Analysis Report POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

Overview

General Information

Sample Name: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
Analysis ID: 355200
MD5: afcc0c7f6fadf41949e66c9325b9f843
SHA1: c1562634e7d393b54606731becad8d4d11fcba39
SHA256: 7dc65cb43a6491e7da09935a8e8d20c33873fc75e370b9a701aea0a660e85b80
Tags: exe, NanoCore, RAT

Detection

NanoCore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • POEA ADVISORY ON DELISTED AGENCIES.pdf.exe (PID: 2412 cmdline: 'C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe' MD5: AFCC0C7F6FADF41949E66C9325B9F843)
    • schtasks.exe (PID: 5592 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • POEA ADVISORY ON DELISTED AGENCIES.pdf.exe (PID: 3492 cmdline: {path} MD5: AFCC0C7F6FADF41949E66C9325B9F843)
      • schtasks.exe (PID: 5580 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA223.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • POEA ADVISORY ON DELISTED AGENCIES.pdf.exe (PID: 5904 cmdline: 'C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe' 0 MD5: AFCC0C7F6FADF41949E66C9325B9F843)
    • schtasks.exe (PID: 5704 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmp5650.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "c4cca249-81f6-4232-9f14-01569e09f5f0", "Group": "JANUARY", "Domain1": "shahzad73.casacam.net", "Domain2": "shahzad73.ddns.net", "Port": 9036, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4#=qs2bxKs15DbteFYTMsjthM8IIAMC9Avo9uFWUE1JbxpU=", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000012.00000002.327116738.0000000002E09000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x31577:$a: NanoCore
  • 0x315d0:$a: NanoCore
  • 0x3160d:$a: NanoCore
  • 0x31686:$a: NanoCore
  • 0x315d9:$b: ClientPlugin
  • 0x31616:$b: ClientPlugin
  • 0x31f14:$b: ClientPlugin
  • 0x31f21:$b: ClientPlugin
  • 0x276fa:$e: KeepAlive
  • 0x31a61:$g: LogClientMessage
  • 0x319e1:$i: get_Connected
  • 0x219ad:$j: #=q
  • 0x219dd:$j: #=q
  • 0x21a19:$j: #=q
  • 0x21a41:$j: #=q
  • 0x21a71:$j: #=q
  • 0x21aa1:$j: #=q
  • 0x21ad1:$j: #=q
  • 0x21b01:$j: #=q
  • 0x21b1d:$j: #=q
  • 0x21b4d:$j: #=q
00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0xfcf5:$a: NanoCore
    • 0xfd05:$a: NanoCore
    • 0xff39:$a: NanoCore
    • 0xff4d:$a: NanoCore
    • 0xff8d:$a: NanoCore
    • 0xfd54:$b: ClientPlugin
    • 0xff56:$b: ClientPlugin
    • 0xff96:$b: ClientPlugin
    • 0xfe7b:$c: ProjectData
    • 0x10882:$d: DESCrypto
    • 0x1824e:$e: KeepAlive
    • 0x1623c:$g: LogClientMessage
    • 0x12437:$i: get_Connected
    • 0x10bb8:$j: #=q
    • 0x10be8:$j: #=q
    • 0x10c04:$j: #=q
    • 0x10c34:$j: #=q
    • 0x10c50:$j: #=q
    • 0x10c6c:$j: #=q
    • 0x10c9c:$j: #=q
    • 0x10cb8:$j: #=q
00000012.00000002.327064470.0000000002DD1000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2e39798.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0xe75:$x1: NanoCore.ClientPluginHost
      • 0xe8f:$x2: IClientNetworkHost
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2e39798.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
      • 0xe75:$x2: NanoCore.ClientPluginHost
      • 0x1261:$s3: PipeExists
      • 0x1136:$s4: PipeCreated
      • 0xeb0:$s5: IClientLoggingHost
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0xf7ad:$x1: NanoCore.ClientPluginHost
      • 0x287a1:$x1: NanoCore.ClientPluginHost
      • 0xf7da:$x2: IClientNetworkHost
      • 0x287ce:$x2: IClientNetworkHost
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
      • 0xf7ad:$x2: NanoCore.ClientPluginHost
      • 0x287a1:$x2: NanoCore.ClientPluginHost
      • 0x10888:$s4: PipeCreated
      • 0x2987c:$s4: PipeCreated
      • 0xf7c7:$s5: IClientLoggingHost
      • 0x287bb:$s5: IClientLoggingHost
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, ProcessId: 3492, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe' , ParentImage: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, ParentProcessId: 2412, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp', ProcessId: 5592
Sigma detected: Suspicious Double Extension
Source: Process started | Author: Florian Roth (rule), @blu3_team (idea) | Data: Command: {path}, CommandLine: {path}, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, NewProcessName: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, OriginalFileName: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe' , ParentImage: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, ParentProcessId: 2412, ProcessCommandLine: {path}, ProcessId: 3492

Signature Overview

AV Detection:

Found malware configuration
Source: 00000012.00000002.327116738.0000000002E09000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "c4cca249-81f6-4232-9f14-01569e09f5f0", "Group": "JANUARY", "Domain1": "shahzad73.casacam.net", "Domain2": "shahzad73.ddns.net", "Port": 9036, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4#=qs2bxKs15DbteFYTMsjthM8IIAMC9Avo9uFWUE1JbxpU=", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Yara detected Nanocore RAT
Source: Yara match | File source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.327064470.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.327179644.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e24c4d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\gVFZdFg.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Joe Sandbox ML: detected
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49704 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49706 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49707 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49708 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49709 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49710 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49711 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49712 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49713 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49714 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49715 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49716 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49717 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49718 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49719 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49720 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49721 -> 91.212.153.84:9036
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: shahzad73.ddns.net
Source: Malware configuration extractor | URLs: shahzad73.casacam.net
Source: global traffic | TCP traffic: 192.168.2.3:49704 -> 91.212.153.84:9036
Source: Joe Sandbox View | IP Address: 91.212.153.84
Source: Joe Sandbox View | ASN Name: MYLOC-ASIPBackboneofmyLocmanagedITAGDE
Source: unknown | DNS traffic detected: queries for: shahzad73.casacam.net
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.206587822.00000000063F2000.00000004.00000001.sdmp | String found in binary or memory: http://en.wB$
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.209891258.0000000006426000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.210240222.00000000063E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com5
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.210240222.00000000063E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.261954858.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comFB
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.209218281.00000000063E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comFM
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.261954858.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.210240222.00000000063E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comals
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.210240222.00000000063E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcomd
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.261954858.00000000063E0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comgrito
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.210240222.00000000063E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comue
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.210240222.00000000063E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comueTF
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.205634366.00000000063E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cned
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.205634366.00000000063E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnemM
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.211063461.00000000063E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207101535.00000000063E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207101535.00000000063E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/5
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207384617.00000000063E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/M
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207384617.00000000063E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207101535.00000000063E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/_
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207101535.00000000063E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/es-e
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207101535.00000000063E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207384617.00000000063E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207384617.00000000063E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/5
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207101535.00000000063E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/o
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207384617.00000000063E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/q
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207384617.00000000063E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/va
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207101535.00000000063E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/vno
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.286188722.000000000C020000.00000002.00000001.sdmp, POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.327064470.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.327179644.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e24c4d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack, type: UNPACKEDPE

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)
        Source: 00000012.00000002.327116738.0000000002E09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000012.00000002.327179644.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000004.00000003.300424422.0000000004893000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2e39798.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2dfcd94.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b6297.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.489c23e.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e24c4d.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b6297.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b0869.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.489c23e.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Initial sample is a PE file and has a suspicious name
        Source: initial sample | Static PE information: Filename: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 0_2_00F72050
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 0_2_01AACBBC
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 0_2_01AAEB20
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 0_2_01AAEB30
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_00EB2050
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_030BEB20
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_030BEB30
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_030BCBBC
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_057FF008
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_057FEFF7
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 18_2_008D2050
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 18_2_0529E471
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 18_2_0529E480
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 18_2_0529BBD4
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 18_2_053FF5F8
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 18_2_053F9788
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 18_2_053FA5D0
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: gVFZdFg.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Binary or memory string: OriginalFilename vs POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000000.200168393.0000000000F72000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameG vs POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Binary or memory string: OriginalFilename vs POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Binary or memory string: OriginalFilename vs POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 00000012.00000002.327116738.0000000002E09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000012.00000002.327179644.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000004.00000003.300424422.0000000004893000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2e39798.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2e39798.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2dfcd94.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2dfcd94.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b6297.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b6297.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.489c23e.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.489c23e.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e24c4d.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e24c4d.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b6297.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b0869.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.489c23e.0.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: gVFZdFg.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: classification engineClassification label: mal100.troj.evad.winEXE@15/11@17/1
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeFile created: C:\Users\user\AppData\Roaming\gVFZdFg.exeJump to behavior
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1380:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5596:120:WilError_01
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{c4cca249-81f6-4232-9f14-01569e09f5f0}
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeMutant created: \Sessions\1\BaseNamedObjects\uNbBKzF
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5528:120:WilError_01
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmpF515.tmpJump to behavior
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000000.200168393.0000000000F72000.00000002.00020000.sdmp | Binary or memory string: select * from Goods where goods_name=@goods_name and goods_type_id=@goods_type_id and goods_code=@goods_code and specifications=@specifications and goods_wight=@goods_wight and goods_volume=@goods_volume and goods_note=@goods_note;SELECT * FROM Goods WHERE id=/select * from GoodsTypeIselect * from GoodsType where id=@idkUPDATE GoodsType SET goods_type=@goods_type where id=
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000000.200168393.0000000000F72000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO Client VALUES(@client_name,@client_address,@client_contacts,@client_phone,@client_note); DELETE FROM Client WHERE id=
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | File read: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
        Source: unknown | Process created: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe 'C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe {path}
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA223.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe 'C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe' 0
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmp5650.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe {path}
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp'
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Process created: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe {path}
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA223.tmp'
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmp5650.tmp'
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Process created: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe {path}
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
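The process-creation records above carry the three behaviours that the summary's Sigma rules fire on: schtasks.exe registering a task from an XML file in the user's Temp directory, a double-extension image name (.pdf.exe), and the sample launching a second copy of itself. The following is an added example, not part of this report or of Joe Sandbox, showing how a detection pipeline can match those patterns on endpoint telemetry. The events are constructed here from the report's command lines; the parent/child links and the field names (Image, ParentImage, CommandLine, as in Sysmon Event ID 1) are assumptions for the example, and the last event is a made-up benign control.

```python
import re

# Constructed process-creation events modelled on the process tree in the report.
# Field names follow Sysmon Event ID 1; parent links are assumed for the example.
SAMPLE = r"C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe"
EVENTS = [
    {"Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{SAMPLE}"'},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe", "ParentImage": SAMPLE,
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gVFZdFg" /XML "C:\Users\user\AppData\Local\Temp\tmpF515.tmp"'},
    {"Image": SAMPLE, "ParentImage": SAMPLE,
     "CommandLine": f'"{SAMPLE}"'},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe", "ParentImage": SAMPLE,
     "CommandLine": r'schtasks.exe /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmpA223.tmp"'},
    # Benign control (made up): an admin registering a task from a real XML under Program Files.
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /create /tn "Backup" /xml "C:\Program Files\Backup\task.xml"'},
]

# Windows command lines: double-quoted arguments may contain spaces.
TOKEN = re.compile(r'"([^"]*)"|(\S+)')
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
EXEC_EXT = {"exe", "scr", "com", "pif"}
# Locations a scheduled-task XML should not normally be read from (assumed list).
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def tokens(cmdline):
    """Split a Windows command line into arguments, stripping surrounding quotes."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def is_double_extension(path):
    """True for names such as 'report.pdf.exe': a document extension masking an executable."""
    name = path.rsplit("\\", 1)[-1].lower()
    parts = name.split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in DOC_EXT


def schtasks_from_temp(cmdline):
    """Return (task name, xml path) when schtasks creates a task from an XML in a temp directory."""
    toks = tokens(cmdline)
    low = [t.lower() for t in toks]
    if not low or not low[0].endswith("schtasks.exe") or "/create" not in low:
        return None
    for i, t in enumerate(low):
        if t == "/xml" and i + 1 < len(toks):
            xml = toks[i + 1]
            if any(d in xml.lower() for d in TEMP_DIRS):
                tn = toks[low.index("/tn") + 1] if "/tn" in low else "?"
                return tn, xml
    return None


def analyze(events):
    """Run the three rules over a list of process-creation events; returns finding tuples."""
    findings = []
    for e in events:
        img, parent, cmd = e["Image"], e["ParentImage"], e["CommandLine"]
        if is_double_extension(img):
            findings.append(("double_extension", img))
        hit = schtasks_from_temp(cmd)
        if hit:
            findings.append(("schtasks_temp_xml", parent, *hit))
        # A process launching a second instance of its own image is the precursor
        # to the injection the report lists under 'Creates a process in suspended mode'.
        if img.lower() == parent.lower():
            findings.append(("self_spawn", img))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

On the constructed events the detector reports two schtasks hits (task names Updates\gVFZdFg and DHCP Monitor, each with its Temp XML), two double-extension launches and one self-spawn, and stays silent on the Program Files control. The task name alone would not be a good indicator: "DHCP Monitor" is chosen to look legitimate, which is why the rule keys on the XML's location rather than the name.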

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 0_2_01AAD4C0 push esp; retf 0_2_01AAD4C1
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 0_2_01AADBE0 push eax; iretd 0_2_01AADBE1
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_030BD4C0 push esp; retf 8_2_030BD4C1
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_030BDBE0 push eax; iretd 8_2_030BDBE1
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_057F4213 pushad ; retf 8_2_057F4219
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_057F1DFC push eax; retf 8_2_057F4161
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 8_2_057FFF58 push eax; mov dword ptr [esp], edx 8_2_057FFF6C
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | Code function: 18_2_053F69F8 pushad ; retf 18_2_053F69F9
        Source: initial sample | Static PE information: section name: .text entropy: 7.55881445378
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe | File created: C:\Users\user\AppData\Roaming\gVFZdFg.exe
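Two of the obfuscation indicators above, the .text section entropy of 7.56 and the "high entropy of concatenated method names", are the same measurement applied to different material: Shannon entropy over the bytes of a PE section, and over the characters of the type's method names. The following is an added example, not code from this report or from Joe Sandbox, that implements that measurement. It builds a small PE image in memory (constructed here: a pseudo-random .text section standing in for packed code, and a .rdata section filled with a query string like the ones quoted at the top of this section), walks the section table from the COFF header, scores each section, and then scores six of the method names quoted above against a made-up list of ordinary identifiers. The 7.0 section threshold and the 5.0 identifier threshold are assumptions chosen for the example, not Joe Sandbox's values.

```python
import math
import random
import struct
from collections import Counter


def shannon_entropy(data):
    """Bits per symbol over a bytes object or a string (max 8.0 for bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data):
    """Yield (name, raw bytes) for each section in a PE image, parsed from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    for i in range(nsect):
        name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), data[raw_ptr:raw_ptr + raw_size]


def suspicious_sections(data, threshold=7.0):
    """Sections whose entropy is above the (assumed) packer threshold."""
    out = []
    for name, body in pe_sections(data):
        h = shannon_entropy(body)
        if h > threshold:
            out.append((name, round(h, 2)))
    return out


def name_entropy(names):
    """Entropy of the concatenated identifier list, as the report's indicator describes."""
    return shannon_entropy("".join(names))


def build_sample_pe():
    """Constructed minimal 32-bit PE with two sections (not a real binary)."""
    rng = random.Random(1337)
    text = bytes(rng.getrandbits(8) for _ in range(4096))      # stands in for packed code
    rdata = (b"select * from Goods where goods_name=@goods_name;" * 10).ljust(512, b"\0")
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(224, b"\0")              # PE32 magic, rest zeroed
    s1 = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 512,
                     0, 0, 0, 0, 0x60000020)
    s2 = struct.pack("<8sIIIIIIHHI", b".rdata", len(rdata), 0x2000, len(rdata),
                     512 + len(text), 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\0\0" + coff + opt + s1 + s2
    return headers.ljust(512, b"\0") + text + rdata


# Six method names quoted in the report, versus made-up ordinary identifiers.
OBFUSCATED_NAMES = [
    "#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=",
    "#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=",
    "#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq",
    "#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=",
    "#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=",
    "#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA",
]
PLAIN_NAMES = ["GetGoodsByName", "GetGoodsTypeById", "UpdateGoodsType",
               "InsertClient", "DeleteClient", "SelectGoodsType"]

if __name__ == "__main__":
    pe = build_sample_pe()
    for name, body in pe_sections(pe):
        print(f"{name:8s} {len(body):6d} bytes  entropy {shannon_entropy(body):.2f}")
    print("flagged:", suspicious_sections(pe))
    print(f"obfuscated names {name_entropy(OBFUSCATED_NAMES):.2f}, plain names {name_entropy(PLAIN_NAMES):.2f}")
```

The pseudo-random .text lands near 8.0 bits per byte, which is what a packed or encrypted section looks like and what the report's 7.56 reading indicates for the real .text; the query-string section stays well under 5. For identifiers the ceiling is lower because the alphabet is smaller, so the obfuscator's base64-style names score above 5 bits per character while camel-case names built from a few English words score around 4. Entropy alone does not prove packing (compressed resources, certificates and random-looking data sections also score high), so it is a triage signal to be read alongside indicators such as the Assembly.Load(byte[]) calls listed above.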

        Boot Survival: