Joe Sandbox version: 31.0.0 Red Diamond
IR
Analysis ID: 336532
Product: CloudBasic
Start time: 09:25:12
Start date: 06/01/2021
Sample file name: DHL_file 187652345643476245.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Platform: WINDOWS
Sample MD5: 303e92008ea45abde4fc35d8d176015d
Sample SHA1: 29ff646c7c04a2be614bdbe87f73df87add78dda
Sample SHA256: c4dbec4c0df381cee21c2ba0d6105b0f7310c8f108e66e078df0ad4803148fb6
File type (TrID): Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Detection: malicious true, suspicious false, clean false, unknown false
Score: 100 (range 0 to 100)
Confidence: 5 (range 0 to 5)
Whitelisted: false
Dropped files (path, malicious flag, MD5, SHA1, SHA256):

Path: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_file 187652345643476245.exe.log
Malicious: true
MD5: 06F54CDBFEF62849AF5AE052722BD7B6
SHA1: FB0250AAC2057D0B5BCE4CE130891E428F28DA05
SHA256: 4C039B93A728B546F49C47ED8B448D40A3553CDAABB147067AEE3958133CB446

Path: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\watchprcss.exe.log
Malicious: false
MD5: 1249251E90A1C28AB8F7235F30056DEB
SHA1: 166BA6B64E9B0D9BA7B856334F7D7EC027030BA1
SHA256: B5D65BF3581136CD5368BC47FA3972E06F526EED407BC6571D11D9CD4B5C4D83

Path: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Malicious: true
MD5: F2A47587431C466535F3C3D3427724BE
SHA1: 90DF719241CE04828F0DD4D31D683F84790515FF
SHA256: 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B

Path: C:\Users\user\AppData\Local\Temp\watchprcss.exe
Malicious: false
MD5: 0E362E7005823D0BEC3719B902ED6D62
SHA1: 590D860B909804349E0CDC2F1662B37BD62F7463
SHA256: 2D0DC6216F613AC7551A7E70A798C22AEE8EB9819428B1357E2B8C73BEF905AD

Path: C:\Users\user\AppData\Local\Temp\watchprcss.txt
Malicious: false
MD5: 6D53BAE6990F1C3A4F4D9729A9F99D73
SHA1: AE73ED5B42B48B09A728BC716F690ABDE5EFDE28
SHA256: CAA78D20B309DFB63A791BBEB7396CF8632C02839D432751A670EE233257665B

Path: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Malicious: true
MD5: 33EE0B6F6D13E4D20830C3D041CA8765
SHA1: E5BF757840F0F7FD17E548BB901B03037AB1DCF8
SHA256: 3610AFA3FFB6D11775498D942115542E0A80D0CF644D6DD6849BDD0506095165

Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demiusda.lnk
Malicious: false
MD5: 74F0FF8019BFD75A8B5FCAFE358F46AF
SHA1: CEE790BEE58C06B1093988D86E1162309435D362
SHA256: 7D9DD5D1A15A1F7DD748116AA608DEC866F46CDBF2DE363EBAF16D3D66A23CF3

Path: C:\Users\user\AppData\Roaming\demiusda.exe (MD5, SHA1 and SHA256 are identical to the submitted sample)
Malicious: true
MD5: 303E92008EA45ABDE4FC35D8D176015D
SHA1: 29FF646C7C04A2BE614BDBE87F73DF87ADD78DDA
SHA256: C4DBEC4C0DF381CEE21C2BA0D6105B0F7310C8F108E66E078DF0AD4803148FB6

Path: C:\Users\user\AppData\Roaming\demiusda.exe:Zone.Identifier
Malicious: true
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
Contacted IPs: 185.157.160.233, 192.168.2.1, 105.112.113.90
Domain: annapro.linkpc.net (malicious flag: false; listed with IP 105.112.113.90)
Signatures:
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Writes to foreign memory regions
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected AntiVM_3
Yara detected Nanocore RAT
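The report above is a flat list of indicators; turning it into something a responder can hunt with means normalising the hashes (the report prints the sample hash in lower case and the dropped-file hashes in upper case), spotting that demiusda.exe is a byte-identical copy of the submitted sample, tagging each dropped path with the behaviour it evidences (Startup-folder .lnk, executable under %APPDATA%, GUID-named Roaming directory, Temp drop, Zone.Identifier stream), and dropping the sandbox's own gateway from the network IOCs. The following script is an added example written by the editor, not code from the report or from Joe Sandbox. The paths, hashes, IPs and domain are transcribed from the report; the path-pattern rules, the behaviour tag names and the choice to filter non-global addresses are assumptions made here for illustration.

```python
"""Triage of the IOCs in the Joe Sandbox report above.

Added example by the editor, not code from the report or from Joe Sandbox.
Paths, hashes, IPs and the domain are transcribed from the report; the
path-pattern rules and the "ignore non-global IPs" choice are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DroppedFile:
    path: str
    sha256: str


# Submitted sample SHA256 as printed in the report (lower case there).
SAMPLE_SHA256 = "c4dbec4c0df381cee21c2ba0d6105b0f7310c8f108e66e078df0ad4803148fb6"

# Dropped files transcribed from the report. The report prints these hashes
# in upper case, so every comparison below normalises case first.
DROPPED = [
    DroppedFile(r"C:\Users\user\AppData\Local\Temp\AddInProcess32.exe",
                "23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B"),
    DroppedFile(r"C:\Users\user\AppData\Local\Temp\watchprcss.exe",
                "2D0DC6216F613AC7551A7E70A798C22AEE8EB9819428B1357E2B8C73BEF905AD"),
    DroppedFile(r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat",
                "3610AFA3FFB6D11775498D942115542E0A80D0CF644D6DD6849BDD0506095165"),
    DroppedFile(r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demiusda.lnk",
                "7D9DD5D1A15A1F7DD748116AA608DEC866F46CDBF2DE363EBAF16D3D66A23CF3"),
    DroppedFile(r"C:\Users\user\AppData\Roaming\demiusda.exe",
                "C4DBEC4C0DF381CEE21C2BA0D6105B0F7310C8F108E66E078DF0AD4803148FB6"),
    DroppedFile(r"C:\Users\user\AppData\Roaming\demiusda.exe:Zone.Identifier",
                "255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309"),
]

# Network indicators transcribed from the report. 192.168.2.1 is the analysis
# network's gateway and is filtered out by external_ips().
CONTACTED_IPS = ["185.157.160.233", "192.168.2.1", "105.112.113.90"]
DOMAINS = ["annapro.linkpc.net"]

# Path-pattern rules (editor's assumptions). Order matters: the ADS rule runs
# first because an ADS path such as "...\demiusda.exe:Zone.Identifier" would
# otherwise be mis-tagged by a looser rule.
_RULES = [
    ("ads_zone_identifier", re.compile(r":Zone\.Identifier$", re.I)),
    ("startup_folder_lnk", re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)),
    ("roaming_executable", re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.I)),
    ("roaming_guid_dir", re.compile(r"\\AppData\\Roaming\\[0-9A-F-]{36}\\", re.I)),
    ("temp_executable", re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)),
]


def classify(path: str) -> Optional[str]:
    """Return the first matching behaviour tag for a dropped-file path, or None."""
    for tag, rx in _RULES:
        if rx.search(path):
            return tag
    return None


def self_copies(dropped: List[DroppedFile], sample_sha256: str) -> List[str]:
    """Paths of dropped files that are byte-identical to the submitted sample."""
    want = sample_sha256.strip().lower()
    return [d.path for d in dropped if d.sha256.strip().lower() == want]


def external_ips(ips: List[str]) -> List[str]:
    """Keep only globally routable addresses (drops the sandbox gateway)."""
    return [ip for ip in ips if ipaddress.ip_address(ip).is_global]


def hunting_list(dropped: List[DroppedFile] = DROPPED, ips: List[str] = CONTACTED_IPS,
                 domains: List[str] = DOMAINS, sample_sha256: str = SAMPLE_SHA256) -> Dict:
    """Build a hunting package: normalised hashes, self-copies, behaviours, net IOCs."""
    return {
        "sha256": sorted({d.sha256.lower() for d in dropped} | {sample_sha256.lower()}),
        "self_copies": self_copies(dropped, sample_sha256),
        "behaviours": {d.path: classify(d.path) for d in dropped},
        "ips": external_ips(ips),
        "domains": list(domains),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(hunting_list(), indent=2))
```

Running the script prints the hunting package as JSON; the self_copies entry is what ties the %APPDATA% executable back to the submitted file regardless of how each tool cased its hashes, and the behaviours map is the part worth feeding into an EDR query (Startup-folder .lnk plus an executable under %APPDATA% is the persistence pair to look for on other hosts).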