Analysis Report DES_ Holdings Ltd - products listing.exe

Overview

General Information

Sample Name: DES_ Holdings Ltd - products listing.exe
Analysis ID: 336710
MD5: f88e81d7f208b4ebca34ae5f1f032d0f
SHA1: 4da7041d786ebc59dfb33eec1196c1ae2cc94f89
SHA256: 9fd3eec622da8536e22c164bbd05d80dada1003fadd07fd4800ced6c0579812c
Tags: exe, NanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Startup

  • System is w10x64
  • DES_ Holdings Ltd - products listing.exe (PID: 6520 cmdline: 'C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe' MD5: F88E81D7F208B4EBCA34AE5F1F032D0F)
    • schtasks.exe (PID: 976 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UgJYJdoaOfKgTb' /XML 'C:\Users\user\AppData\Local\Temp\tmp933B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["212.83.46.26"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000B.00000002.605354131.00000000030F1000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000B.00000002.610010923.0000000006340000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost

Unpacked PEs

Source | Rule | Description | Author | Strings
11.2.DES_ Holdings Ltd - products listing.exe.6340000.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
11.2.DES_ Holdings Ltd - products listing.exe.6340000.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe, ProcessId: 4812, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UgJYJdoaOfKgTb' /XML 'C:\Users\user\AppData\Local\Temp\tmp933B.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UgJYJdoaOfKgTb' /XML 'C:\Users\user\AppData\Local\Temp\tmp933B.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe', ParentImage: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe, ParentProcessId: 6520, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UgJYJdoaOfKgTb' /XML 'C:\Users\user\AppData\Local\Temp\tmp933B.tmp', ProcessId: 976

Signature Overview

AV Detection:

Found malware configuration
Source: DES_ Holdings Ltd - products listing.exe.4812.11.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["212.83.46.26"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\UgJYJdoaOfKgTb.exe | ReversingLabs: Detection: 13%
Multi AV Scanner detection for submitted file
Source: DES_ Holdings Ltd - products listing.exe | Virustotal: Detection: 30%
Source: DES_ Holdings Ltd - products listing.exe | ReversingLabs: Detection: 13%
Yara detected Nanocore RAT
Source: Yara match | File source: 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.605354131.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.602980109.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.608557876.0000000004139000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DES_ Holdings Ltd - products listing.exe PID: 4812, type: MEMORY
Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\UgJYJdoaOfKgTb.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DES_ Holdings Ltd - products listing.exe | Joe Sandbox ML: detected
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.unpack | Avira: Label: TR/NanoCore.fadte
Source: DES_ Holdings Ltd - products listing.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DES_ Holdings Ltd - products listing.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 212.83.46.26
Source: global traffic | TCP traffic: 192.168.2.7:49708 -> 212.83.46.26:4021
Source: Joe Sandbox View | ASN Name: TTMDE TTMDE
Source: unknown | TCP traffic detected without corresponding DNS query: 212.83.46.26
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.605354131.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.602980109.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.608557876.0000000004139000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DES_ Holdings Ltd - products listing.exe PID: 4812, type: MEMORY
Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.610010923.0000000006340000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.602980109.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000B.00000002.602980109.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.608557876.0000000004139000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: DES_ Holdings Ltd - products listing.exe PID: 4812, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: DES_ Holdings Ltd - products listing.exe PID: 4812, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.DES_ Holdings Ltd - products listing.exe.6340000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Code function: 11_2_017EE471
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Code function: 11_2_017EE480
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Code function: 11_2_017EBBD4
Source: DES_ Holdings Ltd - products listing.exe, 00000000.00000000.227595219.000000000096E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIClientChannelSink.exe4 vs DES_ Holdings Ltd - products listing.exe
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs DES_ Holdings Ltd - products listing.exe
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs DES_ Holdings Ltd - products listing.exe
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.609929125.00000000062D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs DES_ Holdings Ltd - products listing.exe
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.605354131.00000000030F1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs DES_ Holdings Ltd - products listing.exe
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.610212602.0000000006C70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs DES_ Holdings Ltd - products listing.exe
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000000.288113052.0000000000D3E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIClientChannelSink.exe4 vs DES_ Holdings Ltd - products listing.exe
Source: DES_ Holdings Ltd - products listing.exe | Binary or memory string: OriginalFilenameIClientChannelSink.exe4 vs DES_ Holdings Ltd - products listing.exe
Source: DES_ Holdings Ltd - products listing.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.610010923.0000000006340000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.610010923.0000000006340000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000B.00000002.602980109.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000B.00000002.602980109.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000B.00000002.608557876.0000000004139000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: DES_ Holdings Ltd - products listing.exe PID: 4812, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: DES_ Holdings Ltd - products listing.exe PID: 4812, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.DES_ Holdings Ltd - products listing.exe.6340000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.DES_ Holdings Ltd - products listing.exe.6340000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/5@0/2
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | File created: C:\Users\user\AppData\Roaming\UgJYJdoaOfKgTb.exe
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Mutant created: \Sessions\1\BaseNamedObjects\hEBKLHOBXbQI
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4472:120:WilError_01
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{3b0a05ab-e8be-49ea-960f-63681280e339}
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | File created: C:\Users\user\AppData\Local\Temp\tmp933B.tmp
Source: DES_ Holdings Ltd - products listing.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DES_ Holdings Ltd - products listing.exe | Virustotal: Detection: 30%
Source: DES_ Holdings Ltd - products listing.exe | ReversingLabs: Detection: 13%
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | File read: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe
Source: unknown | Process created: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe 'C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UgJYJdoaOfKgTb' /XML 'C:\Users\user\AppData\Local\Temp\tmp933B.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UgJYJdoaOfKgTb' /XML 'C:\Users\user\AppData\Local\Temp\tmp933B.tmp'
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Process created: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: DES_ Holdings Ltd - products listing.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DES_ Holdings Ltd - products listing.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: initial sample | Static PE information: section name: .text entropy: 7.45520893226
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | File created: \des_ holdings ltd - products listing.exe
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exeFile created: \des_ holdings ltd - products listing.exe
        Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exeFile created: C:\Users\user\AppData\Roaming\UgJYJdoaOfKgTb.exeJump to dropped file
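The entropy figures above (a .text section at 7.455 bits per byte, plus method names that are themselves high-entropy) are the static indicators behind the report's "software packing" and "obfuscated files" verdicts. What follows is an added example, not part of the Joe Sandbox report and not code from the sample: a stdlib-only Python routine that walks a PE section table and scores each section's 8-bit Shannon entropy. The 7.0 cut-off, the minimal PE skeleton and the fake section contents in demo() are assumptions for illustration; section_report() can be pointed at the bytes of a real file to get the per-section figures.

```python
"""Per-section entropy scoring of the kind behind a sandbox's 'high entropy' indicator.

Added example; it is not part of the Joe Sandbox report and does not touch the analysed
sample. The PE skeleton built by build_fake_pe() and the section contents in demo() are
constructed test data.
"""
import math
import random
import struct
from collections import Counter

PACKED_THRESHOLD = 7.0  # bits per byte; a common rule of thumb, assumed here, not from the report


def shannon_entropy(data: bytes) -> float:
    """Return the 8-bit Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(pe: bytes):
    """Yield (name, raw_bytes) for every entry in a PE image's section table.

    Walks DOS header -> e_lfanew -> PE signature -> COFF header -> section headers and
    decodes only the fields needed to locate each section's raw data on disk.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]   # COFF.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]      # COFF.SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        hdr = table + i * 40                                   # each header is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        yield name, pe[ptr_raw:ptr_raw + size_raw]


def section_report(pe: bytes, threshold: float = PACKED_THRESHOLD) -> list:
    """Score every section; 'suspicious' marks entropy at or above the threshold."""
    out = []
    for name, data in pe_sections(pe):
        h = shannon_entropy(data)
        out.append({"section": name, "size": len(data),
                    "entropy": round(h, 4), "suspicious": h >= threshold})
    return out


def build_fake_pe(sections) -> bytes:
    """Constructed test input: a minimal PE skeleton (no optional header) wrapping the given
    (name, data) pairs. Enough for pe_sections() to parse; it is not a loadable image."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    head = bytes(dos) + b"PE\0\0" + coff
    data_off = len(head) + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(data), 0x1000,
                             len(data), data_off + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    return head + table + body


def demo() -> list:
    """Constructed sample: a pseudo-random '.text' (stands in for packed code) beside a
    plain '.rdata' holding window-class strings like those listed in the report."""
    rng = random.Random(1)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    plain = b"Program Manager\0Shell_TrayWnd\0Progman\0" * 100
    return section_report(build_fake_pe([(".text", packed), (".rdata", plain)]))


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A section near 8.0 bits per byte is indistinguishable from random data, which is what compressed or encrypted payloads look like; genuine x86/.NET code usually lands well below 7.0, so a .text section at 7.455 is a reasonable reason to look for an unpacker stub, which the "Assembly::Load(System.Byte[])" call above supplies.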

        Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UgJYJdoaOfKgTb' /XML 'C:\Users\user\AppData\Local\Temp\tmp933B.tmp'

        Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | File opened: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Process information set: NOOPENFILEERRORBOX (reported 70 times)
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Thread delayed: delay time: 922337203685477 (reported twice)
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Window / User API: threadDelayed 4518
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Window / User API: threadDelayed 4984
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Window / User API: foregroundWindowGot 1253
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Window / User API: foregroundWindowGot 416
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe TID: 6524 | Thread sleep time: -52026s >= -30000s
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe TID: 6540 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe TID: 6604 | Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.610212602.0000000006C70000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.610212602.0000000006C70000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.610212602.0000000006C70000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000003.375375617.0000000001478000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.610212602.0000000006C70000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Process token adjusted: Debug (reported twice)
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Memory written: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UgJYJdoaOfKgTb' /XML 'C:\Users\user\AppData\Local\Temp\tmp933B.tmp'
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Process created: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.605168447.0000000001BC0000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.608493846.00000000036BA000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.605168447.0000000001BC0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.605168447.0000000001BC0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.606374110.000000000331C000.00000004.00000001.sdmp | Binary or memory string: Program Manager|$
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.605168447.0000000001BC0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Queries volume information: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe VolumeInformation
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Queries volume information: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe VolumeInformation
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
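The events in this and the preceding sections (schtasks /Create with an /XML file in the user's Temp folder, the Zone.Identifier stream opened with delete access, an MZ header written at base 0x400000 into a freshly created copy of the same executable, and a second .exe dropped under AppData\Roaming) are each weak on their own; together they carry the verdict. The following is an added example, not from the report or the sample: Python that runs pattern rules over constructed event lines of the same shape and parses a constructed Task Scheduler XML of the kind schtasks /XML imports (the real content of tmp933B.tmp is not on the page) to recover the task's action. The ATT&CK IDs in the rule labels are this example's own labelling, not the report's matrix, and the paths in the sample events are assumptions.

```python
"""Triage of sandbox behaviour lines plus the scheduled-task XML a sample imports.

Added example; not part of the Joe Sandbox report. EVENTS and TASK_XML are constructed
to mirror the shape of the report's entries. Technique IDs are this example's labelling.
"""
import re
import xml.etree.ElementTree as ET

# Constructed event lines modelled on the report's 'Source | Event' entries.
EVENTS = [
    r"Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' "
    r"/Create /TN 'Updates\UgJYJdoaOfKgTb' /XML 'C:\Users\user\AppData\Local\Temp\tmp933B.tmp'",
    r"File opened: C:\Users\user\Desktop\sample.exe:Zone.Identifier read attributes | delete",
    r"Memory written: C:\Users\user\Desktop\sample.exe base: 400000 value starts with: 4D5A",
    r"File created: C:\Users\user\AppData\Roaming\UgJYJdoaOfKgTb.exe",
    r"Process created: C:\Windows\System32\notepad.exe notepad.exe",   # benign control line
]

# Constructed task definition of the kind 'schtasks /Create /XML' imports. Real exports are
# UTF-16 with an XML declaration; feed those to the parser as bytes, not a decoded str.
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Updates\UgJYJdoaOfKgTb</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\UgJYJdoaOfKgTb.exe</Command></Exec>
  </Actions>
</Task>"""

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# (label, pattern) pairs; each encodes one of the behaviours the report flags.
RULES = [
    ("T1053.005 scheduled task imported from an XML file in a Temp folder",
     re.compile(r"schtasks\.exe.*?/create.*?/xml\s+'?[^']*\\temp\\", re.I)),
    ("T1553.005 Zone.Identifier stream opened for delete (mark-of-the-web removed)",
     re.compile(r":Zone\.Identifier\b.*\bdelete\b", re.I)),
    ("T1055.012 MZ header written at image base 0x400000 of another process (hollowing)",
     re.compile(r"Memory written:.*\bbase:\s*400000\b.*\bvalue starts with:\s*4D5A\b", re.I)),
    ("executable dropped under AppData\\Roaming (persistence staging)",
     re.compile(r"File created:.*\\AppData\\Roaming\\[^\\]+\.exe$", re.I)),
]

# Locations an unprivileged user can write to; a task action living there is a red flag.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\[^\\]+\\Desktop)\\", re.I)


def parse_task_xml(xml_text: str) -> dict:
    """Pull the fields an analyst wants from a Task Scheduler definition."""
    root = ET.fromstring(xml_text)
    triggers = root.find("t:Triggers", TASK_NS)
    return {
        "uri": root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS),
        "command": root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS),
        "arguments": root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=TASK_NS),
        "triggers": [] if triggers is None else [t.tag.split("}")[-1] for t in triggers],
    }


def triage(events, task_xml: str = None) -> list:
    """Return (label, evidence) findings for matching events and for the task's action."""
    findings = [(label, ev) for ev in events for label, rx in RULES if rx.search(ev)]
    if task_xml is not None:
        task = parse_task_xml(task_xml)
        if USER_WRITABLE.search(task["command"]):
            findings.append(("scheduled task runs a binary from a user-writable path",
                             f'{task["uri"]} -> {task["command"]} {task["arguments"]}'.rstrip()))
    return findings


if __name__ == "__main__":
    for label, evidence in triage(EVENTS, TASK_XML):
        print(f"[{label}]\n    {evidence}")
```

On a live host the same checks translate to: list tasks under the \Updates\ folder and compare each Exec/Command against user-writable paths, and treat a schtasks command line whose /XML argument points into %TEMP% as the trigger for that review, since a legitimate installer rarely registers its task from a temp file the user's own process just wrote.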

        Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.605354131.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.602980109.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.608557876.0000000004139000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DES_ Holdings Ltd - products listing.exe PID: 4812, type: MEMORY
Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

Detected Nanocore Rat
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: DES_ Holdings Ltd - products listing.exe, 0000000B.00000002.605354131.00000000030F1000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match | File source: 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.605354131.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.602980109.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.608557876.0000000004139000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DES_ Holdings Ltd - products listing.exe PID: 4812, type: MEMORY
Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.raw.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

Digits in parentheses after a technique are the report's signature hit-count markers for that technique, reproduced as they appear; techniques without digits were not observed in this analysis.

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
| Valid Accounts | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Process Injection (112) | Masquerading (1) | Input Capture (11) | Security Software Discovery (111) | Remote Services | Input Capture (11) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Scheduled Task/Job (1) | Virtualization/Sandbox Evasion (3) | LSASS Memory | Virtualization/Sandbox Evasion (3) | Remote Desktop Protocol | Archive Collected Data (11) | Exfiltration Over Bluetooth | Non-Standard Port (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools (1) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (112) | NTDS | Application Window Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (1) | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information (1) | LSA Secrets | File and Directory Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories (1) | Cached Domain Credentials | System Information Discovery (12) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information (1) | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing (12) | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |

Behavior Graph

(interactive process graph not reproduced in this text export)

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

Source | Detection | Scanner | Label
DES_ Holdings Ltd - products listing.exe | 31% | Virustotal |
DES_ Holdings Ltd - products listing.exe | 13% | ReversingLabs | Win32.Trojan.Wacatac
DES_ Holdings Ltd - products listing.exe | 100% | Joe Sandbox ML |

        Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\UgJYJdoaOfKgTb.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\UgJYJdoaOfKgTb.exe | 13% | ReversingLabs | Win32.Trojan.Wacatac

        Unpacked PE Files

Source | Detection | Scanner | Label
11.2.DES_ Holdings Ltd - products listing.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
11.2.DES_ Holdings Ltd - products listing.exe.63e0000.5.unpack | 100% | Avira | TR/NanoCore.fadte

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

        No contacted domains info

        Contacted IPs


        Public

IP | Domain | Country | ASN | ASN Name | Malicious
212.83.46.26 | unknown | Germany | 47447 | TTMDE | true

        Private

        IP
        127.0.0.1

        General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 336710
Start date: 06.01.2021
Start time: 17:51:49
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 26s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: DES_ Holdings Ltd - products listing.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 26
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@6/5@0/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.9% (good quality ratio 0.4%)
• Quality average: 30.8%
• Quality standard deviation: 34.5%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

        Simulations

        Behavior and APIs

Time | Type | Description
17:52:58 | API Interceptor | 1297x Sleep call for process: DES_ Holdings Ltd - products listing.exe modified

        Joe Sandbox View / Context

        IPs

Match | Associated Sample Name / URL | Detection
212.83.46.26 | DES_ Holdings Ltd - products listing.exe | malicious

          Domains

          No context

          ASN

Match: TTMDE

Associated Sample Name / URL | Detection | Context (IP)
DES_ Holdings Ltd - products listing.exe | malicious | 212.83.46.26
https://wearemondaymorning.com/?email=alabdullaah@qcb.gov.qa | malicious | 91.216.248.23
https://u5827342.ct.sendgrid.net/ls/click?upn=ZYh6DIqA4xFmr84ZswpQ4c7ONXu2767hYXZwjBnWOY1JkdxAPQD-2Fy87STH2Xf5tCCv1Cfr7SK5QugA1gtf5hkg-3D-3Dr4Nw_DjWowFHgGKgaKR9KzEYTR3nC3p1AWGbaYDP6e93ZAEhNXUTlygFT7vEfeXJ-2FNinzoSEU8wjkiLZ-2Bj7exG0PiN7C92INCv5B1zQa4g83-2Ba0GFHBdwZkJ1voppTs162kZzXHlYGblxkHafYbaoPEnOE3v4nRdYqpT6uzb2BlJNElCCZ2m51yxYwgCwRvlrdJPPvzbuawtl4F-2B3DK6fR-2B-2BXI9P5zbvVuxMdWkFA2kHjw8I-3D | malicious | 185.88.212.176
http://particulares-personas.casacam.net | malicious | 86.106.131.146
1.12.2018.js | malicious | 62.113.241.182
LAZZARO - DICHIARAZIONE NUOVO DI FABBRICA FT.610.vbs | malicious | 185.212.44.165
2018-12-10-Dridex-retrieved-by-Ursnif-infected-host.exe | malicious | 185.158.251.55
430#U0437.js | malicious | 86.105.5.133
dropper.vbs | malicious | 185.212.47.162
24Faktura-2018_10_03_PDF.exe | malicious | 86.105.5.133
ttcv.exe | malicious | 62.113.206.33
968.exe | malicious | 185.212.44.188
bDFXsuH7Y.exe | malicious | 185.212.44.197
http://demo2.aurorapro.co/Download/US_us/Invoice-for-you&amp;data=02|01||447072d204914f25042208d6077443fb|1a407a2d76754d178692b3ac285306e4|0|0|636704593269411757&amp;sdata=1bJ9B7e/nHSkZxTPSrTtNw1nYhl4ZkhcBHYLd4Noe44=&amp;reserved=0 | malicious | 62.113.194.2
Magnoliaenergyservices_Inquiry.doc | malicious | 185.212.44.114
Magnoliaenergyservices_Inquiry.doc | malicious | 185.212.44.114
Don_Callahan_Statement.doc | malicious | 185.212.44.114
dana.exe | malicious | 185.212.44.188
Request.doc | malicious | 185.212.44.192
Request.doc | malicious | 185.212.44.192

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DES_ Holdings Ltd - products listing.exe.log
          Process:C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe
          File Type:ASCII text, with CRLF line terminators
          Category:modified
          Size (bytes):1314
          Entropy (8bit):5.350128552078965
          Encrypted:false
          SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
          MD5:1DC1A2DCC9EFAA84EABF4F6D6066565B
          SHA1:B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
          SHA-256:28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
          SHA-512:95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
          Malicious:true
          Reputation:high, very likely benign file
          Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
          C:\Users\user\AppData\Local\Temp\tmp933B.tmp
          Process:C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):1663
          Entropy (8bit):5.1803883907180115
          Encrypted:false
          SSDEEP:24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB2tn:cbhH7MlNQ8/rydbz9I3YODOLNdq3u
          MD5:E4794214782243EDC33DF293621136FA
          SHA1:7C776E3B82E32C04FCB5779A47A106CAFEAE92AA
          SHA-256:B5FBE1899DB293730EA34618001AEFE03ED3EE1A0503139FD16A03C2CEC619EC
          SHA-512:8B63BA348E0ECC6636475E60FFDC569A0318713A8BD9E5B1F25387C13BF0702A3F5222517818500D74238E00C05ACC726E2891C45354069A8A98C62ED5A11F42
          Malicious:true
          Reputation:low
          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv
          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
          Process:C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe
          File Type:ISO-8859 text, with no line terminators
          Category:dropped
          Size (bytes):8
          Entropy (8bit):3.0
          Encrypted:false
          SSDEEP:3:NJb:Hb
          MD5:C2C6E1222E610AA323D9597E281A2D56
          SHA1:C220F2C305C40E82E42F9BC50F16272FB84E3310
          SHA-256:FAEAECD3D06E9B34911353BD30297341151A746A311795B35EC8DB1D2267D167
          SHA-512:8C6A750FF8A56055249346B73AB380E15CD7C3205C1D2C6F95BF2A25096F44FADFD848779A2743B6E20583F205D56A6D23E7DE3FFDABAD956395B9B674C22996
          Malicious:true
          Reputation:low
          Preview: .1.....H
          C:\Users\user\AppData\Roaming\UgJYJdoaOfKgTb.exe
          Process:C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe
          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Category:dropped
          Size (bytes):1043968
          Entropy (8bit):7.356839656807373
          Encrypted:false
          SSDEEP:24576:SVTJysf9VhvhSCH0+W5AGl5qPim5PpmmAWB:Af31Uf5if5PXv
          MD5:F88E81D7F208B4EBCA34AE5F1F032D0F
          SHA1:4DA7041D786EBC59DFB33EEC1196C1AE2CC94F89
          SHA-256:9FD3EEC622DA8536E22C164BBD05D80DADA1003FADD07FD4800CED6C0579812C
          SHA-512:A794F4663C05A52321938EFFD29BFFF27214F400F3F838C94210D63729EE506C453C230DF0D2BDC57814EFF398049D865AE893980D9BDB070D0B608D9282FD62
          Malicious:true
          Antivirus:
          • Antivirus: Joe Sandbox ML, Detection: 100%
          • Antivirus: ReversingLabs, Detection: 13%
          Reputation:low
          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....e._..............P......8........... ........@.. .......................@............@.....................................W........6................... ....................................................... ............... ..H............text...$.... ...................... ..`.rsrc....6.......6..................@..@.reloc....... ......................@..B........................H...........@............I..............................................0..#.......+.&...(....(..........(.....o.....*..................0..........+.&..8......8.....+5..ia.+...`a...kYE................M......+......&...+......+...eYE................)...7...?...H...b...w..........+.+....+...(......8y.....(.......8j.....(......8\......8T.......8K.....(....+.(....85.....81........&+..8......8........8....*...0..........+.&...+C..ja.+..._a8......jX+T.e(.....+...fYE........O...e..
          C:\Users\user\AppData\Roaming\UgJYJdoaOfKgTb.exe:Zone.Identifier
          Process:C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):26
          Entropy (8bit):3.95006375643621
          Encrypted:false
          SSDEEP:3:ggPYV:rPYV
          MD5:187F488E27DB4AF347237FE461A079AD
          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
          Malicious:true
          Reputation:high, very likely benign file
          Preview: [ZoneTransfer]....ZoneId=0

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
          Entropy (8bit):7.356839656807373
          TrID:
          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          • Win32 Executable (generic) a (10002005/4) 49.78%
          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
          • Generic Win/DOS Executable (2004/3) 0.01%
          • DOS Executable Generic (2002/1) 0.01%
          File name:DES_ Holdings Ltd - products listing.exe
          File size:1043968
          MD5:f88e81d7f208b4ebca34ae5f1f032d0f
          SHA1:4da7041d786ebc59dfb33eec1196c1ae2cc94f89
          SHA256:9fd3eec622da8536e22c164bbd05d80dada1003fadd07fd4800ced6c0579812c
          SHA512:a794f4663c05a52321938effd29bfff27214f400f3f838c94210d63729ee506c453c230df0d2bdc57814eff398049d865ae893980d9bdb070d0b608d9282fd62
          SSDEEP:24576:SVTJysf9VhvhSCH0+W5AGl5qPim5PpmmAWB:Af31Uf5if5PXv
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....e._..............P......8........... ........@.. .......................@............@................................

          File Icon

          Icon Hash:00a275154a880000

          Static PE Info

          General

          Entrypoint:0x4ed31e
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Time Stamp:0x5FF565C2 [Wed Jan 6 07:24:50 2021 UTC]
          TLS Callbacks:
          CLR (.Net) Version:v4.0.30319
          OS Version Major:4
          OS Version Minor:0
          File Version Major:4
          File Version Minor:0
          Subsystem Version Major:4
          Subsystem Version Minor:0
          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

          Entrypoint Preview

          Instruction
          jmp dword ptr [00402000h]

          Data Directories

          Name                                 | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xed2c4         | 0x57         | .text
          IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xee000         | 0x13600      | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x102000        | 0xc          | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
          IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

          Sections

          Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy        | Characteristics
          .text  | 0x2000          | 0xeb324      | 0xeb400  | False    | 0.697449314227  | data      | 7.45520893226  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          .rsrc  | 0xee000         | 0x13600      | 0x13600  | False    | 0.208543346774  | data      | 4.32755744619  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0x102000        | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

          Resources

          Name          | RVA      | Size    | Type                                                                          | Language | Country
          RT_ICON       | 0xee160  | 0x10828 | data                                                                          |          |
          RT_ICON       | 0xfe988  | 0x25b5  | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                   |          |
          RT_GROUP_ICON | 0x100f40 | 0x22    | data                                                                          |          |
          RT_VERSION    | 0x100f64 | 0x346   | data                                                                          |          |
          RT_MANIFEST   | 0x1012ac | 0x1ea   | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators   |          |

          Imports

          DLL         | Import
          mscoree.dll | _CorExeMain

          Version Infos

          Description      | Data
          Translation      | 0x0000 0x04b0
          LegalCopyright   | Saga 2019 (C)
          Assembly Version | 4.0.31.4
          InternalName     | IClientChannelSink.exe
          FileVersion      | 4.0.31.4
          CompanyName      |
          LegalTrademarks  |
          Comments         |
          ProductName      | PANCHAYAT
          ProductVersion   | 4.0.31.4
          FileDescription  | PANCHAYAT
          OriginalFilename | IClientChannelSink.exe

          Network Behavior

          Network Port Distribution

          TCP Packets


          Code Manipulations

          Statistics

          Behavior

          System Behavior

          General

          Start time:17:52:37
          Start date:06/01/2021
          Path:C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe
          Wow64 process (32bit):true
          Commandline:'C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe'
          Imagebase:0x870000
          File size:1043968 bytes
          MD5 hash:F88E81D7F208B4EBCA34AE5F1F032D0F
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Reputation:low

          General

          Start time:17:53:04
          Start date:06/01/2021
          Path:C:\Windows\SysWOW64\schtasks.exe
          Wow64 process (32bit):true
          Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\UgJYJdoaOfKgTb' /XML 'C:\Users\user\AppData\Local\Temp\tmp933B.tmp'
          Imagebase:0xa20000
          File size:185856 bytes
          MD5 hash:15FF7D8324231381BAD48A052F85DF04
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:17:53:05
          Start date:06/01/2021
          Path:C:\Windows\System32\conhost.exe
          Wow64 process (32bit):false
          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Imagebase:0x7ff774ee0000
          File size:625664 bytes
          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:high

          General

          Start time:17:53:05
          Start date:06/01/2021
          Path:C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe
          Wow64 process (32bit):true
          Commandline:C:\Users\user\Desktop\DES_ Holdings Ltd - products listing.exe
          Imagebase:0xc40000
          File size:1043968 bytes
          MD5 hash:F88E81D7F208B4EBCA34AE5F1F032D0F
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:.Net C# or VB.NET
          Yara matches:
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.610060366.00000000063E0000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.605354131.00000000030F1000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.610010923.0000000006340000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.610010923.0000000006340000.00000004.00000001.sdmp, Author: Florian Roth
          • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 0000000B.00000002.602980109.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.602980109.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.602980109.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.608557876.0000000004139000.00000004.00000001.sdmp, Author: Joe Security
          • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.608557876.0000000004139000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
          Reputation:low
