31.0.0 Red Diamond
IR
338654
CloudBasic
17:55:33
12/01/2021
Doc#6620200947535257653.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
6618b8298100d5fb25d23b498a33d492
bd61a9c97e54b031ae4eaeb7f69f2006454e1edc
96cdf96daea9002d2dcf31e5d37b7df4942ef6085209df1f6b269b9baca3e40a
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Doc#6620200947535257653.exe.log
true
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ffgfhfjftdghghrghse.exe.log
false
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
true
C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe
false
C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.txt
false
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
true
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjhgkuytgkgfgd.lnk
false
C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe
true
C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe:Zone.Identifier
true
185.157.160.233
192.168.2.1
105.112.106.128
annapro.linkpc.net
false
105.112.106.128
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
Detected Nanocore Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected Nanocore RAT