Play interactive tour

Edit tour

Analysis Report POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

Overview

General Information

Sample Name:	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
Analysis ID:	355200
MD5:	afcc0c7f6fadf41949e66c9325b9f843
SHA1:	c1562634e7d393b54606731becad8d4d11fcba39
SHA256:	7dc65cb43a6491e7da09935a8e8d20c33873fc75e370b9a701aea0a660e85b80
Tags:	exeNanoCoreRAT
Most interesting Screenshot:

Detection

NanoCore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Suspicious Double Extension

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Nanocore RAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

POEA ADVISORY ON DELISTED AGENCIES.pdf.exe (PID: 2412 cmdline: 'C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe' MD5: AFCC0C7F6FADF41949E66C9325B9F843)

schtasks.exe (PID: 5592 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

POEA ADVISORY ON DELISTED AGENCIES.pdf.exe (PID: 3492 cmdline: {path} MD5: AFCC0C7F6FADF41949E66C9325B9F843)

schtasks.exe (PID: 5580 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA223.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

POEA ADVISORY ON DELISTED AGENCIES.pdf.exe (PID: 5904 cmdline: 'C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe' 0 MD5: AFCC0C7F6FADF41949E66C9325B9F843)

schtasks.exe (PID: 5704 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmp5650.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

POEA ADVISORY ON DELISTED AGENCIES.pdf.exe (PID: 2592 cmdline: {path} MD5: AFCC0C7F6FADF41949E66C9325B9F843)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "c4cca249-81f6-4232-9f14-01569e09f5f0", "Group": "JANUARY", "Domain1": "shahzad73.casacam.net", "Domain2": "shahzad73.ddns.net", "Port": 9036, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4#=qs2bxKs15DbteFYTMsjthM8IIAMC9Avo9uFWUE1JbxpU=", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000012.00000002.327116738.0000000002E09000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x31577:$a: NanoCore 0x315d0:$a: NanoCore 0x3160d:$a: NanoCore 0x31686:$a: NanoCore 0x315d9:$b: ClientPlugin 0x31616:$b: ClientPlugin 0x31f14:$b: ClientPlugin 0x31f21:$b: ClientPlugin 0x276fa:$e: KeepAlive 0x31a61:$g: LogClientMessage 0x319e1:$i: get_Connected 0x219ad:$j: #=q 0x219dd:$j: #=q 0x21a19:$j: #=q 0x21a41:$j: #=q 0x21a71:$j: #=q 0x21aa1:$j: #=q 0x21ad1:$j: #=q 0x21b01:$j: #=q 0x21b1d:$j: #=q 0x21b4d:$j: #=q
00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000012.00000002.327064470.0000000002DD1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.327179644.0000000003DD9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.327179644.0000000003DD9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435cd:$a: NanoCore 0x43626:$a: NanoCore 0x43663:$a: NanoCore 0x436dc:$a: NanoCore 0x56d87:$a: NanoCore 0x56d9c:$a: NanoCore 0x56dd1:$a: NanoCore 0x6fd7b:$a: NanoCore 0x6fd90:$a: NanoCore 0x6fdc5:$a: NanoCore 0x4362f:$b: ClientPlugin 0x4366c:$b: ClientPlugin 0x43f6a:$b: ClientPlugin 0x43f77:$b: ClientPlugin 0x56b43:$b: ClientPlugin 0x56b5e:$b: ClientPlugin 0x56b8e:$b: ClientPlugin 0x56da5:$b: ClientPlugin 0x56dda:$b: ClientPlugin 0x6fb37:$b: ClientPlugin 0x6fb52:$b: ClientPlugin
00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b495:$x1: NanoCore.ClientPluginHost 0x5b4d2:$x2: IClientNetworkHost 0x5f005:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5b1fd:$a: NanoCore 0x5b20d:$a: NanoCore 0x5b441:$a: NanoCore 0x5b455:$a: NanoCore 0x5b495:$a: NanoCore 0x5b25c:$b: ClientPlugin 0x5b45e:$b: ClientPlugin 0x5b49e:$b: ClientPlugin 0x5b383:$c: ProjectData 0x5bd8a:$d: DESCrypto 0x63756:$e: KeepAlive 0x61744:$g: LogClientMessage 0x5d93f:$i: get_Connected 0x5c0c0:$j: #=q 0x5c0f0:$j: #=q 0x5c10c:$j: #=q 0x5c13c:$j: #=q 0x5c158:$j: #=q 0x5c174:$j: #=q 0x5c1a4:$j: #=q 0x5c1c0:$j: #=q
00000004.00000003.300424422.0000000004893000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1ba2:$a: NanoCore 0x1bc7:$a: NanoCore 0x1c20:$a: NanoCore 0x11dbd:$a: NanoCore 0x11de3:$a: NanoCore 0x11e3f:$a: NanoCore 0x1ec94:$a: NanoCore 0x1eced:$a: NanoCore 0x1ed20:$a: NanoCore 0x1ef4c:$a: NanoCore 0x1efc8:$a: NanoCore 0x1f5e1:$a: NanoCore 0x1f72a:$a: NanoCore 0x1fbfe:$a: NanoCore 0x1fee5:$a: NanoCore 0x1fefc:$a: NanoCore 0x23285:$a: NanoCore 0x2463f:$a: NanoCore 0x24689:$a: NanoCore 0x252e3:$a: NanoCore 0x2a8c8:$a: NanoCore
00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x14b745:$x1: NanoCore.ClientPluginHost 0x232185:$x1: NanoCore.ClientPluginHost 0x14b782:$x2: IClientNetworkHost 0x2321c2:$x2: IClientNetworkHost 0x14f2b5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x235cf5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x14b4ad:$a: NanoCore 0x14b4bd:$a: NanoCore 0x14b6f1:$a: NanoCore 0x14b705:$a: NanoCore 0x14b745:$a: NanoCore 0x231eed:$a: NanoCore 0x231efd:$a: NanoCore 0x232131:$a: NanoCore 0x232145:$a: NanoCore 0x232185:$a: NanoCore 0x14b50c:$b: ClientPlugin 0x14b70e:$b: ClientPlugin 0x14b74e:$b: ClientPlugin 0x231f4c:$b: ClientPlugin 0x23214e:$b: ClientPlugin 0x23218e:$b: ClientPlugin 0x97b05:$c: ProjectData 0x14b633:$c: ProjectData 0x232073:$c: ProjectData 0x14c03a:$d: DESCrypto 0x232a7a:$d: DESCrypto
00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x23ef5:$x1: NanoCore.ClientPluginHost 0x23f32:$x2: IClientNetworkHost 0x27a65:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23c5d:$a: NanoCore 0x23c6d:$a: NanoCore 0x23ea1:$a: NanoCore 0x23eb5:$a: NanoCore 0x23ef5:$a: NanoCore 0x23cbc:$b: ClientPlugin 0x23ebe:$b: ClientPlugin 0x23efe:$b: ClientPlugin 0x23de3:$c: ProjectData 0x247ea:$d: DESCrypto 0x2c1b6:$e: KeepAlive 0x2a1a4:$g: LogClientMessage 0x2639f:$i: get_Connected 0x24b20:$j: #=q 0x24b50:$j: #=q 0x24b6c:$j: #=q 0x24b9c:$j: #=q 0x24bb8:$j: #=q 0x24bd4:$j: #=q 0x24c04:$j: #=q 0x24c20:$j: #=q
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2e39798.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2e39798.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287a1:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287ce:$x2: IClientNetworkHost
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287a1:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2987c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287bb:$s5: IClientLoggingHost
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5d7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d604:$x2: IClientNetworkHost
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5d7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6b2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5f1:$s5: IClientLoggingHost
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d58d:$a: NanoCore 0x2d5a2:$a: NanoCore 0x2d5d7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d349:$b: ClientPlugin 0x2d364:$b: ClientPlugin
8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2dfcd94.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2dfcd94.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b6297.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3831:$x1: NanoCore.ClientPluginHost 0x386a:$x2: IClientNetworkHost
4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b6297.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3831:$x2: NanoCore.ClientPluginHost 0x394c:$s4: PipeCreated 0x384b:$s5: IClientLoggingHost
0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xc3fad:$x1: NanoCore.ClientPluginHost 0xc3fea:$x2: IClientNetworkHost 0xc7b1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc3d15:$a: NanoCore 0xc3d25:$a: NanoCore 0xc3f59:$a: NanoCore 0xc3f6d:$a: NanoCore 0xc3fad:$a: NanoCore 0xc3d74:$b: ClientPlugin 0xc3f76:$b: ClientPlugin 0xc3fb6:$b: ClientPlugin 0xc3e9b:$c: ProjectData 0xc48a2:$d: DESCrypto 0xcc26e:$e: KeepAlive 0xca25c:$g: LogClientMessage 0xc6457:$i: get_Connected 0xc4bd8:$j: #=q 0xc4c08:$j: #=q 0xc4c24:$j: #=q 0xc4c54:$j: #=q 0xc4c70:$j: #=q 0xc4c8c:$j: #=q 0xc4cbc:$j: #=q 0xc4cd8:$j: #=q
8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.489c23e.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.489c23e.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0xf6bcd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0xf6c0a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xfa73d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xf6935:$a: NanoCore 0xf6945:$a: NanoCore 0xf6b79:$a: NanoCore 0xf6b8d:$a: NanoCore 0xf6bcd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0xf6994:$b: ClientPlugin 0xf6b96:$b: ClientPlugin 0xf6bd6:$b: ClientPlugin 0x1007b:$c: ProjectData 0xf6abb:$c: ProjectData 0x10a82:$d: DESCrypto 0xf74c2:$d: DESCrypto 0x1844e:$e: KeepAlive
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e24c4d.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24178:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241a5:$x2: IClientNetworkHost
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e24c4d.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24178:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25253:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x24192:$s5: IClientLoggingHost
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e24c4d.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b6297.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x13a8:$a: NanoCore 0x13f2:$a: NanoCore 0x204c:$a: NanoCore 0x7631:$a: NanoCore 0x76ab:$a: NanoCore 0x11c40:$a: NanoCore 0x11d2a:$a: NanoCore 0x12ba1:$a: NanoCore 0x1bd4b:$a: NanoCore 0x1bdac:$a: NanoCore 0x1bdef:$a: NanoCore 0x1be2f:$a: NanoCore 0x1c06b:$a: NanoCore 0x1c10b:$a: NanoCore 0x1c8e3:$a: NanoCore 0x1ced6:$a: NanoCore 0x1d027:$a: NanoCore 0x1de81:$a: NanoCore 0x1e0e8:$a: NanoCore 0x1e0fd:$a: NanoCore 0x1e11c:$a: NanoCore
4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b0869.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0x5a1c:$a: NanoCore 0x6dd6:$a: NanoCore 0x6e20:$a: NanoCore 0x7a7a:$a: NanoCore 0xd05f:$a: NanoCore 0xd0d9:$a: NanoCore 0x1766e:$a: NanoCore 0x17758:$a: NanoCore 0x185cf:$a: NanoCore 0x21779:$a: NanoCore 0x217da:$a: NanoCore
4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.489c23e.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a56:$a: NanoCore 0x15aaf:$a: NanoCore 0x15ae2:$a: NanoCore 0x15d0e:$a: NanoCore 0x15d8a:$a: NanoCore 0x163a3:$a: NanoCore 0x164ec:$a: NanoCore 0x169c0:$a: NanoCore 0x16ca7:$a: NanoCore 0x16cbe:$a: NanoCore 0x1a047:$a: NanoCore 0x1b401:$a: NanoCore 0x1b44b:$a: NanoCore 0x1c0a5:$a: NanoCore 0x2168a:$a: NanoCore 0x21704:$a: NanoCore 0x2bc99:$a: NanoCore 0x2bd83:$a: NanoCore
0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10023d:$x1: NanoCore.ClientPluginHost 0x1e6c7d:$x1: NanoCore.ClientPluginHost 0x10027a:$x2: IClientNetworkHost 0x1e6cba:$x2: IClientNetworkHost 0x103dad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1ea7ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfffa5:$a: NanoCore 0xfffb5:$a: NanoCore 0x1001e9:$a: NanoCore 0x1001fd:$a: NanoCore 0x10023d:$a: NanoCore 0x1e69e5:$a: NanoCore 0x1e69f5:$a: NanoCore 0x1e6c29:$a: NanoCore 0x1e6c3d:$a: NanoCore 0x1e6c7d:$a: NanoCore 0x100004:$b: ClientPlugin 0x100206:$b: ClientPlugin 0x100246:$b: ClientPlugin 0x1e6a44:$b: ClientPlugin 0x1e6c46:$b: ClientPlugin 0x1e6c86:$b: ClientPlugin 0x4c5fd:$c: ProjectData 0x10012b:$c: ProjectData 0x1e6b6b:$c: ProjectData 0x100b32:$d: DESCrypto 0x1e7572:$d: DESCrypto
Click to see the 43 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, ProcessId: 3492, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe' , ParentImage: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, ParentProcessId: 2412, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp', ProcessId: 5592

Sigma detected: Suspicious Double Extension

Show sources

Source: Process started

Author: Florian Roth (rule), @blu3_team (idea): Data: Command: {path}, CommandLine: {path}, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, NewProcessName: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, OriginalFileName: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe' , ParentImage: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, ParentProcessId: 2412, ProcessCommandLine: {path}, ProcessId: 3492

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000012.00000002.327116738.0000000002E09000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "c4cca249-81f6-4232-9f14-01569e09f5f0", "Group": "JANUARY", "Domain1": "shahzad73.casacam.net", "Domain2": "shahzad73.ddns.net", "Port": 9036, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4#=qs2bxKs15DbteFYTMsjthM8IIAMC9Avo9uFWUE1JbxpU=", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.327064470.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.327179644.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e24c4d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\gVFZdFg.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

Joe Sandbox ML: detected

Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack

Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Show sources

Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49704 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49706 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49707 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49708 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49709 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49710 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49711 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49712 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49713 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49714 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49715 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49716 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49717 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49718 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49719 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49720 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49721 -> 91.212.153.84:9036

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: shahzad73.ddns.net
Source: Malware configuration extractor	URLs: shahzad73.casacam.net

Source: global traffic

TCP traffic: 192.168.2.3:49704 -> 91.212.153.84:9036

Source: Joe Sandbox View

IP Address: 91.212.153.84 91.212.153.84

Source: Joe Sandbox View

ASN Name: MYLOC-ASIPBackboneofmyLocmanagedITAGDE MYLOC-ASIPBackboneofmyLocmanagedITAGDE

Source: unknown

DNS traffic detected: queries for: shahzad73.casacam.net

Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.206587822.00000000063F2000.00000004.00000001.sdmp	String found in binary or memory: http://en.wB$
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.209891258.0000000006426000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.210240222.00000000063E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com5
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.210240222.00000000063E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.261954858.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comFB
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.209218281.00000000063E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comFM
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.261954858.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.210240222.00000000063E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comals
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.210240222.00000000063E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comcomd
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.261954858.00000000063E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comgrito
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.210240222.00000000063E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comue
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.210240222.00000000063E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comueTF
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.205634366.00000000063E4000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cned
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.205634366.00000000063E4000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnemM
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.211063461.00000000063E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207101535.00000000063E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207101535.00000000063E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/5
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207384617.00000000063E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/M
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207384617.00000000063E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207101535.00000000063E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/_
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207101535.00000000063E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/es-e
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207101535.00000000063E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207384617.00000000063E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207384617.00000000063E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/5
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207101535.00000000063E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/o
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207384617.00000000063E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/q
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207384617.00000000063E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/va
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000003.207101535.00000000063E6000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/vno
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.286188722.000000000C020000.00000002.00000001.sdmp, POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000002.262105618.00000000064D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.327064470.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.327179644.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e24c4d.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000012.00000002.327116738.0000000002E09000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.327179644.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000003.300424422.0000000004893000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2e39798.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2dfcd94.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b6297.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.489c23e.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e24c4d.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b6297.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b0869.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.489c23e.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 0_2_00F72050
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 0_2_01AACBBC
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 0_2_01AAEB20
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 0_2_01AAEB30
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 8_2_00EB2050
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 8_2_030BEB20
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 8_2_030BEB30
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 8_2_030BCBBC
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 8_2_057FF008
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 8_2_057FEFF7
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 18_2_008D2050
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 18_2_0529E471
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 18_2_0529E480
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 18_2_0529BBD4
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 18_2_053FF5F8
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 18_2_053F9788
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 18_2_053FA5D0

Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gVFZdFg.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Binary or memory string: OriginalFilename vs POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000000.200168393.0000000000F72000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameG vs POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Binary or memory string: OriginalFilename vs POEA ADVISORY ON DELISTED AGENCIES.pdf.exe
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Binary or memory string: OriginalFilename vs POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000012.00000002.327116738.0000000002E09000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000012.00000002.325925653.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.327179644.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.311283460.00000000042D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000003.300424422.0000000004893000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.255992771.0000000004429000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.311591988.0000000004376000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2e39798.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2e39798.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e1b7ee.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2dfcd94.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.2dfcd94.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e20624.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b6297.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b6297.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45971d8.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4389d68.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.489c23e.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.489c23e.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.45645b8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e24c4d.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.3e24c4d.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b6297.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.48b0869.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.3.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.489c23e.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.4474508.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: gVFZdFg.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/11@17/1

Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

File created: C:\Users\user\AppData\Roaming\gVFZdFg.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1380:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5596:120:WilError_01
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{c4cca249-81f6-4232-9f14-01569e09f5f0}
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\uNbBKzF
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5528:120:WilError_01

Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmpF515.tmp

Jump to behavior

Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000000.200168393.0000000000F72000.00000002.00020000.sdmp	Binary or memory string: select * from Goods where goods_name=@goods_name and goods_type_id=@goods_type_id and goods_code=@goods_code and specifications=@specifications and goods_wight=@goods_wight and goods_volume=@goods_volume and goods_note=@goods_note;SELECT * FROM Goods WHERE id=/select * from GoodsTypeIselect * from GoodsType where id=@idkUPDATE GoodsType SET goods_type=@goods_type where id=
Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe, 00000000.00000000.200168393.0000000000F72000.00000002.00020000.sdmp	Binary or memory string: INSERT INTO Client VALUES(@client_name,@client_address,@client_contacts,@client_phone,@client_note); DELETE FROM Client WHERE id=

Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

File read: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe 'C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA223.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe 'C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe' 0
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmp5650.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe {path}
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp'
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Process created: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe {path}
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpA223.tmp'
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmp5650.tmp'
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Process created: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe {path}

Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 0_2_01AAD4C0 push esp; retf
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 0_2_01AADBE0 push eax; iretd
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 8_2_030BD4C0 push esp; retf
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 8_2_030BDBE0 push eax; iretd
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 8_2_057F4213 pushad ; retf
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 8_2_057F1DFC push eax; retf
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 8_2_057FFF58 push eax; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Code function: 18_2_053F69F8 pushad ; retf

Source: initial sample	Static PE information: section name: .text entropy: 7.55881445378
Source: initial sample	Static PE information: section name: .text entropy: 7.55881445378

Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 18.2.POEA ADVISORY ON DELISTED AGENCIES.pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

File created: C:\Users\user\AppData\Roaming\gVFZdFg.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\gVFZdFg' /XML 'C:\Users\user\AppData\Local\Temp\tmpF515.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report POEA ADVISORY ON DELISTED AGENCIES.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection: