31.0.0 Red Diamond
IR
339042
CloudBasic
10:15:43
13/01/2021
order-181289654312464648.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
28da42c2cd57e51cb8ea7df263802924
81c980f2cda9b42b0b8bf50c7128cc88afd942fd
2d564ae361eb499ca493273e9fcfb88546105c88293c7633a7e1580a435cee9f
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fdexedxfuuyytwq.exe.log
false
1249251E90A1C28AB8F7235F30056DEB
166BA6B64E9B0D9BA7B856334F7D7EC027030BA1
B5D65BF3581136CD5368BC47FA3972E06F526EED407BC6571D11D9CD4B5C4D83
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order-181289654312464648.exe.log
true
06F54CDBFEF62849AF5AE052722BD7B6
FB0250AAC2057D0B5BCE4CE130891E428F28DA05
4C039B93A728B546F49C47ED8B448D40A3553CDAABB147067AEE3958133CB446
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
true
F2A47587431C466535F3C3D3427724BE
90DF719241CE04828F0DD4D31D683F84790515FF
23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe
false
0E362E7005823D0BEC3719B902ED6D62
590D860B909804349E0CDC2F1662B37BD62F7463
2D0DC6216F613AC7551A7E70A798C22AEE8EB9819428B1357E2B8C73BEF905AD
C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.txt
false
EACC6D9F7D6EFE25CB48137E7064F313
1E767634BE3B749B6549F3101A09E2715859558B
DBDFB40802DF3D9FA9923C7186586AEAB2985126EFB203E78A7CE2B53546F6D8
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
false
32D0AAE13696FF7F8AF33B2D22451028
EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
true
9DCCFC1428F275A4E2429AFEA104655B
4C4AAC284536CFB553FEBE32DF9D4C8DAEB47741
F8026D5E1B4CA4035C68C75F13026580B0A5B39CC6663D238FC92FD2D139D359
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
false
4E5E92E2369688041CC82EF9650EDED2
15E44F2F3194EE232B44E9684163B6F66472C862
F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
false
7E8F4A764B981D5B82D1CC49D341E9C6
D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdcgjhjyuyihdastagghejh.lnk
false
FB516F578D9499D6DB698AE541F8FCCB
E26C9B2F619BCD1216E1C17689392BAF50E202C9
7EA8400005E701A3C980DE2BAB4EE042A927863E50689A81F79BAEE90CCF72EA
C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe
true
28DA42C2CD57E51CB8EA7DF263802924
81C980F2CDA9B42B0B8BF50C7128CC88AFD942FD
2D564AE361EB499CA493273E9FCFB88546105C88293C7633A7E1580A435CEE9F
C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe:Zone.Identifier
true
187F488E27DB4AF347237FE461A079AD
6693BA299EC1881249D59262276A0D2CB21F8E64
255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
192.168.2.1
185.157.162.81
185.157.161.86
nanopc.linkpc.net
false
185.157.161.86
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
Detected Nanocore Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Yara detected Nanocore RAT