31.0.0 Emerald
IR
355858
CloudBasic
08:16:38
22/02/2021
CHEQUE COPY RECEIPT.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
MD5:    403180100f3d966d4ea44c84d039a6d0
SHA1:   4b1af3fd502ad953024cb152c5a6d472fd0307c7
SHA256: 18ca07a540dbd6da66851f88c11ad7683486e33f5c2512fe5c4837c44f8f4bc3
Win32 Executable (generic) a (10002005/4) 99.96%
true
false
false
false
100
0
100
5
0
5
false
Dropped files (path, malicious flag as reported, then MD5 / SHA1 / SHA256):

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
  Malicious: true
  MD5:    403180100F3D966D4EA44C84D039A6D0
  SHA1:   4B1AF3FD502AD953024CB152C5A6D472FD0307C7
  SHA256: 18CA07A540DBD6DA66851F88C11AD7683486E33F5C2512FE5C4837C44F8F4BC3

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
  Malicious: true
  MD5:    187F488E27DB4AF347237FE461A079AD
  SHA1:   6693BA299EC1881249D59262276A0D2CB21F8E64
  SHA256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CHEQUE COPY RECEIPT.exe.log
  Malicious: true
  MD5:    69206D3AF7D6EFD08F4B4726998856D3
  SHA1:   E778D4BF781F7712163CF5E2F5E7C15953E484CF
  SHA256: A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87

C:\Users\user\AppData\Local\Temp\9mqal9z8w5l9du.dll
  Malicious: true
  MD5:    524D2FC0515E13C4101D1BAA1BAC0B33
  SHA1:   2F035F68B3E69295B2AA664F5A87AF3EEF7D0779
  SHA256: 6EF18EA8431521E2D1720FB2634BE322628C95873A91BDBAA656C2031FD591B4

C:\Users\user\AppData\Local\Temp\nscD29E.tmp\System.dll
  Malicious: false
  MD5:    FCCFF8CB7A1067E23FD2E2B63971A8E1
  SHA1:   30E2A9E137C1223A78A0F7B0BF96A1C361976D91
  SHA256: 6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E

C:\Users\user\AppData\Local\Temp\nsfF3F1.tmp\System.dll
  Malicious: false
  MD5:    FCCFF8CB7A1067E23FD2E2B63971A8E1
  SHA1:   30E2A9E137C1223A78A0F7B0BF96A1C361976D91
  SHA256: 6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E

C:\Users\user\AppData\Local\Temp\nsmD23F.tmp
  Malicious: false
  MD5:    BAFB51AF8D8FF08D01E2C763A5CDC87D
  SHA1:   026DC8B1A11688CC135AF98FB4EFE7CD95743955
  SHA256: FB17C53CF1546570005A12AB4F3B38FBF6D5E9E54732D97C4BC9FEB40ED0D21D

C:\Users\user\AppData\Local\Temp\nsqF603.tmp
  Malicious: false
  MD5:    C3EE4DAA11E8DE8826566576CD5E1F6C
  SHA1:   880EF4E0E5EA3EA3EF5C115E5E159C02CFA54FCA
  SHA256: D643061A0EF3D42B1B7AD8B00A677C5A431E19FDEFCEC9BCD1D52BA225ACBF87

C:\Users\user\AppData\Local\Temp\nsu1979.tmp
  Malicious: false
  MD5:    C3EE4DAA11E8DE8826566576CD5E1F6C
  SHA1:   880EF4E0E5EA3EA3EF5C115E5E159C02CFA54FCA
  SHA256: D643061A0EF3D42B1B7AD8B00A677C5A431E19FDEFCEC9BCD1D52BA225ACBF87

C:\Users\user\AppData\Local\Temp\nsvF3B2.tmp
  Malicious: false
  MD5:    BAFB51AF8D8FF08D01E2C763A5CDC87D
  SHA1:   026DC8B1A11688CC135AF98FB4EFE7CD95743955
  SHA256: FB17C53CF1546570005A12AB4F3B38FBF6D5E9E54732D97C4BC9FEB40ED0D21D

C:\Users\user\AppData\Local\Temp\oonrzjdqx.im
  Malicious: false
  MD5:    8B62F2C193687E33B28430F6132F4D2D
  SHA1:   7794A9B612177B7AED06580622CF0B7163241867
  SHA256: 5F68BA0AF0A904A8DFE28F0D947F64ECF94E01FF89419D4AAF6864DA8C7AA094

C:\Users\user\AppData\Local\Temp\tmpE682.tmp
  Malicious: true
  MD5:    419B9BAF87B2D10BE7542CC9C964DE83
  SHA1:   78452D57F42AD197A0414E7904E90C775F013AA8
  SHA256: 30D414E1ACE9688F68A91CD57B3FFEE2817D9DD83419F5CFD2CD2EBE547080A8

C:\Users\user\AppData\Local\Temp\tmpEA6B.tmp
  Malicious: false
  MD5:    5C2F41CFC6F988C859DA7D727AC2B62A
  SHA1:   68999C85FC7E37BAB9216E0099836D40D4545C1C
  SHA256: 98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
  Malicious: false
  MD5:    0FBED11864C03FDED0E70014DCF84578
  SHA1:   453723D938A03252F705B0A104986FE4C5CA7056
  SHA256: 70F5E49EE3091777827ED661B63842061220C899A708860986E9AA1BD87C5004

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
  Malicious: true
  MD5:    4343B3F60A47270C9117192785044AD8
  SHA1:   6F48A2C7B2E9E66E29C7A3F19711AAFD1B3C2179
  SHA256: 7D8DE47DB830173F7E731C8685049C906288A9A8C9C7B7175D7DFFEE3655D242

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
  Malicious: false
  MD5:    EB9DA02003EBF142462BBB7ED1224454
  SHA1:   81A21F66CEF1CC55D2E8F0F5EB9AE0AB4AF830F1
  SHA256: 627FE62D0626FBE390F5A97884D85D612E1B3FF7831AFF8834B541259A8BA39B
192.168.2.1
185.150.24.55
chinomso.duckdns.org
true
185.150.24.55
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT