31.0.0 Emerald
IR
355753
CloudBasic
21/02/2021 19:09:11
Sample: 256ec8f8f67b59c5e085b0bb63afcd13.exe
default.jbs
Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
MD5: 0bbcc2e64e3edf053ed4af2c0bafb0eb
SHA1: c006b8d2ec4b92f441815b20f1bdadf98eab1b4d
SHA256: 52d01903f7c366e01359a00ea771ca1f71d4e1bb54731290bc62c3a218f5af80
File type: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
true
false
false
false
100
0
100
5
0
5
false
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
true
MD5: 0BBCC2E64E3EDF053ED4AF2C0BAFB0EB
SHA1: C006B8D2EC4B92F441815B20F1BDADF98EAB1B4D
SHA256: 52D01903F7C366E01359A00EA771CA1F71D4E1BB54731290BC62C3A218F5AF80

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
true
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\256ec8f8f67b59c5e085b0bb63afcd13.exe.log
true
MD5: 61CCF53571C9ABA6511D696CB0D32E45
SHA1: A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA256: 3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
false
MD5: 61CCF53571C9ABA6511D696CB0D32E45
SHA1: A13A42A20EC14942F52DB20FB16A0A520F8183CE
SHA256: 3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B

C:\Users\user\AppData\Local\Temp\tmp98F0.tmp
true
MD5: B78304EA0D7AFCCEFC8CFF617158D17C
SHA1: 76DD98BBFE885893DC19059C139EDCB829DFA21E
SHA256: B80490FC583697FD68F2B7D0986C9F3BA3944BDB9AEA7F17C826E26BF1749C7F

C:\Users\user\AppData\Local\Temp\tmpA082.tmp
false
MD5: 5C2F41CFC6F988C859DA7D727AC2B62A
SHA1: 68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA256: 98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
true
MD5: 5BF06D5C11AE13FC9970936540EB0703
SHA1: 54B778FC0BA984A04D47CB1E5C6E8252E9BE3FF9
SHA256: 39974C521C78E35079501265DF5A694586DAB94A7EE52F6E923756C5AFE5F3F0

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
false
MD5: 90C08D85024FAD583545EC9562AA4A7E
SHA1: FB6483F47BEC7ED49479D276986B4B789D9725AD
SHA256: 28D29127F67EA98D32833FAC5491366FEC57805EAFF2B15A8AB9AF2555EADCA3
79.134.225.105
cloudhost.myfirewall.org
true
79.134.225.105
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT