Analysis Report Quotation_Request.pdf.exe

Overview

General Information

Sample Name: Quotation_Request.pdf.exe
Analysis ID: 381954
MD5: 79cd8383f51372c9f0721289f6470889
SHA1: 41b082acc2c9725da7c20ff93dc26df2ab06d1aa
SHA256: 08ecce1fb89755fa576a2c1c855bbb0f701ef20c791f56dc0c675fb2a8163691
Tags: exe, NanoCore
Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Quotation_Request.pdf.exe (PID: 6812 cmdline: 'C:\Users\user\Desktop\Quotation_Request.pdf.exe' MD5: 79CD8383F51372C9F0721289F6470889)
    • schtasks.exe (PID: 7156 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mgdPGGmBTUB' /XML 'C:\Users\user\AppData\Local\Temp\tmp4108.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-000c0a4c", "Domain1": "185.140.53.138", "Domain2": "wealth2021.ddns.net", "Port": 20221, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.915585705.0000000004249000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000007.00000002.915585705.0000000004249000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0x2f25:$a: NanoCore
    • 0x2f7e:$a: NanoCore
    • 0x2fbb:$a: NanoCore
    • 0x3034:$a: NanoCore
    • 0x166df:$a: NanoCore
    • 0x166f4:$a: NanoCore
    • 0x16729:$a: NanoCore
    • 0x2f1ab:$a: NanoCore
    • 0x2f1c0:$a: NanoCore
    • 0x2f1f5:$a: NanoCore
    • 0x2f87:$b: ClientPlugin
    • 0x2fc4:$b: ClientPlugin
    • 0x38c2:$b: ClientPlugin
    • 0x38cf:$b: ClientPlugin
    • 0x1649b:$b: ClientPlugin
    • 0x164b6:$b: ClientPlugin
    • 0x164e6:$b: ClientPlugin
    • 0x166fd:$b: ClientPlugin
    • 0x16732:$b: ClientPlugin
    • 0x2ef67:$b: ClientPlugin
    • 0x2ef82:$b: ClientPlugin
00000007.00000002.910440446.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
    • 0xff8d:$x1: NanoCore.ClientPluginHost
    • 0xffca:$x2: IClientNetworkHost
    • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.910440446.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000007.00000002.910440446.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
      • 0xfcf5:$a: NanoCore
      • 0xfd05:$a: NanoCore
      • 0xff39:$a: NanoCore
      • 0xff4d:$a: NanoCore
      • 0xff8d:$a: NanoCore
      • 0xfd54:$b: ClientPlugin
      • 0xff56:$b: ClientPlugin
      • 0xff96:$b: ClientPlugin
      • 0xfe7b:$c: ProjectData
      • 0x10882:$d: DESCrypto
      • 0x1824e:$e: KeepAlive
      • 0x1623c:$g: LogClientMessage
      • 0x12437:$i: get_Connected
      • 0x10bb8:$j: #=q
      • 0x10be8:$j: #=q
      • 0x10c04:$j: #=q
      • 0x10c34:$j: #=q
      • 0x10c50:$j: #=q
      • 0x10c6c:$j: #=q
      • 0x10c9c:$j: #=q
      • 0x10cb8:$j: #=q

Unpacked PEs

Source | Rule | Description | Author | Strings
7.2.Quotation_Request.pdf.exe.5ab4629.9.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
      • 0xb184:$x1: NanoCore.ClientPluginHost
      • 0xb1b1:$x2: IClientNetworkHost
7.2.Quotation_Request.pdf.exe.5ab4629.9.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
      • 0xb184:$x2: NanoCore.ClientPluginHost
      • 0xc25f:$s4: PipeCreated
      • 0xb19e:$s5: IClientLoggingHost
7.2.Quotation_Request.pdf.exe.5ab4629.9.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
7.2.Quotation_Request.pdf.exe.58e0000.7.raw.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
        • 0xe75:$x1: NanoCore.ClientPluginHost
        • 0xe8f:$x2: IClientNetworkHost
7.2.Quotation_Request.pdf.exe.58e0000.7.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
        • 0xe75:$x2: NanoCore.ClientPluginHost
        • 0x1261:$s3: PipeExists
        • 0x1136:$s4: PipeCreated
        • 0xeb0:$s5: IClientLoggingHost

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\Quotation_Request.pdf.exe, ProcessId: 6184, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mgdPGGmBTUB' /XML 'C:\Users\user\AppData\Local\Temp\tmp4108.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mgdPGGmBTUB' /XML 'C:\Users\user\AppData\Local\Temp\tmp4108.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Quotation_Request.pdf.exe', ParentImage: C:\Users\user\Desktop\Quotation_Request.pdf.exe, ParentProcessId: 6812, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mgdPGGmBTUB' /XML 'C:\Users\user\AppData\Local\Temp\tmp4108.tmp', ProcessId: 7156
Sigma detected: Suspicious Double Extension
Source: Process started; Author: Florian Roth (rule), @blu3_team (idea); Data: Command: {path}, CommandLine: {path}, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Quotation_Request.pdf.exe, NewProcessName: C:\Users\user\Desktop\Quotation_Request.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Quotation_Request.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\Quotation_Request.pdf.exe', ParentImage: C:\Users\user\Desktop\Quotation_Request.pdf.exe, ParentProcessId: 6812, ProcessCommandLine: {path}, ProcessId: 6184
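
The two process-creation Sigma hits above are command-line pattern checks, and the value of the report's process tree is that they can be correlated: the schtasks.exe that registers the task is a child of the double-extension binary. The following Python is an added example, not part of the Joe Sandbox report and not Sigma's or Joe Security's code, that approximates both rules and adds that parent/child correlation, run over constructed Sysmon-style events. The first two events mirror the command lines in this report; the other two are benign controls. The temp-path markers, the double-extension list and the correlation are this example's own assumptions, not the rules' exact selection logic.

```python
import re

# Constructed Sysmon-style process-creation events. The first two mirror the
# command lines shown in the Sigma section of this report; the last two are
# benign controls that must not alert.
EVENTS = [
    {"ProcessId": 7156,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mgdPGGmBTUB' "
                    r"/XML 'C:\Users\user\AppData\Local\Temp\tmp4108.tmp'",
     "ParentImage": r"C:\Users\user\Desktop\Quotation_Request.pdf.exe"},
    {"ProcessId": 6184,
     "Image": r"C:\Users\user\Desktop\Quotation_Request.pdf.exe",
     "CommandLine": r"'C:\Users\user\Desktop\Quotation_Request.pdf.exe'",
     "ParentImage": r"C:\Users\user\Desktop\Quotation_Request.pdf.exe"},
    {"ProcessId": 4242,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /Create /TN 'Backup\Nightly' /XML 'C:\ProgramData\Backup\nightly.xml'",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 4343,
     "Image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
     "CommandLine": r"'C:\Program Files\Adobe\Reader\AcroRd32.exe' 'C:\Users\user\Downloads\Quotation_Request.pdf'",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumptions standing in for the rules' real selection lists.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
DOUBLE_EXTENSIONS = (".pdf.exe", ".doc.exe", ".docx.exe", ".xls.exe", ".xlsx.exe",
                     ".ppt.exe", ".pptx.exe", ".txt.exe", ".jpg.exe", ".png.exe",
                     ".rtf.exe", ".zip.exe", ".rar.exe")
# Captures the /XML argument whether or not it is quoted (the report shows single quotes).
XML_ARG = re.compile(r'''/xml\s+['"]?([^'"\s]+)''')


def scheduled_task_from_temp(event):
    """schtasks.exe /Create whose /XML task definition lives in a temp directory."""
    image = event["Image"].lower()
    cmd = event["CommandLine"].lower()
    if not image.endswith("\\schtasks.exe") or "/create" not in cmd:
        return False
    m = XML_ARG.search(cmd)
    return bool(m) and any(marker in m.group(1) for marker in TEMP_MARKERS)


def has_double_extension(path):
    """Executable whose name ends in a document-like extension followed by .exe."""
    return path.lower().endswith(DOUBLE_EXTENSIONS)


def evaluate(events):
    """Map ProcessId -> list of rule names that fired for that event."""
    hits = {}
    for ev in events:
        names = []
        if scheduled_task_from_temp(ev):
            names.append("Scheduled temp file as task from temp location")
            # Correlation the individual rules do not do: the task was
            # registered by a parent that is itself a double-extension binary.
            if has_double_extension(ev["ParentImage"]):
                names.append("Correlated: task created by double-extension parent")
        if has_double_extension(ev["Image"]):
            names.append("Suspicious Double Extension")
        if names:
            hits[ev["ProcessId"]] = names
    return hits


if __name__ == "__main__":
    for pid, names in evaluate(EVENTS).items():
        print(pid, names)
```

The correlation is the part worth keeping: a lone schtasks.exe /Create from a temp XML is common in installers, but one whose parent carries a document-style double extension (as PID 7156 does here, parent PID 6812) is rarely benign.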

Signature Overview

AV Detection:

Found malware configuration
Source: 00000007.00000002.915585705.0000000004249000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore (full configuration listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\mgdPGGmBTUB.exe; Metadefender: Detection: 18%
Source: C:\Users\user\AppData\Roaming\mgdPGGmBTUB.exe; ReversingLabs: Detection: 58%
Multi AV Scanner detection for submitted file
Source: Quotation_Request.pdf.exe; Virustotal: Detection: 30%
Source: Quotation_Request.pdf.exe; Metadefender: Detection: 18%
Source: Quotation_Request.pdf.exe; ReversingLabs: Detection: 58%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000007.00000002.915585705.0000000004249000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.910440446.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.912659858.0000000003201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.672015342.00000000040A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.917702828.0000000005AB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.671468034.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Quotation_Request.pdf.exe PID: 6184, type: MEMORY
Source: Yara match; File source: 7.2.Quotation_Request.pdf.exe.5ab4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.Quotation_Request.pdf.exe.424ff7c.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.Quotation_Request.pdf.exe.42545a5.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.Quotation_Request.pdf.exe.5ab0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation_Request.pdf.exe.4054958.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.Quotation_Request.pdf.exe.5ab0000.10.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.Quotation_Request.pdf.exe.424ff7c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation_Request.pdf.exe.4054958.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.Quotation_Request.pdf.exe.424b146.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation_Request.pdf.exe.3f6fb08.2.raw.unpack, type: UNPACKEDPE
Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.Quotation_Request.pdf.exe.5ab0000.10.unpack; Avira: Label: TR/NanoCore.fadte
Source: Quotation_Request.pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Quotation_Request.pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: wealth2021.ddns.net
Source: Malware configuration extractor; URLs: 185.140.53.138
Uses dynamic DNS services
Source: unknown; DNS query: name: wealth2021.ddns.net
Source: global traffic; TCP traffic: 192.168.2.4:49726 -> 185.140.53.138:20221
Source: Joe Sandbox View; IP Address: 185.140.53.138
Source: Joe Sandbox View; ASN Name: DAVID_CRAIGGG
Source: unknown; DNS traffic detected: queries for: wealth2021.ddns.net
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: Quotation_Request.pdf.exe, 00000000.00000002.679777119.0000000009011000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quotation_Request.pdf.exe, 00000000.00000002.671021338.0000000001487000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.comB.TTFZ
Source: Quotation_Request.pdf.exe, 00000000.00000002.671021338.0000000001487000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.coma~
Source: Quotation_Request.pdf.exe, 00000000.00000002.671021338.0000000001487000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.comue9
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Note: the fontfabrik.com, fontbureau.com, fonts.com, founder.com.cn and similar URLs above are vendor and licence strings from font metadata mapped into the first-stage process (the trailing characters such as "coml", "B.TTFZ" and "DPlease" are memory-string artefacts), and the schemas.xmlsoap.org URL is the .NET claims-identity constant for the Name claim. None of them is contacted during the analysis and none should be used as a network indicator; the only observed C2 traffic is the TCP session to 185.140.53.138:20221 and the DNS query for wealth2021.ddns.net.
Source: Quotation_Request.pdf.exe, 00000000.00000002.670658902.0000000001178000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Quotation_Request.pdf.exe, 00000007.00000002.915585705.0000000004249000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices
Note: RegisterRawInputDevices is the API behind the "Installs a raw input device (often for capturing keystrokes)" signature in the summary and is consistent with "KeyboardLogging": "Enable" in the extracted configuration; it is an input hook, not network activity.
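
The extracted configuration and the Networking entries above give everything needed to hunt in network telemetry: a C2 IP literal in Domain1, a dynamic-DNS hostname in Domain2, the port, and, because UseCustomDNS is enabled, the resolvers the implant uses instead of the host's. The last point matters: the wealth2021.ddns.net lookup goes straight to 8.8.8.8, so it never reaches the internal resolver's query logs and has to be caught from flow data as DNS to a non-corporate server. The following Python is an added example, not from the report or the sandbox vendor, that derives indicators from the extracted configuration (trimmed to the keys it uses) and matches them against constructed flow and DNS records. The first two records mirror the traffic the report observed; the corporate resolver address 10.0.0.53, the other hosts and the dynamic-DNS suffix list are assumptions.

```python
import ipaddress
import json

# NanoCore configuration as extracted in the report above, trimmed to the
# keys this example uses.
NANOCORE_CONFIG = json.loads("""{
  "Version": "1.2.2.0",
  "Mutex": "6f656d69-7475-8807-1300-000c0a4c",
  "Domain1": "185.140.53.138",
  "Domain2": "wealth2021.ddns.net",
  "Port": 20221,
  "UseCustomDNS": "Enable",
  "PrimaryDNSServer": "8.8.8.8",
  "BackupDNSServer": "8.8.4.4"
}""")

# Assumption for this example: the only resolvers endpoints are allowed to use.
CORPORATE_RESOLVERS = {"10.0.0.53"}
# Assumption: dynamic-DNS provider suffixes worth flagging on their own.
DDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org")


def indicators(cfg):
    """Derive network indicators from a NanoCore config.

    Domain1/Domain2 hold either an IP literal or a hostname, so each value
    is classified by trying to parse it as an address.
    """
    ips, hosts = set(), set()
    for key in ("Domain1", "Domain2"):
        value = cfg.get(key)
        if not value:
            continue
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            hosts.add(value.lower())
    custom_dns = set()
    if cfg.get("UseCustomDNS") == "Enable":
        custom_dns = {cfg[k] for k in ("PrimaryDNSServer", "BackupDNSServer") if cfg.get(k)}
    return {"c2_ips": ips, "c2_hosts": hosts, "c2_port": int(cfg["Port"]), "custom_dns": custom_dns}


# Constructed flow / DNS records. The first two mirror the report
# (192.168.2.4 -> 185.140.53.138:20221 and the lookup of wealth2021.ddns.net);
# the others are benign traffic from a second, hypothetical host.
RECORDS = [
    {"src": "192.168.2.4", "dst": "185.140.53.138", "dport": 20221, "proto": "tcp"},
    {"src": "192.168.2.4", "dst": "8.8.8.8", "dport": 53, "proto": "udp", "query": "wealth2021.ddns.net"},
    {"src": "192.168.2.7", "dst": "10.0.0.53", "dport": 53, "proto": "udp", "query": "www.example.com"},
    {"src": "192.168.2.7", "dst": "93.184.216.34", "dport": 443, "proto": "tcp"},
]


def match(records, ind, corporate_resolvers=CORPORATE_RESOLVERS):
    """Return (alert, source host, detail) tuples for records matching the indicators."""
    alerts = []
    for r in records:
        # Direct C2 beacon: configured address on the configured port.
        if r["dst"] in ind["c2_ips"] and r["dport"] == ind["c2_port"]:
            alerts.append(("c2_connection", r["src"], f'{r["dst"]}:{r["dport"]}'))
        # The C2 hostname, or any dynamic-DNS name, being looked up.
        query = r.get("query", "").lower()
        if query and (query in ind["c2_hosts"] or query.endswith(DDNS_SUFFIXES)):
            alerts.append(("ddns_c2_query", r["src"], query))
        # DNS sent to the implant's hard-coded resolvers instead of the corporate
        # ones: this is what keeps the lookup above out of internal DNS logs.
        if r["dport"] == 53 and r["dst"] in ind["custom_dns"] and r["dst"] not in corporate_resolvers:
            alerts.append(("resolver_bypass", r["src"], r["dst"]))
    return alerts


if __name__ == "__main__":
    for alert in match(RECORDS, indicators(NANOCORE_CONFIG)):
        print(*alert)
```

The resolver_bypass check is deliberately independent of the C2 indicators: a host sending DNS to 8.8.8.8 past a corporate resolver is worth an alert on its own, and it still fires after the operator rotates the ddns.net name or the C2 address.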

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; the same seven memory sources and eleven unpacked PEs listed under AV Detection above.

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000007.00000002.915585705.0000000004249000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.910440446.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000007.00000002.910440446.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.672015342.00000000040A0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.672015342.00000000040A0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.917484017.00000000058E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000007.00000002.917702828.0000000005AB0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.671468034.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.671468034.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation_Request.pdf.exe PID: 6184, type: MEMORY; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: Quotation_Request.pdf.exe PID: 6184, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.Quotation_Request.pdf.exe.5ab4629.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 7.2.Quotation_Request.pdf.exe.58e0000.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 7.2.Quotation_Request.pdf.exe.424ff7c.5.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 7.2.Quotation_Request.pdf.exe.3254e94.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 7.2.Quotation_Request.pdf.exe.42545a5.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 7.2.Quotation_Request.pdf.exe.5ab0000.10.raw.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 0.2.Quotation_Request.pdf.exe.4054958.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 0.2.Quotation_Request.pdf.exe.4054958.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.Quotation_Request.pdf.exe.5ab0000.10.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.Quotation_Request.pdf.exe.424ff7c.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 0.2.Quotation_Request.pdf.exe.4054958.3.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 0.2.Quotation_Request.pdf.exe.4054958.3.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.Quotation_Request.pdf.exe.424b146.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 7.2.Quotation_Request.pdf.exe.424b146.4.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Quotation_Request.pdf.exe.3f6fb08.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects the Nanocore RAT, Author: Florian Roth
Source: 0.2.Quotation_Request.pdf.exe.3f6fb08.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: Quotation_Request.pdf.exe
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe; Code functions (PID 0, first stage): 0_2_00A55175, 0_2_0146C304, 0_2_0146E740, 0_2_0146E750, 0_2_04E325A8, 0_2_04E31588, 0_2_04E36FB8, 0_2_04E32328, 0_2_04E30B18, 0_2_04E30DC8, 0_2_04E30DBB, 0_2_04E32598, 0_2_04E31578, 0_2_04E31FE0, 0_2_04E31FF0, 0_2_04E30B09, 0_2_04E32318, 0_2_08BDD500, 0_2_08BD7488, 0_2_08BDB0D0, 0_2_08BD68C0, 0_2_08BDB0C0, 0_2_08BDD9E8, 0_2_08BDF1D8, 0_2_08BD7138, 0_2_08BD5D30, 0_2_08BDB528, 0_2_08BD5D20, 0_2_08BDB518, 0_2_08BD6978, 0_2_08BD8D70, 0_2_08BD5568, 0_2_08BD7148, 0_2_08BDAEB0, 0_2_08BDAEA3, 0_2_08BDAAF8, 0_2_08BD3ED8, 0_2_08BD3EC8, 0_2_08BD8E60, 0_2_08BD5250, 0_2_08BD7F98, 0_2_08BD7F88, 0_2_08BDAB08, 0_2_08BDB348, 0_2_08BDB341
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe; Code functions (PID 7, injected stage): 7_2_00E85175, 7_2_056EE471, 7_2_056EE480, 7_2_056EBBD4, 7_2_0583F5F8, 7_2_05839788, 7_2_0583A5D0, 7_2_0583A5F8
        Source: Quotation_Request.pdf.exe | Binary or memory string: OriginalFilename vs Quotation_Request.pdf.exe
        Source: Quotation_Request.pdf.exe, 00000000.00000002.680531854.0000000010720000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Quotation_Request.pdf.exe
        Source: Quotation_Request.pdf.exe, 00000000.00000002.670658902.0000000001178000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Quotation_Request.pdf.exe
        Source: Quotation_Request.pdf.exe, 00000000.00000002.678847721.00000000072A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Quotation_Request.pdf.exe
        Source: Quotation_Request.pdf.exe, 00000000.00000002.679162865.0000000007770000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Quotation_Request.pdf.exe
        Source: Quotation_Request.pdf.exe, 00000000.00000002.679162865.0000000007770000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Quotation_Request.pdf.exe
        Source: Quotation_Request.pdf.exe, 00000000.00000002.679394775.0000000008AD0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Quotation_Request.pdf.exe
        Source: Quotation_Request.pdf.exe, 00000000.00000002.671368871.0000000002E06000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMetroFramework.dll> vs Quotation_Request.pdf.exe
        Source: Quotation_Request.pdf.exe | Binary or memory string: OriginalFilename vs Quotation_Request.pdf.exe
        Source: Quotation_Request.pdf.exe, 00000007.00000002.915585705.0000000004249000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Quotation_Request.pdf.exe
        Source: Quotation_Request.pdf.exe, 00000007.00000002.915585705.0000000004249000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs Quotation_Request.pdf.exe
        Source: Quotation_Request.pdf.exe, 00000007.00000002.915585705.0000000004249000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Quotation_Request.pdf.exe
        Source: Quotation_Request.pdf.exe, 00000007.00000002.911620548.0000000001548000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Quotation_Request.pdf.exe
        Source: Quotation_Request.pdf.exe, 00000007.00000002.918173912.0000000006C10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Quotation_Request.pdf.exe
        Source: Quotation_Request.pdf.exe | Binary or memory string: OriginalFilename vs Quotation_Request.pdf.exe
        Source: Quotation_Request.pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 00000007.00000002.915585705.0000000004249000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.910440446.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000002.910440446.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.672015342.00000000040A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.672015342.00000000040A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.917484017.00000000058E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000002.917484017.00000000058E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000007.00000002.917702828.0000000005AB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000002.917702828.0000000005AB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000000.00000002.671468034.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.671468034.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Quotation_Request.pdf.exe PID: 6184, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Quotation_Request.pdf.exe PID: 6184, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.Quotation_Request.pdf.exe.5ab4629.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.Quotation_Request.pdf.exe.5ab4629.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.Quotation_Request.pdf.exe.58e0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.Quotation_Request.pdf.exe.58e0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.Quotation_Request.pdf.exe.424ff7c.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.Quotation_Request.pdf.exe.424ff7c.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.Quotation_Request.pdf.exe.3254e94.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.Quotation_Request.pdf.exe.42545a5.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.Quotation_Request.pdf.exe.42545a5.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.Quotation_Request.pdf.exe.5ab0000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.Quotation_Request.pdf.exe.5ab0000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.Quotation_Request.pdf.exe.4054958.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.Quotation_Request.pdf.exe.4054958.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.Quotation_Request.pdf.exe.4054958.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.Quotation_Request.pdf.exe.5ab0000.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.Quotation_Request.pdf.exe.5ab0000.10.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.Quotation_Request.pdf.exe.424ff7c.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.Quotation_Request.pdf.exe.424ff7c.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.Quotation_Request.pdf.exe.4054958.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.Quotation_Request.pdf.exe.4054958.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.Quotation_Request.pdf.exe.4054958.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.Quotation_Request.pdf.exe.424b146.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.Quotation_Request.pdf.exe.424b146.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.Quotation_Request.pdf.exe.424b146.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.Quotation_Request.pdf.exe.3f6fb08.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.Quotation_Request.pdf.exe.3f6fb08.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Quotation_Request.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: mgdPGGmBTUB.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/4@10/1
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | File created: C:\Users\user\AppData\Roaming\mgdPGGmBTUB.exe
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_01
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\ezkCzBbgDrtHZqSnkTc
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{ae697278-0563-480d-a326-4f0ab2164ba0}
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmp4108.tmp
        Source: Quotation_Request.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: Quotation_Request.pdf.exe | Virustotal: Detection: 30%
        Source: Quotation_Request.pdf.exe | Metadefender: Detection: 18%
        Source: Quotation_Request.pdf.exe | ReversingLabs: Detection: 58%
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | File read: C:\Users\user\Desktop\Quotation_Request.pdf.exe
        Source: unknown | Process created: C:\Users\user\Desktop\Quotation_Request.pdf.exe 'C:\Users\user\Desktop\Quotation_Request.pdf.exe'
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mgdPGGmBTUB' /XML 'C:\Users\user\AppData\Local\Temp\tmp4108.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | Process created: C:\Users\user\Desktop\Quotation_Request.pdf.exe {path}
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mgdPGGmBTUB' /XML 'C:\Users\user\AppData\Local\Temp\tmp4108.tmp'
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | Process created: C:\Users\user\Desktop\Quotation_Request.pdf.exe {path}
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: Quotation_Request.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: Quotation_Request.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
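        The process-creation records above carry three signals that translate directly into endpoint detection logic: the lure is a double-extension image (Quotation_Request.pdf.exe), it runs schtasks.exe /Create with a task definition read from the user's Temp folder (tmp4108.tmp), and it then launches a second copy of its own image, the usual prelude to injecting the unpacked payload into that child. The following script is an added example written for this page; it is not part of the sandbox report or of any sandbox vendor's code. It evaluates those three checks over hand-constructed process-creation events modelled on the process tree shown here. The field names (image, parent_image, cmdline), the extension lists, the Temp-path patterns and the benign control record are assumptions made for the illustration.

```python
import re

# Constructed process-creation events modelled on the process tree in this
# report. Field names follow a Sysmon Event ID 1 style and are an assumption;
# the records are hand-written, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\user\Desktop\Quotation_Request.pdf.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"'C:\Users\user\Desktop\Quotation_Request.pdf.exe'"},
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": r"C:\Users\user\Desktop\Quotation_Request.pdf.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mgdPGGmBTUB' "
                r"/XML 'C:\Users\user\AppData\Local\Temp\tmp4108.tmp'"},
    {"image": r"C:\Users\user\Desktop\Quotation_Request.pdf.exe",
     "parent_image": r"C:\Users\user\Desktop\Quotation_Request.pdf.exe",
     "cmdline": r"C:\Users\user\Desktop\Quotation_Request.pdf.exe"},
    # Benign control record (constructed): an administrator listing a task.
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"schtasks.exe /Query /TN Updates\mgdPGGmBTUB"},
]

# Extensions a lure name tends to borrow, and extensions Windows will execute.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}

TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\|%temp%", re.I)
XML_ARG_RE = re.compile(r"/xml\s+['\"]?([^'\"\s]+)", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def has_double_extension(path: str) -> bool:
    """Quotation_Request.pdf.exe -> True: a document extension sits directly
    before the extension Windows actually honours."""
    parts = basename(path).lower().split(".")
    return len(parts) >= 3 and parts[-2] in DOC_EXTS and parts[-1] in EXEC_EXTS


def is_schtasks_create_from_temp_xml(event: dict) -> bool:
    """schtasks.exe /Create ... /XML <file under a Temp directory>.
    Installers rarely register tasks this way; droppers that write the task
    definition to %TEMP% and delete it afterwards do it constantly."""
    if basename(event["image"]).lower() != "schtasks.exe":
        return False
    cmd = event["cmdline"]
    if not re.search(r"/create\b", cmd, re.I):
        return False
    match = XML_ARG_RE.search(cmd)
    return bool(match and TEMP_DIR_RE.search(match.group(1)))


def spawns_own_image(event: dict) -> bool:
    """Parent and child share one image path. Alone this is weak (browsers
    and updaters do it); together with the other two hits it is the classic
    shape of a .NET loader hollowing a fresh copy of itself."""
    return event["image"].lower() == event["parent_image"].lower()


RULES = [
    ("suspicious_double_extension", lambda e: has_double_extension(e["image"])),
    ("schtasks_create_xml_from_temp", is_schtasks_create_from_temp_xml),
    ("process_spawns_own_image", spawns_own_image),
]


def triage(events):
    """Return (rule_name, event_index) for every rule that fires on every event."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for name, idx in triage(SAMPLE_EVENTS):
        print(f"{name:32s} -> {SAMPLE_EVENTS[idx]['cmdline']}")
```

        Run against the constructed events, the benign /Query record stays silent and the three malicious records produce four hits. In a real pipeline the confidence step that follows is a join the report already makes possible: the task name 'Updates\mgdPGGmBTUB' matches the file the sample dropped into C:\Users\user\AppData\Roaming\mgdPGGmBTUB.exe, and tmp4108.tmp was created by the same process moments before it was handed to schtasks.exe.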

        Data Obfuscation:

        .NET source code contains method to dynamically call methods (often used by packers)
        Source: Quotation_Request.pdf.exe, FrmMain.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
        Source: mgdPGGmBTUB.exe.0.dr, FrmMain.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
        Source: 0.0.Quotation_Request.pdf.exe.a50000.0.unpack, FrmMain.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
        Source: 0.2.Quotation_Request.pdf.exe.a50000.0.unpack, FrmMain.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
        Source: 7.2.Quotation_Request.pdf.exe.e80000.1.unpack, FrmMain.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
        Source: 7.0.Quotation_Request.pdf.exe.e80000.0.unpack, FrmMain.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
        .NET source code contains potential unpacker
        Source: Quotation_Request.pdf.exe, FrmMain.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: mgdPGGmBTUB.exe.0.dr, FrmMain.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.0.Quotation_Request.pdf.exe.a50000.0.unpack, FrmMain.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.2.Quotation_Request.pdf.exe.a50000.0.unpack, FrmMain.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.2.Quotation_Request.pdf.exe.e80000.1.unpack, FrmMain.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.0.Quotation_Request.pdf.exe.e80000.0.unpack, FrmMain.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | Code function: 0_2_04E3293A push ebp; ret 0_2_04E3293B
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | Code function: 0_2_04E302AE push ss; ret 0_2_04E302AF
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | Code function: 0_2_08BD61E6 push esi; iretd 0_2_08BD61E7
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | Code function: 0_2_08BD6226 push ss; iretd 0_2_08BD6227
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | Code function: 7_2_058369FB push esp; retf 7_2_05836A01
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | Code function: 7_2_058369F8 pushad ; retf 7_2_058369F9
        Source: initial sample | Static PE information: section name: .text entropy: 7.72629270512
        Source: initial sample | Static PE information: section name: .text entropy: 7.72629270512
        Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe | File created: C:\Users\user\AppData\Roaming\mgdPGGmBTUB.exe
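        Two of the data-obfuscation checks above are entropy measurements: the .text section of the initial sample scores 7.72629270512 bits per byte, close to the 8.0 ceiling and far above what plain compiled code reaches, and the unpacked module's method names, concatenated, score far above hand-written identifiers. The script below is an added example written for this page, not the report's or any sandbox vendor's code. It implements both measurements with the standard library and adds a cheaper check the entropy figure leaves implicit: names such as '#=q...' contain characters the C# compiler never emits, so they prove post-build renaming outright. The two thresholds and the constructed byte buffers are assumptions for the illustration; the four obfuscated method names are copied from this section of the report.

```python
import math
import random
from collections import Counter


def shannon_entropy(symbols) -> float:
    """Shannon entropy in bits per symbol. Iterating bytes yields ints and
    iterating str yields characters, so one function serves both a PE
    section and a string of concatenated identifiers. Empty input -> 0.0."""
    counts = Counter(symbols)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


# Thresholds are assumptions for this example. Byte data tops out at 8.0;
# ordinary compiled x86/MSIL sits roughly between 6.0 and 6.8, so a .text
# section near 7.7 is carrying compressed or encrypted payload.
PACKED_SECTION_THRESHOLD = 7.2
# Concatenated identifiers of a hand-written .NET type stay well under this;
# renamed-to-noise identifiers drawn from a base64-like alphabet exceed it.
OBFUSCATED_NAMES_THRESHOLD = 5.0


def classify_entropy(bits_per_byte: float) -> str:
    return ("likely packed/encrypted" if bits_per_byte >= PACKED_SECTION_THRESHOLD
            else "plausible plain code/data")


def classify_section(data: bytes) -> str:
    return classify_entropy(shannon_entropy(data))


def is_valid_csharp_identifier(name: str) -> bool:
    """CIL metadata accepts almost any string as a member name; the C#
    compiler emits only letters, digits and '_', plus compiler-generated
    names of the form '<Outer>b__0'. '#', '=' or '$' cannot come from it."""
    if name.startswith("<") and ">" in name:
        return True
    if not name or not (name[0].isalpha() or name[0] == "_"):
        return False
    return all(ch.isalnum() or ch == "_" for ch in name)


def assess_method_names(names) -> dict:
    """The report's check (entropy of all method names concatenated) plus a
    count of names no C# compiler could have produced."""
    entropy = shannon_entropy("".join(names))
    invalid = sum(1 for n in names if not is_valid_csharp_identifier(n))
    return {
        "entropy": entropy,
        "invalid_identifiers": invalid,
        "obfuscated": entropy >= OBFUSCATED_NAMES_THRESHOLD or invalid > 0,
    }


# Constructed inputs (not bytes from the sample): repeated NOP/RET opcodes
# stand in for a low-entropy code section and a seeded PRNG buffer for a
# packed blob, so the script runs offline and deterministically.
LOW_ENTROPY_BLOB = b"\x90" * 3000 + b"\xC3" * 1000
_rng = random.Random(1)
HIGH_ENTROPY_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))

# Four of the method names listed in this report for the unpacked module,
# beside ordinary names for comparison.
OBFUSCATED_NAMES = [
    "#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=",
    "#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=",
    "#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=",
    "#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=",
]
PLAIN_NAMES = ["FrmMain", "InitializeComponent", "Dispose", "Invoke", "Load", "Main"]

if __name__ == "__main__":
    print("reported .text entropy 7.72629270512 ->", classify_entropy(7.72629270512))
    print("constructed packed blob ->", classify_section(HIGH_ENTROPY_BLOB))
    print("constructed plain blob  ->", classify_section(LOW_ENTROPY_BLOB))
    print("obfuscated names ->", assess_method_names(OBFUSCATED_NAMES))
    print("plain names      ->", assess_method_names(PLAIN_NAMES))
```

        Entropy alone cannot tell a packed loader from a legitimately compressed resource section, which is why the report pairs it with the Assembly.Load(byte[]) and LateBinding.LateCall("Invoke") findings above: high entropy in .text, an in-memory assembly load and a reflective call into the loaded code are, taken together, the complete shape of a .NET unpacker stub.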

        Boot Survival: