Play interactive tour

Edit tour

Analysis Report Quotation_Request.pdf.exe

Overview

General Information

Sample Name:	Quotation_Request.pdf.exe
Analysis ID:	381954
MD5:	79cd8383f51372c9f0721289f6470889
SHA1:	41b082acc2c9725da7c20ff93dc26df2ab06d1aa
SHA256:	08ecce1fb89755fa576a2c1c855bbb0f701ef20c791f56dc0c675fb2a8163691
Tags:	exeNanoCore
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Suspicious Double Extension

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Quotation_Request.pdf.exe (PID: 6812 cmdline: 'C:\Users\user\Desktop\Quotation_Request.pdf.exe' MD5: 79CD8383F51372C9F0721289F6470889)

schtasks.exe (PID: 7156 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mgdPGGmBTUB' /XML 'C:\Users\user\AppData\Local\Temp\tmp4108.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 7164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Quotation_Request.pdf.exe (PID: 6184 cmdline: {path} MD5: 79CD8383F51372C9F0721289F6470889)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-000c0a4c", "Domain1": "185.140.53.138", "Domain2": "wealth2021.ddns.net", "Port": 20221, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.915585705.0000000004249000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.915585705.0000000004249000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2f25:$a: NanoCore 0x2f7e:$a: NanoCore 0x2fbb:$a: NanoCore 0x3034:$a: NanoCore 0x166df:$a: NanoCore 0x166f4:$a: NanoCore 0x16729:$a: NanoCore 0x2f1ab:$a: NanoCore 0x2f1c0:$a: NanoCore 0x2f1f5:$a: NanoCore 0x2f87:$b: ClientPlugin 0x2fc4:$b: ClientPlugin 0x38c2:$b: ClientPlugin 0x38cf:$b: ClientPlugin 0x1649b:$b: ClientPlugin 0x164b6:$b: ClientPlugin 0x164e6:$b: ClientPlugin 0x166fd:$b: ClientPlugin 0x16732:$b: ClientPlugin 0x2ef67:$b: ClientPlugin 0x2ef82:$b: ClientPlugin
00000007.00000002.910440446.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.910440446.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.910440446.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000007.00000002.912659858.0000000003201000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.672015342.00000000040A0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb1925:$x1: NanoCore.ClientPluginHost 0xb1962:$x2: IClientNetworkHost 0xb5495:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.672015342.00000000040A0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.672015342.00000000040A0000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb168d:$a: NanoCore 0xb169d:$a: NanoCore 0xb18d1:$a: NanoCore 0xb18e5:$a: NanoCore 0xb1925:$a: NanoCore 0xb16ec:$b: ClientPlugin 0xb18ee:$b: ClientPlugin 0xb192e:$b: ClientPlugin 0xb1813:$c: ProjectData 0xb221a:$d: DESCrypto 0xb9be6:$e: KeepAlive 0xb7bd4:$g: LogClientMessage 0xb3dcf:$i: get_Connected 0xb2550:$j: #=q 0xb2580:$j: #=q 0xb259c:$j: #=q 0xb25cc:$j: #=q 0xb25e8:$j: #=q 0xb2604:$j: #=q 0xb2634:$j: #=q 0xb2650:$j: #=q
00000007.00000002.917484017.00000000058E0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000007.00000002.917484017.00000000058E0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000007.00000002.917702828.0000000005AB0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000007.00000002.917702828.0000000005AB0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000007.00000002.917702828.0000000005AB0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.671468034.0000000003DD9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x28bae5:$x1: NanoCore.ClientPluginHost 0x28bb22:$x2: IClientNetworkHost 0x28f655:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.671468034.0000000003DD9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.671468034.0000000003DD9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x28b84d:$a: NanoCore 0x28b85d:$a: NanoCore 0x28ba91:$a: NanoCore 0x28baa5:$a: NanoCore 0x28bae5:$a: NanoCore 0x28b8ac:$b: ClientPlugin 0x28baae:$b: ClientPlugin 0x28baee:$b: ClientPlugin 0x247120:$c: ProjectData 0x28b9d3:$c: ProjectData 0x28c3da:$d: DESCrypto 0x293da6:$e: KeepAlive 0x291d94:$g: LogClientMessage 0x28df8f:$i: get_Connected 0x28c710:$j: #=q 0x28c740:$j: #=q 0x28c75c:$j: #=q 0x28c78c:$j: #=q 0x28c7a8:$j: #=q 0x28c7c4:$j: #=q 0x28c7f4:$j: #=q
Process Memory Space: Quotation_Request.pdf.exe PID: 6184	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x86a1:$x1: NanoCore.ClientPluginHost 0xe260:$x1: NanoCore.ClientPluginHost 0x1f0d9:$x1: NanoCore.ClientPluginHost 0x94a2e:$x1: NanoCore.ClientPluginHost 0xbcd67:$x1: NanoCore.ClientPluginHost 0x86c7:$x2: IClientNetworkHost 0xe2a5:$x2: IClientNetworkHost 0x1f11e:$x2: IClientNetworkHost 0x94a54:$x2: IClientNetworkHost 0xbcdc8:$x2: IClientNetworkHost 0xc21cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xd013f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Quotation_Request.pdf.exe PID: 6184	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Quotation_Request.pdf.exe PID: 6184	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8593:$a: NanoCore 0x8634:$a: NanoCore 0x86a1:$a: NanoCore 0x8762:$a: NanoCore 0x9633:$a: NanoCore 0x9686:$a: NanoCore 0x96bf:$a: NanoCore 0x9732:$a: NanoCore 0xe1da:$a: NanoCore 0xe207:$a: NanoCore 0xe260:$a: NanoCore 0x15a6f:$a: NanoCore 0x15a82:$a: NanoCore 0x15ab4:$a: NanoCore 0x1f053:$a: NanoCore 0x1f080:$a: NanoCore 0x1f0d9:$a: NanoCore 0x268e8:$a: NanoCore 0x268fb:$a: NanoCore 0x2692d:$a: NanoCore 0x6ea29:$a: NanoCore
Process Memory Space: Quotation_Request.pdf.exe PID: 6812	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.Quotation_Request.pdf.exe.5ab4629.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
7.2.Quotation_Request.pdf.exe.5ab4629.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
7.2.Quotation_Request.pdf.exe.5ab4629.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.Quotation_Request.pdf.exe.58e0000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.Quotation_Request.pdf.exe.58e0000.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
7.2.Quotation_Request.pdf.exe.424ff7c.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.Quotation_Request.pdf.exe.424ff7c.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.Quotation_Request.pdf.exe.424ff7c.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.Quotation_Request.pdf.exe.3254e94.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
7.2.Quotation_Request.pdf.exe.42545a5.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c50:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c7d:$x2: IClientNetworkHost
7.2.Quotation_Request.pdf.exe.42545a5.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c50:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d2b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c6a:$s5: IClientLoggingHost
7.2.Quotation_Request.pdf.exe.42545a5.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.Quotation_Request.pdf.exe.5ab0000.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
7.2.Quotation_Request.pdf.exe.5ab0000.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
7.2.Quotation_Request.pdf.exe.5ab0000.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Quotation_Request.pdf.exe.4054958.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Quotation_Request.pdf.exe.4054958.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.Quotation_Request.pdf.exe.4054958.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Quotation_Request.pdf.exe.4054958.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.Quotation_Request.pdf.exe.5ab0000.10.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
7.2.Quotation_Request.pdf.exe.5ab0000.10.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
7.2.Quotation_Request.pdf.exe.5ab0000.10.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.Quotation_Request.pdf.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.Quotation_Request.pdf.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.Quotation_Request.pdf.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.Quotation_Request.pdf.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
7.2.Quotation_Request.pdf.exe.424ff7c.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28279:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282a6:$x2: IClientNetworkHost
7.2.Quotation_Request.pdf.exe.424ff7c.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28279:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29354:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28293:$s5: IClientLoggingHost
7.2.Quotation_Request.pdf.exe.424ff7c.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Quotation_Request.pdf.exe.4054958.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Quotation_Request.pdf.exe.4054958.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.Quotation_Request.pdf.exe.4054958.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Quotation_Request.pdf.exe.4054958.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
7.2.Quotation_Request.pdf.exe.424b146.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0af:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0dc:$x2: IClientNetworkHost
7.2.Quotation_Request.pdf.exe.424b146.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0af:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e18a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0c9:$s5: IClientLoggingHost
7.2.Quotation_Request.pdf.exe.424b146.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.Quotation_Request.pdf.exe.424b146.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d065:$a: NanoCore 0x2d07a:$a: NanoCore 0x2d0af:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce21:$b: ClientPlugin 0x2ce3c:$b: ClientPlugin
0.2.Quotation_Request.pdf.exe.3f6fb08.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf4fdd:$x1: NanoCore.ClientPluginHost 0xf501a:$x2: IClientNetworkHost 0xf8b4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Quotation_Request.pdf.exe.3f6fb08.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Quotation_Request.pdf.exe.3f6fb08.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf4d45:$a: NanoCore 0xf4d55:$a: NanoCore 0xf4f89:$a: NanoCore 0xf4f9d:$a: NanoCore 0xf4fdd:$a: NanoCore 0xf4da4:$b: ClientPlugin 0xf4fa6:$b: ClientPlugin 0xf4fe6:$b: ClientPlugin 0xb0618:$c: ProjectData 0xf4ecb:$c: ProjectData 0xf58d2:$d: DESCrypto 0xfd29e:$e: KeepAlive 0xfb28c:$g: LogClientMessage 0xf7487:$i: get_Connected 0xf5c08:$j: #=q 0xf5c38:$j: #=q 0xf5c54:$j: #=q 0xf5c84:$j: #=q 0xf5ca0:$j: #=q 0xf5cbc:$j: #=q 0xf5cec:$j: #=q
Click to see the 35 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Quotation_Request.pdf.exe, ProcessId: 6184, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mgdPGGmBTUB' /XML 'C:\Users\user\AppData\Local\Temp\tmp4108.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mgdPGGmBTUB' /XML 'C:\Users\user\AppData\Local\Temp\tmp4108.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Quotation_Request.pdf.exe' , ParentImage: C:\Users\user\Desktop\Quotation_Request.pdf.exe, ParentProcessId: 6812, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mgdPGGmBTUB' /XML 'C:\Users\user\AppData\Local\Temp\tmp4108.tmp', ProcessId: 7156

Sigma detected: Suspicious Double Extension

Show sources

Source: Process started

Author: Florian Roth (rule), @blu3_team (idea): Data: Command: {path}, CommandLine: {path}, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Quotation_Request.pdf.exe, NewProcessName: C:\Users\user\Desktop\Quotation_Request.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Quotation_Request.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\Quotation_Request.pdf.exe' , ParentImage: C:\Users\user\Desktop\Quotation_Request.pdf.exe, ParentProcessId: 6812, ProcessCommandLine: {path}, ProcessId: 6184

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000007.00000002.915585705.0000000004249000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-000c0a4c", "Domain1": "185.140.53.138", "Domain2": "wealth2021.ddns.net", "Port": 20221, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\mgdPGGmBTUB.exe	Metadefender: Detection: 18%			Perma Link
Source: C:\Users\user\AppData\Roaming\mgdPGGmBTUB.exe	ReversingLabs: Detection: 58%

Multi AV Scanner detection for submitted file

Show sources

Source: Quotation_Request.pdf.exe	Virustotal: Detection: 30%	Perma Link
Source: Quotation_Request.pdf.exe	Metadefender: Detection: 18%	Perma Link
Source: Quotation_Request.pdf.exe	ReversingLabs: Detection: 58%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.915585705.0000000004249000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.910440446.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.912659858.0000000003201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.672015342.00000000040A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.917702828.0000000005AB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.671468034.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation_Request.pdf.exe PID: 6184, type: MEMORY
Source: Yara match	File source: 7.2.Quotation_Request.pdf.exe.5ab4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Quotation_Request.pdf.exe.424ff7c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Quotation_Request.pdf.exe.42545a5.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Quotation_Request.pdf.exe.5ab0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_Request.pdf.exe.4054958.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Quotation_Request.pdf.exe.5ab0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Quotation_Request.pdf.exe.424ff7c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_Request.pdf.exe.4054958.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Quotation_Request.pdf.exe.424b146.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_Request.pdf.exe.3f6fb08.2.raw.unpack, type: UNPACKEDPE

Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.Quotation_Request.pdf.exe.5ab0000.10.unpack	Avira: Label: TR/NanoCore.fadte

Source: Quotation_Request.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Quotation_Request.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: wealth2021.ddns.net
Source: Malware configuration extractor	URLs: 185.140.53.138

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: wealth2021.ddns.net

Source: global traffic

TCP traffic: 192.168.2.4:49726 -> 185.140.53.138:20221

Source: Joe Sandbox View

IP Address: 185.140.53.138 185.140.53.138

Source: Joe Sandbox View

ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

Source: unknown

DNS traffic detected: queries for: wealth2021.ddns.net

Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Quotation_Request.pdf.exe, 00000000.00000002.679777119.0000000009011000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Quotation_Request.pdf.exe, 00000000.00000002.671021338.0000000001487000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comB.TTFZ
Source: Quotation_Request.pdf.exe, 00000000.00000002.671021338.0000000001487000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.coma~
Source: Quotation_Request.pdf.exe, 00000000.00000002.671021338.0000000001487000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.comue9
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Quotation_Request.pdf.exe, 00000000.00000002.678291126.0000000006EC2000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: Quotation_Request.pdf.exe, 00000000.00000002.670658902.0000000001178000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: Quotation_Request.pdf.exe, 00000007.00000002.915585705.0000000004249000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000007.00000002.915585705.0000000004249000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.910440446.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.912659858.0000000003201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.672015342.00000000040A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.917702828.0000000005AB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.671468034.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Quotation_Request.pdf.exe PID: 6184, type: MEMORY
Source: Yara match	File source: 7.2.Quotation_Request.pdf.exe.5ab4629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Quotation_Request.pdf.exe.424ff7c.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Quotation_Request.pdf.exe.42545a5.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Quotation_Request.pdf.exe.5ab0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_Request.pdf.exe.4054958.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Quotation_Request.pdf.exe.5ab0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Quotation_Request.pdf.exe.424ff7c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_Request.pdf.exe.4054958.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Quotation_Request.pdf.exe.424b146.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Quotation_Request.pdf.exe.3f6fb08.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000007.00000002.915585705.0000000004249000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.910440446.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.910440446.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.672015342.00000000040A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.672015342.00000000040A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.917484017.00000000058E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.917702828.0000000005AB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.671468034.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.671468034.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation_Request.pdf.exe PID: 6184, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Quotation_Request.pdf.exe PID: 6184, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.Quotation_Request.pdf.exe.5ab4629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.Quotation_Request.pdf.exe.58e0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.Quotation_Request.pdf.exe.424ff7c.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.Quotation_Request.pdf.exe.3254e94.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.Quotation_Request.pdf.exe.42545a5.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.Quotation_Request.pdf.exe.5ab0000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Quotation_Request.pdf.exe.4054958.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Quotation_Request.pdf.exe.4054958.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.Quotation_Request.pdf.exe.5ab0000.10.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.Quotation_Request.pdf.exe.424ff7c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Quotation_Request.pdf.exe.4054958.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Quotation_Request.pdf.exe.4054958.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.Quotation_Request.pdf.exe.424b146.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.Quotation_Request.pdf.exe.424b146.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Quotation_Request.pdf.exe.3f6fb08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Quotation_Request.pdf.exe.3f6fb08.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample	Static PE information: Filename: Quotation_Request.pdf.exe
Source: initial sample	Static PE information: Filename: Quotation_Request.pdf.exe

Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_00A55175	0_2_00A55175
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_0146C304	0_2_0146C304
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_0146E740	0_2_0146E740
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_0146E750	0_2_0146E750
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_04E325A8	0_2_04E325A8
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_04E31588	0_2_04E31588
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_04E36FB8	0_2_04E36FB8
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_04E32328	0_2_04E32328
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_04E30B18	0_2_04E30B18
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_04E30DC8	0_2_04E30DC8
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_04E30DBB	0_2_04E30DBB
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_04E32598	0_2_04E32598
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_04E31578	0_2_04E31578
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_04E31FE0	0_2_04E31FE0
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_04E31FF0	0_2_04E31FF0
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_04E30B09	0_2_04E30B09
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_04E32318	0_2_04E32318
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BDD500	0_2_08BDD500
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BD7488	0_2_08BD7488
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BDB0D0	0_2_08BDB0D0
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BD68C0	0_2_08BD68C0
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BDB0C0	0_2_08BDB0C0
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BDD9E8	0_2_08BDD9E8
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BDF1D8	0_2_08BDF1D8
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BD7138	0_2_08BD7138
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BD5D30	0_2_08BD5D30
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BDB528	0_2_08BDB528
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BD5D20	0_2_08BD5D20
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BDB518	0_2_08BDB518
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BD6978	0_2_08BD6978
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BD8D70	0_2_08BD8D70
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BD5568	0_2_08BD5568
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BD7148	0_2_08BD7148
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BDAEB0	0_2_08BDAEB0
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BDAEA3	0_2_08BDAEA3
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BDAAF8	0_2_08BDAAF8
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BD3ED8	0_2_08BD3ED8
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BD3EC8	0_2_08BD3EC8
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BD8E60	0_2_08BD8E60
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BD5250	0_2_08BD5250
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BD7F98	0_2_08BD7F98
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BD7F88	0_2_08BD7F88
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BDAB08	0_2_08BDAB08
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BDB348	0_2_08BDB348
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BDB341	0_2_08BDB341
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 7_2_00E85175	7_2_00E85175
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 7_2_056EE471	7_2_056EE471
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 7_2_056EE480	7_2_056EE480
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 7_2_056EBBD4	7_2_056EBBD4
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 7_2_0583F5F8	7_2_0583F5F8
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 7_2_05839788	7_2_05839788
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 7_2_0583A5D0	7_2_0583A5D0
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 7_2_0583A5F8	7_2_0583A5F8

Source: Quotation_Request.pdf.exe	Binary or memory string: OriginalFilename vs Quotation_Request.pdf.exe
Source: Quotation_Request.pdf.exe, 00000000.00000002.680531854.0000000010720000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Quotation_Request.pdf.exe
Source: Quotation_Request.pdf.exe, 00000000.00000002.670658902.0000000001178000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quotation_Request.pdf.exe
Source: Quotation_Request.pdf.exe, 00000000.00000002.678847721.00000000072A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMajorRevision.exe< vs Quotation_Request.pdf.exe
Source: Quotation_Request.pdf.exe, 00000000.00000002.679162865.0000000007770000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Quotation_Request.pdf.exe
Source: Quotation_Request.pdf.exe, 00000000.00000002.679162865.0000000007770000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Quotation_Request.pdf.exe
Source: Quotation_Request.pdf.exe, 00000000.00000002.679394775.0000000008AD0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Quotation_Request.pdf.exe
Source: Quotation_Request.pdf.exe, 00000000.00000002.671368871.0000000002E06000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMetroFramework.dll> vs Quotation_Request.pdf.exe
Source: Quotation_Request.pdf.exe	Binary or memory string: OriginalFilename vs Quotation_Request.pdf.exe
Source: Quotation_Request.pdf.exe, 00000007.00000002.915585705.0000000004249000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Quotation_Request.pdf.exe
Source: Quotation_Request.pdf.exe, 00000007.00000002.915585705.0000000004249000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Quotation_Request.pdf.exe
Source: Quotation_Request.pdf.exe, 00000007.00000002.915585705.0000000004249000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Quotation_Request.pdf.exe
Source: Quotation_Request.pdf.exe, 00000007.00000002.911620548.0000000001548000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Quotation_Request.pdf.exe
Source: Quotation_Request.pdf.exe, 00000007.00000002.918173912.0000000006C10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Quotation_Request.pdf.exe
Source: Quotation_Request.pdf.exe	Binary or memory string: OriginalFilename vs Quotation_Request.pdf.exe

Source: Quotation_Request.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000007.00000002.915585705.0000000004249000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.910440446.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.910440446.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.672015342.00000000040A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.672015342.00000000040A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.917484017.00000000058E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.917484017.00000000058E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.917702828.0000000005AB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.917702828.0000000005AB0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.671468034.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.671468034.0000000003DD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Quotation_Request.pdf.exe PID: 6184, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Quotation_Request.pdf.exe PID: 6184, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.Quotation_Request.pdf.exe.5ab4629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.Quotation_Request.pdf.exe.5ab4629.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.Quotation_Request.pdf.exe.58e0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.Quotation_Request.pdf.exe.58e0000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.Quotation_Request.pdf.exe.424ff7c.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.Quotation_Request.pdf.exe.424ff7c.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.Quotation_Request.pdf.exe.3254e94.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.Quotation_Request.pdf.exe.42545a5.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.Quotation_Request.pdf.exe.42545a5.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.Quotation_Request.pdf.exe.5ab0000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.Quotation_Request.pdf.exe.5ab0000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Quotation_Request.pdf.exe.4054958.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Quotation_Request.pdf.exe.4054958.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Quotation_Request.pdf.exe.4054958.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.Quotation_Request.pdf.exe.5ab0000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.Quotation_Request.pdf.exe.5ab0000.10.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.Quotation_Request.pdf.exe.424ff7c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.Quotation_Request.pdf.exe.424ff7c.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Quotation_Request.pdf.exe.4054958.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Quotation_Request.pdf.exe.4054958.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Quotation_Request.pdf.exe.4054958.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.Quotation_Request.pdf.exe.424b146.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.Quotation_Request.pdf.exe.424b146.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.Quotation_Request.pdf.exe.424b146.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Quotation_Request.pdf.exe.3f6fb08.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Quotation_Request.pdf.exe.3f6fb08.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: Quotation_Request.pdf.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: mgdPGGmBTUB.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/4@10/1

Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe

File created: C:\Users\user\AppData\Roaming\mgdPGGmBTUB.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_01
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\ezkCzBbgDrtHZqSnkTc
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{ae697278-0563-480d-a326-4f0ab2164ba0}

Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmp4108.tmp

Jump to behavior

Source: Quotation_Request.pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Quotation_Request.pdf.exe	Virustotal: Detection: 30%
Source: Quotation_Request.pdf.exe	Metadefender: Detection: 18%
Source: Quotation_Request.pdf.exe	ReversingLabs: Detection: 58%

Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe

File read: C:\Users\user\Desktop\Quotation_Request.pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Quotation_Request.pdf.exe 'C:\Users\user\Desktop\Quotation_Request.pdf.exe'
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mgdPGGmBTUB' /XML 'C:\Users\user\AppData\Local\Temp\tmp4108.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Process created: C:\Users\user\Desktop\Quotation_Request.pdf.exe {path}
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mgdPGGmBTUB' /XML 'C:\Users\user\AppData\Local\Temp\tmp4108.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Process created: C:\Users\user\Desktop\Quotation_Request.pdf.exe {path}	Jump to behavior

Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Quotation_Request.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Quotation_Request.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: Quotation_Request.pdf.exe, FrmMain.cs	.Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: mgdPGGmBTUB.exe.0.dr, FrmMain.cs	.Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 0.0.Quotation_Request.pdf.exe.a50000.0.unpack, FrmMain.cs	.Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 0.2.Quotation_Request.pdf.exe.a50000.0.unpack, FrmMain.cs	.Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 7.2.Quotation_Request.pdf.exe.e80000.1.unpack, FrmMain.cs	.Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 7.0.Quotation_Request.pdf.exe.e80000.0.unpack, FrmMain.cs	.Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)

.NET source code contains potential unpacker

Show sources

Source: Quotation_Request.pdf.exe, FrmMain.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: mgdPGGmBTUB.exe.0.dr, FrmMain.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Quotation_Request.pdf.exe.a50000.0.unpack, FrmMain.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Quotation_Request.pdf.exe.a50000.0.unpack, FrmMain.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.Quotation_Request.pdf.exe.e80000.1.unpack, FrmMain.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.Quotation_Request.pdf.exe.e80000.0.unpack, FrmMain.cs	.Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_04E3293A push ebp; ret	0_2_04E3293B
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_04E302AE push ss; ret	0_2_04E302AF
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BD61E6 push esi; iretd	0_2_08BD61E7
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 0_2_08BD6226 push ss; iretd	0_2_08BD6227
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 7_2_058369FB push esp; retf	7_2_05836A01
Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe	Code function: 7_2_058369F8 pushad ; retf	7_2_058369F9

Source: initial sample	Static PE information: section name: .text entropy: 7.72629270512
Source: initial sample	Static PE information: section name: .text entropy: 7.72629270512

Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.2.Quotation_Request.pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Source: C:\Users\user\Desktop\Quotation_Request.pdf.exe

File created: C:\Users\user\AppData\Roaming\mgdPGGmBTUB.exe

Jump to dropped file

Boot Survival:

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Quotation_Request.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival: