf.exe PID: 4728	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: checklist pdf.exe PID: 4728	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xdb32b:$a: NanoCore 0xdb347:$a: NanoCore 0xdb4a2:$a: NanoCore 0xdb4b1:$a: NanoCore 0xdb78a:$a: NanoCore 0xdb7b6:$a: NanoCore 0xdb826:$a: NanoCore 0xeb268:$a: NanoCore 0xeb27a:$a: NanoCore 0xeb2b6:$a: NanoCore 0xdb3d2:$b: ClientPlugin 0xdb4fb:$b: ClientPlugin 0xdb7bf:$b: ClientPlugin 0xdb82f:$b: ClientPlugin 0xeb283:$b: ClientPlugin 0xeb2bf:$b: ClientPlugin 0xdb648:$c: ProjectData 0xeb1b5:$c: ProjectData 0x1eb2eb:$c: ProjectData 0x1ed093:$c: ProjectData 0x51c5c0:$c: ProjectData
Process Memory Space: checklist pdf.exe PID: 4648	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xdf936:$x1: NanoCore.ClientPluginHost 0x2367c1:$x1: NanoCore.ClientPluginHost 0x2ad1bc:$x1: NanoCore.ClientPluginHost 0x2b2d7b:$x1: NanoCore.ClientPluginHost 0x2c3bcb:$x1: NanoCore.ClientPluginHost 0x3250ba:$x1: NanoCore.ClientPluginHost 0x3ca3fc:$x1: NanoCore.ClientPluginHost 0xdf997:$x2: IClientNetworkHost 0x2367e7:$x2: IClientNetworkHost 0x2ad1e2:$x2: IClientNetworkHost 0x2b2dc0:$x2: IClientNetworkHost 0x2c3c10:$x2: IClientNetworkHost 0x3250ff:$x2: IClientNetworkHost 0x3ca422:$x2: IClientNetworkHost 0xe4d9c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xf2d0e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: checklist pdf.exe PID: 4648	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: checklist pdf.exe PID: 4648	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xdf43b:$a: NanoCore 0xdf457:$a: NanoCore 0xdf5b2:$a: NanoCore 0xdf5c1:$a: NanoCore 0xdf89a:$a: NanoCore 0xdf8c6:$a: NanoCore 0xdf936:$a: NanoCore 0xef378:$a: NanoCore 0xef38a:$a: NanoCore 0xef3c6:$a: NanoCore 0x2366b3:$a: NanoCore 0x236754:$a: NanoCore 0x2367c1:$a: NanoCore 0x236882:$a: NanoCore 0x237753:$a: NanoCore 0x2377a6:$a: NanoCore 0x2377df:$a: NanoCore 0x237852:$a: NanoCore 0x2ad0ae:$a: NanoCore 0x2ad14f:$a: NanoCore 0x2ad1bc:$a: NanoCore
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.checklist pdf.exe.5440000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
3.2.checklist pdf.exe.5440000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
3.2.checklist pdf.exe.59b0000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
3.2.checklist pdf.exe.59b0000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
3.2.checklist pdf.exe.59b0000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.checklist pdf.exe.59b0000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
3.2.checklist pdf.exe.59b0000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
3.2.checklist pdf.exe.59b0000.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.checklist pdf.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.2.checklist pdf.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
3.2.checklist pdf.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.2.checklist pdf.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Click to see the 7 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\checklist pdf.exe, ProcessId: 4648, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\checklist pdf.exe' , ParentImage: C:\Users\user\Desktop\checklist pdf.exe, ParentProcessId: 4728, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp', ProcessId: 6100

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\PUalpOJIfJW.exe

ReversingLabs: Detection: 37%

Multi AV Scanner detection for submitted file

Show sources

Source: checklist pdf.exe	Virustotal: Detection: 32%			Perma Link
Source: checklist pdf.exe	ReversingLabs: Detection: 37%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY
Source: Yara match	File source: Process Memory Space: checklist pdf.exe PID: 4648, type: MEMORY
Source: Yara match	File source: 3.2.checklist pdf.exe.59b0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.checklist pdf.exe.59b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPE

Source: 3.2.checklist pdf.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.checklist pdf.exe.59b0000.6.unpack	Avira: Label: TR/NanoCore.fadte

Source: C:\Users\user\Desktop\checklist pdf.exe

Code function: 4x nop then jmp 04B4C14Ch

0_2_04B4B3AC

Networking:

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: kingman1.ddns.net

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 194.5.98.129:4545

Source: Joe Sandbox View

ASN Name: DANILENKODE DANILENKODE

Source: unknown

DNS traffic detected: queries for: kingman1.ddns.net

Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: checklist pdf.exe, 00000000.00000003.236008822.0000000004E63000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coma
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: checklist pdf.exe, 00000000.00000003.246990634.0000000004E50000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: checklist pdf.exe, 00000000.00000003.246990634.0000000004E50000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.come.comE
Source: checklist pdf.exe, 00000000.00000002.247712407.0000000000D27000.00000004.00000040.sdmp	String found in binary or memory: http://www.fonts.com
Source: checklist pdf.exe, 00000000.00000003.235767459.0000000004E5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.c&
Source: checklist pdf.exe, 00000000.00000003.235767459.0000000004E5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: checklist pdf.exe, 00000000.00000003.235767459.0000000004E5F000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnM1
Source: checklist pdf.exe, 00000000.00000003.235869978.0000000004E63000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnb-n
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: checklist pdf.exe, 00000000.00000003.236732753.0000000004E5D000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: checklist pdf.exe, 00000000.00000003.236619084.0000000004E57000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/E
Source: checklist pdf.exe, 00000000.00000003.236448569.0000000004E5D000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/H
Source: checklist pdf.exe, 00000000.00000003.236369930.0000000004E56000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/P
Source: checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/X
Source: checklist pdf.exe, 00000000.00000003.236732753.0000000004E5D000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/E
Source: checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0s
Source: checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/H
Source: checklist pdf.exe, 00000000.00000003.236619084.0000000004E57000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/J
Source: checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/v
Source: checklist pdf.exe, 00000000.00000003.236448569.0000000004E5D000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/v
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: checklist pdf.exe, 00000000.00000003.235981732.0000000004E64000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cna
Source: checklist pdf.exe	String found in binary or memory: https://api.coinmarketcap.com/v1/ticker/
Source: checklist pdf.exe	String found in binary or memory: https://coinmarketcap.com/api/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)

Show sources

Source: PUalpOJIfJW.exe.0.dr, Utilities/GlobalKeyboardHook.cs	.Net Code: Hook
Source: 0.0.checklist pdf.exe.2f0000.0.unpack, Utilities/GlobalKeyboardHook.cs	.Net Code: Hook
Source: 0.2.checklist pdf.exe.2f0000.0.unpack, Utilities/GlobalKeyboardHook.cs	.Net Code: Hook
Source: 3.2.checklist pdf.exe.a00000.1.unpack, Utilities/GlobalKeyboardHook.cs	.Net Code: Hook

Source: checklist pdf.exe, 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY
Source: Yara match	File source: Process Memory Space: checklist pdf.exe PID: 4648, type: MEMORY
Source: Yara match	File source: 3.2.checklist pdf.exe.59b0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.checklist pdf.exe.59b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.509908735.0000000005440000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: checklist pdf.exe PID: 4648, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: checklist pdf.exe PID: 4648, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.checklist pdf.exe.5440000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.checklist pdf.exe.59b0000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.checklist pdf.exe.59b0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_066A1A36 NtQuerySystemInformation,	0_2_066A1A36
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_066A1A05 NtQuerySystemInformation,	0_2_066A1A05
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_052C136A NtQuerySystemInformation,	3_2_052C136A
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_052C132F NtQuerySystemInformation,	3_2_052C132F

Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_04B414B0	0_2_04B414B0
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_04B49CC1	0_2_04B49CC1
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_04B4B3AC	0_2_04B4B3AC
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_04B427E4	0_2_04B427E4
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_04B44B30	0_2_04B44B30
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_04B49CF8	0_2_04B49CF8
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_04B4A1C7	0_2_04B4A1C7
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_04B49D1C	0_2_04B49D1C
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_01377ABE	3_2_01377ABE
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_05268468	3_2_05268468
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_05269068	3_2_05269068
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_052623A0	3_2_052623A0
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_05262FA8	3_2_05262FA8
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_0526AEF8	3_2_0526AEF8
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_0526912F	3_2_0526912F
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_0526306F	3_2_0526306F

Source: checklist pdf.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PUalpOJIfJW.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: checklist pdf.exe	Binary or memory string: OriginalFilename vs checklist pdf.exe
Source: checklist pdf.exe, 00000000.00000002.247125807.00000000002F2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamez3 vs checklist pdf.exe
Source: checklist pdf.exe, 00000000.00000002.253340179.00000000065F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs checklist pdf.exe
Source: checklist pdf.exe, 00000000.00000002.253869691.0000000006800000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameB2B.exe4 vs checklist pdf.exe
Source: checklist pdf.exe, 00000000.00000002.254721885.0000000006FD0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs checklist pdf.exe
Source: checklist pdf.exe, 00000000.00000002.254721885.0000000006FD0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs checklist pdf.exe
Source: checklist pdf.exe, 00000000.00000002.254226045.0000000006ED0000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs checklist pdf.exe
Source: checklist pdf.exe, 00000000.00000002.253421979.0000000006650000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMARCUS.dll4 vs checklist pdf.exe
Source: checklist pdf.exe	Binary or memory string: OriginalFilename vs checklist pdf.exe
Source: checklist pdf.exe, 00000003.00000002.510666524.0000000006600000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs checklist pdf.exe
Source: checklist pdf.exe, 00000003.00000002.509231793.00000000052B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs checklist pdf.exe
Source: checklist pdf.exe, 00000003.00000002.501952278.0000000000A02000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamez3 vs checklist pdf.exe
Source: checklist pdf.exe, 00000003.00000002.509908735.0000000005440000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs checklist pdf.exe
Source: checklist pdf.exe, 00000003.00000002.510102364.00000000055B0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs checklist pdf.exe
Source: checklist pdf.exe, 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs checklist pdf.exe
Source: checklist pdf.exe, 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs checklist pdf.exe
Source: checklist pdf.exe	Binary or memory string: OriginalFilenamez3 vs checklist pdf.exe

Source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.509908735.0000000005440000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.509908735.0000000005440000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: checklist pdf.exe PID: 4648, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: checklist pdf.exe PID: 4648, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.2.checklist pdf.exe.5440000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.checklist pdf.exe.5440000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.checklist pdf.exe.59b0000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.checklist pdf.exe.59b0000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.checklist pdf.exe.59b0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.checklist pdf.exe.59b0000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: checklist pdf.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: PUalpOJIfJW.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/4@23/2

Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_066A18BA AdjustTokenPrivileges,	0_2_066A18BA
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_066A1883 AdjustTokenPrivileges,	0_2_066A1883
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_052C112A AdjustTokenPrivileges,	3_2_052C112A
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_052C10F3 AdjustTokenPrivileges,	3_2_052C10F3

Source: C:\Users\user\Desktop\checklist pdf.exe

File created: C:\Users\user\AppData\Roaming\PUalpOJIfJW.exe

Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\kDLjLtOaX
Source: C:\Users\user\Desktop\checklist pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6132:120:WilError_01
Source: C:\Users\user\Desktop\checklist pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{4e4bd5d9-18d3-437e-8c11-5aa0bfb7769c}

Source: C:\Users\user\Desktop\checklist pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmpECD4.tmp

Jump to behavior

Source: checklist pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\checklist pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: checklist pdf.exe	Virustotal: Detection: 32%
Source: checklist pdf.exe	ReversingLabs: Detection: 37%

Source: C:\Users\user\Desktop\checklist pdf.exe

File read: C:\Users\user\Desktop\checklist pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\checklist pdf.exe 'C:\Users\user\Desktop\checklist pdf.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\checklist pdf.exe {path}
Source: C:\Users\user\Desktop\checklist pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process created: C:\Users\user\Desktop\checklist pdf.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: checklist pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\checklist pdf.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: checklist pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: mscorrc.pdb source: checklist pdf.exe, 00000000.00000002.253340179.00000000065F0000.00000002.00000001.sdmp, checklist pdf.exe, 00000003.00000002.510102364.00000000055B0000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: PUalpOJIfJW.exe.0.dr, SimpleTickerWindowsForms/SimpleTickerView.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.checklist pdf.exe.2f0000.0.unpack, SimpleTickerWindowsForms/SimpleTickerView.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.checklist pdf.exe.2f0000.0.unpack, SimpleTickerWindowsForms/SimpleTickerView.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.checklist pdf.exe.a00000.1.unpack, SimpleTickerWindowsForms/SimpleTickerView.cs	.Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_00A628AC push cs; ret	0_2_00A629AA
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_00A62C71 push es; ret	0_2_00A62C72
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 0_2_04B4575F push ecx; iretd	0_2_04B45760
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_01362BBD push cs; ret	3_2_01362BEA
Source: C:\Users\user\Desktop\checklist pdf.exe	Code function: 3_2_01362BEC push cs; ret	3_2_01362BEA

Source: initial sample	Static PE information: section name: .text entropy: 7.54197829505
Source: initial sample	Static PE information: section name: .text entropy: 7.54197829505

Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\checklist pdf.exe

File created: C:\Users\user\AppData\Roaming\PUalpOJIfJW.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\checklist pdf.exe

File opened: C:\Users\user\Desktop\checklist pdf.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match	File source: 00000000.00000002.248350217.0000000002A3E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1(R_
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLLX1(R(X

Source: C:\Users\user\Desktop\checklist pdf.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe	Window / User API: threadDelayed 745			Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Window / User API: foregroundWindowGot 948			Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe TID: 5356	Thread sleep time: -41500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe TID: 5604	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe TID: 5456	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe TID: 5456	Thread sleep count: 194 > 30	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe TID: 5456	Thread sleep count: 745 > 30	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe TID: 2268	Thread sleep count: 316 > 30	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe TID: 5456	Thread sleep count: 83 > 30	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe TID: 4440	Thread sleep time: -220000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\checklist pdf.exe

Code function: 3_2_052C0DB6 GetSystemInfo,

3_2_052C0DB6

Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: VMware\|9(r
Source: checklist pdf.exe, 00000003.00000002.510666524.0000000006600000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: VMWAREX1(riy
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: QEMUX1(rX
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIX1(r
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: VMWARE\|9(r
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: (r#"SOFTWARE\VMware, Inc.\VMware ToolsX1(rDy
Source: checklist pdf.exe, 00000003.00000002.510666524.0000000006600000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: checklist pdf.exe, 00000003.00000002.510666524.0000000006600000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: vmwareX1(r{~
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: VMware \|9(r
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp	Binary or memory string: (r&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1(r
Source: checklist pdf.exe, 00000003.00000003.256504161.0000000001209000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: checklist pdf.exe, 00000003.00000002.510666524.0000000006600000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\checklist pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: PUalpOJIfJW.exe.0.dr, Utilities/GlobalKeyboardHook.cs	Reference to suspicious API methods: ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 0.0.checklist pdf.exe.2f0000.0.unpack, Utilities/GlobalKeyboardHook.cs	Reference to suspicious API methods: ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 0.2.checklist pdf.exe.2f0000.0.unpack, Utilities/GlobalKeyboardHook.cs	Reference to suspicious API methods: ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 3.2.checklist pdf.exe.a00000.1.unpack, Utilities/GlobalKeyboardHook.cs	Reference to suspicious API methods: ('LoadLibrary', 'LoadLibrary@kernel32.dll')
Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs	Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\checklist pdf.exe

Memory written: C:\Users\user\Desktop\checklist pdf.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\checklist pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Process created: C:\Users\user\Desktop\checklist pdf.exe {path}			Jump to behavior

Source: checklist pdf.exe, 00000003.00000003.256504161.0000000001209000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: checklist pdf.exe, 00000003.00000002.503557397.00000000017A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: checklist pdf.exe, 00000003.00000002.503557397.00000000017A0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: checklist pdf.exe, 00000003.00000002.503557397.00000000017A0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: checklist pdf.exe, 00000003.00000002.507713873.000000000343B000.00000004.00000001.sdmp	Binary or memory string: Program Manager0
Source: checklist pdf.exe, 00000003.00000002.503557397.00000000017A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: checklist pdf.exe, 00000003.00000002.503557397.00000000017A0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\checklist pdf.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report checklist pdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection: