Analysis Report PO_6620200947535257662_Arabico.PDF.exe

Overview

General Information

Sample Name: PO_6620200947535257662_Arabico.PDF.exe
Analysis ID: 382596
MD5: b737570f9e9a1bdd794f78e3906e61b9
SHA1: 0dd10acab603b2f1269d05534902b09d38e31ac5
SHA256: 0a3a85fd6964b0cf1b61e41cc7c117ada4c8607a0107ad4921dafa69933ef0ac
Tags: exe
Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "883c2226-d991-4f34-8646-4dd2732a", "Group": "", "Domain1": "185.157.161.86", "Domain2": "nanopc.linkpc.net", "Port": 50005, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ghfvjjtjhhjghdgghrba.exe Metadefender: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\ghfvjjtjhhjghdgghrba.exe ReversingLabs: Detection: 25%
Source: C:\Users\user\gvvccsccefghhsnd.exe ReversingLabs: Detection: 20%
Multi AV Scanner detection for submitted file
Source: PO_6620200947535257662_Arabico.PDF.exe ReversingLabs: Detection: 20%
Yara detected Nanocore RAT
Source: Yara match File source: 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.611698378.0000000003738000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.466854129.00000000037EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.611940927.0000000003856000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO_6620200947535257662_Arabico.PDF.exe PID: 6408, type: MEMORY
Source: Yara match File source: Process Memory Space: gvvccsccefghhsnd.exe PID: 6824, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5596, type: MEMORY
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.3739510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.397a5ca.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.41bb14e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.41bff84.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.5970000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.38cf242.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.41c45ad.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.5970000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.41bff84.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.389c662.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.39e6b72.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.5974629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3862c9a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.389c662.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\gvvccsccefghhsnd.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO_6620200947535257662_Arabico.PDF.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 28.2.InstallUtil.exe.5970000.9.unpack Avira: Label: TR/NanoCore.fadte
Source: 28.2.InstallUtil.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: PO_6620200947535257662_Arabico.PDF.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PO_6620200947535257662_Arabico.PDF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 0000001C.00000002.601725662.0000000000C82000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_04B9B700
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 4x nop then jmp 04B96611h 0_2_04B95D98
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_04B9BDF0
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_04B9BDF0
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_04B9AFF4
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_04B9E0A4
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_04B9B1EC
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 4x nop then jmp 04B96611h 0_2_04B95D8A
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_04B9BDE4
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_04B9BDE4
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 4x nop then xor edx, edx 0_2_04B9BD28
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 4x nop then xor edx, edx 0_2_04B9BD1E
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_04B9BAD0
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_04B9BAD0
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_04B9BAC4
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_04B9BAC4
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_04B9DA74
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_063F4460
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 4x nop then lea esp, dword ptr [ebp-08h] 0_2_063F8090
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 19_2_04D5B700
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then push dword ptr [ebp-24h] 19_2_04D5BDF0
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 19_2_04D5BDF0
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then jmp 04D56611h 19_2_04D55D98
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 19_2_04D5AFF4
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 19_2_04D5E0A4
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 19_2_04D5B1EC
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then push dword ptr [ebp-24h] 19_2_04D5BDE4
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 19_2_04D5BDE4
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then jmp 04D56611h 19_2_04D55D8A
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then xor edx, edx 19_2_04D5BD1E
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then xor edx, edx 19_2_04D5BD28
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then push dword ptr [ebp-20h] 19_2_04D5BAD0
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 19_2_04D5BAD0
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then push dword ptr [ebp-20h] 19_2_04D5BAC4
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 19_2_04D5BAC4
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 19_2_04D5DA74
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 19_2_065D4460
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 19_2_065D4450
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then jmp 06602717h 19_2_066025D8
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then jmp 06602717h 19_2_066025C8
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then jmp 06603C35h 19_2_06603AA0
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 4x nop then jmp 06603C35h 19_2_06603A91

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: nanopc.linkpc.net
Source: Malware configuration extractor URLs: 185.157.161.86
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49754 -> 185.157.161.86:50005
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.157.161.86 185.157.161.86
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OBE-EUROPEObenetworkEuropeSE OBE-EUROPEObenetworkEuropeSE
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.161.86
Source: gvvccsccefghhsnd.exe, 00000013.00000002.602922386.00000000009F5000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.465739066.00000000026EE000.00000004.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.465799062.000000000271C000.00000004.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.465739066.00000000026EE000.00000004.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.465739066.00000000026EE000.00000004.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: gvvccsccefghhsnd.exe, 00000013.00000002.604420150.000000000275E000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.465715365.00000000026C1000.00000004.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.604361409.0000000002731000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gvvccsccefghhsnd.exe, 00000013.00000002.603029028.0000000000A22000.00000004.00000020.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.465715365.00000000026C1000.00000004.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.604361409.0000000002731000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.465715365.00000000026C1000.00000004.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.604361409.0000000002731000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: InstallUtil.exe, 0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT (same Yara match file sources as listed under AV Detection above)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001C.00000002.610481587.0000000005780000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.611698378.0000000003738000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.611698378.0000000003738000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.466854129.00000000037EA000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.466854129.00000000037EA000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000013.00000002.611940927.0000000003856000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000013.00000002.611940927.0000000003856000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PO_6620200947535257662_Arabico.PDF.exe PID: 6408, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: PO_6620200947535257662_Arabico.PDF.exe PID: 6408, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: gvvccsccefghhsnd.exe PID: 6824, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: gvvccsccefghhsnd.exe PID: 6824, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: InstallUtil.exe PID: 5596, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: InstallUtil.exe PID: 5596, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.gvvccsccefghhsnd.exe.3739510.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.gvvccsccefghhsnd.exe.3739510.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.397a5ca.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.397a5ca.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.InstallUtil.exe.41bb14e.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.InstallUtil.exe.41bb14e.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.InstallUtil.exe.41bff84.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.InstallUtil.exe.5970000.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.gvvccsccefghhsnd.exe.38cf242.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.gvvccsccefghhsnd.exe.38cf242.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.InstallUtil.exe.41c45ad.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.InstallUtil.exe.5970000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.InstallUtil.exe.41bff84.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.gvvccsccefghhsnd.exe.389c662.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.gvvccsccefghhsnd.exe.389c662.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.InstallUtil.exe.31d9708.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.gvvccsccefghhsnd.exe.39e6b72.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.gvvccsccefghhsnd.exe.39e6b72.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.InstallUtil.exe.5780000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 28.2.InstallUtil.exe.5974629.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3862c9a.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3862c9a.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 19.2.gvvccsccefghhsnd.exe.389c662.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 19.2.gvvccsccefghhsnd.exe.389c662.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
.NET source code contains very large array initializations
Source: PO_6620200947535257662_Arabico.PDF.exe, Dj7z/e1J0.cs Large array initialization: .cctor: array initializer size 2488
Source: gvvccsccefghhsnd.exe.0.dr, Dj7z/e1J0.cs Large array initialization: .cctor: array initializer size 2488
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.240000.0.unpack, Dj7z/e1J0.cs Large array initialization: .cctor: array initializer size 2488
Source: 0.0.PO_6620200947535257662_Arabico.PDF.exe.240000.0.unpack, Dj7z/e1J0.cs Large array initialization: .cctor: array initializer size 2488
Source: 19.2.gvvccsccefghhsnd.exe.340000.0.unpack, Dj7z/e1J0.cs Large array initialization: .cctor: array initializer size 2488
Source: 19.0.gvvccsccefghhsnd.exe.340000.0.unpack, Dj7z/e1J0.cs Large array initialization: .cctor: array initializer size 2488
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PO_6620200947535257662_Arabico.PDF.exe
Contains functionality to launch a process as a different user
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_065D6E24 CreateProcessAsUserW, 19_2_065D6E24
Detected potential crypto function
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 0_2_002434F8 0_2_002434F8
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 0_2_00D0E020 0_2_00D0E020
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 0_2_00D0AF40 0_2_00D0AF40
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 0_2_00D0BC30 0_2_00D0BC30
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 0_2_04B93498 0_2_04B93498
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 0_2_04B94218 0_2_04B94218
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 0_2_04B95D98 0_2_04B95D98
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 0_2_04B9C5A8 0_2_04B9C5A8
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 0_2_04B9C598 0_2_04B9C598
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 0_2_04B96638 0_2_04B96638
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 0_2_04B96628 0_2_04B96628
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 0_2_04B9420E 0_2_04B9420E
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 0_2_04B90340 0_2_04B90340
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 0_2_04B97870 0_2_04B97870
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 0_2_04B9CB58 0_2_04B9CB58
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 0_2_04B9CB4A 0_2_04B9CB4A
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_003434F8 19_2_003434F8
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_0255E020 19_2_0255E020
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_0255A990 19_2_0255A990
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_0255AF40 19_2_0255AF40
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_0255BFE0 19_2_0255BFE0
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_0255A358 19_2_0255A358
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_0255BC30 19_2_0255BC30
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_04D504A0 19_2_04D504A0
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_04D54218 19_2_04D54218
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_04D55D98 19_2_04D55D98
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_04D5C598 19_2_04D5C598
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_04D5C5A8 19_2_04D5C5A8
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_04D56638 19_2_04D56638
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_04D56628 19_2_04D56628
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_04D54208 19_2_04D54208
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_04D5CB58 19_2_04D5CB58
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_04D5CB4A 19_2_04D5CB4A
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_065D6558 19_2_065D6558
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_065D7D0F 19_2_065D7D0F
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_065DD258 19_2_065DD258
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_065D7218 19_2_065D7218
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_065DB22A 19_2_065DB22A
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_065DAB02 19_2_065DAB02
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_065D9038 19_2_065D9038
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_065DDC78 19_2_065DDC78
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_065DDC0F 19_2_065DDC0F
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_065DC4B0 19_2_065DC4B0
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_065DC4A0 19_2_065DC4A0
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_065D6548 19_2_065D6548
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_065D4B78 19_2_065D4B78
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_065D4B68 19_2_065D4B68
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_065DE8E8 19_2_065DE8E8
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_065DC918 19_2_065DC918
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_065DC928 19_2_065DC928
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_06600C60 19_2_06600C60
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_06600040 19_2_06600040
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_06600006 19_2_06600006
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 28_2_00C820B0 28_2_00C820B0
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 28_2_0302E471 28_2_0302E471
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 28_2_0302E480 28_2_0302E480
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 28_2_0302BBD4 28_2_0302BBD4
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 28_2_0564F5F8 28_2_0564F5F8
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 28_2_05649788 28_2_05649788
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 28_2_05643550 28_2_05643550
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 28_2_0564A610 28_2_0564A610
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
PE file contains strange resources
Source: PO_6620200947535257662_Arabico.PDF.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gvvccsccefghhsnd.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000000.336475419.0000000000301000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamemcntyre.exeH vs PO_6620200947535257662_Arabico.PDF.exe
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.465913401.00000000027FE000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAstronot plart.exe> vs PO_6620200947535257662_Arabico.PDF.exe
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.470839679.0000000006390000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs PO_6620200947535257662_Arabico.PDF.exe
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.470947040.0000000006420000.00000002.00000001.sdmp Binary or memory string: originalfilename vs PO_6620200947535257662_Arabico.PDF.exe
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.470947040.0000000006420000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO_6620200947535257662_Arabico.PDF.exe
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.472908360.0000000006FF0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs PO_6620200947535257662_Arabico.PDF.exe
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.470185755.0000000005700000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO_6620200947535257662_Arabico.PDF.exe
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.470532416.0000000006070000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PO_6620200947535257662_Arabico.PDF.exe
Source: PO_6620200947535257662_Arabico.PDF.exe Binary or memory string: OriginalFilenamemcntyre.exeH vs PO_6620200947535257662_Arabico.PDF.exe
Uses 32bit PE files
Source: PO_6620200947535257662_Arabico.PDF.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\gvvccsccefghhsnd.exe,'
Yara signature match
Source: 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000001C.00000002.610481587.0000000005780000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000001C.00000002.610481587.0000000005780000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000013.00000002.611698378.0000000003738000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.611698378.0000000003738000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.466854129.00000000037EA000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.466854129.00000000037EA000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000013.00000002.611940927.0000000003856000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000013.00000002.611940927.0000000003856000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: PO_6620200947535257662_Arabico.PDF.exe PID: 6408, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: PO_6620200947535257662_Arabico.PDF.exe PID: 6408, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: gvvccsccefghhsnd.exe PID: 6824, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: gvvccsccefghhsnd.exe PID: 6824, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: InstallUtil.exe PID: 5596, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: InstallUtil.exe PID: 5596, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.gvvccsccefghhsnd.exe.3739510.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.gvvccsccefghhsnd.exe.3739510.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.gvvccsccefghhsnd.exe.3739510.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.397a5ca.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.397a5ca.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.397a5ca.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.2.InstallUtil.exe.41bb14e.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.InstallUtil.exe.41bb14e.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.InstallUtil.exe.41bb14e.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.2.InstallUtil.exe.41bff84.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.InstallUtil.exe.41bff84.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.InstallUtil.exe.5970000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.InstallUtil.exe.5970000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.gvvccsccefghhsnd.exe.38cf242.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.gvvccsccefghhsnd.exe.38cf242.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.2.InstallUtil.exe.41c45ad.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.InstallUtil.exe.41c45ad.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.2.InstallUtil.exe.5970000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.InstallUtil.exe.5970000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.InstallUtil.exe.41bff84.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.InstallUtil.exe.41bff84.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.gvvccsccefghhsnd.exe.389c662.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.gvvccsccefghhsnd.exe.389c662.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.gvvccsccefghhsnd.exe.389c662.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.2.InstallUtil.exe.31d9708.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.gvvccsccefghhsnd.exe.39e6b72.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.gvvccsccefghhsnd.exe.39e6b72.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.gvvccsccefghhsnd.exe.39e6b72.8.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.2.InstallUtil.exe.5780000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.InstallUtil.exe.5780000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.2.InstallUtil.exe.5974629.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 28.2.InstallUtil.exe.5974629.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3862c9a.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3862c9a.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 19.2.gvvccsccefghhsnd.exe.389c662.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 19.2.gvvccsccefghhsnd.exe.389c662.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 28.2.InstallUtil.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 28.2.InstallUtil.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 28.2.InstallUtil.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/7@0/1
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe File created: C:\Users\user\gvvccsccefghhsnd.exe
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{883c2226-d991-4f34-8646-4dd2732a341c}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_01
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: PO_6620200947535257662_Arabico.PDF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\gvvccsccefghhsnd.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\gvvccsccefghhsnd.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: PO_6620200947535257662_Arabico.PDF.exe ReversingLabs: Detection: 20%
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe File read: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe
Source: unknown Process created: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe 'C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe'
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\gvvccsccefghhsnd.exe,'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\gvvccsccefghhsnd.exe,'
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Process created: C:\Users\user\gvvccsccefghhsnd.exe 'C:\Users\user\gvvccsccefghhsnd.exe'
Source: C:\Users\user\gvvccsccefghhsnd.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PO_6620200947535257662_Arabico.PDF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO_6620200947535257662_Arabico.PDF.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 0000001C.00000002.601725662.0000000000C82000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr

Data Obfuscation:

.NET source code contains potential unpacker
Source: 28.2.InstallUtil.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 28.2.InstallUtil.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: ghfvjjtjhhjghdgghrba.exe.19.dr Static PE information: 0xC7142059 [Sun Nov 3 05:36:25 2075 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 0_2_0024333E push cs; retf 0_2_00243380
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 0_2_00243381 push cs; retf 0_2_002433A0
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Code function: 0_2_0024277B push edi; iretd 0_2_0024277D
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_0034333E push cs; retf 19_2_00343380
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_00343381 push cs; retf 19_2_003433A0
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_0034277B push edi; iretd 19_2_0034277D
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_04D55950 push es; retf 19_2_04D5595C
Source: C:\Users\user\gvvccsccefghhsnd.exe Code function: 19_2_065D4B21 pushfd ; retf 19_2_065D4B2D
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 28_2_0564B5E0 push eax; retf 28_2_0564B5ED
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 28_2_056469F8 pushad ; retf 28_2_056469F9
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Code function: 28_2_056469FA push esp; retf 28_2_05646A01
Source: ghfvjjtjhhjghdgghrba.exe.19.dr, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
Source: ghfvjjtjhhjghdgghrba.exe.19.dr, Astronotplart/gabKErPURPS76kDKjrme.cs High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
Source: ghfvjjtjhhjghdgghrba.exe.19.dr, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
Source: ghfvjjtjhhjghdgghrba.exe.19.dr, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
Source: ghfvjjtjhhjghdgghrba.exe.19.dr, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
Source: 28.2.InstallUtil.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 28.2.InstallUtil.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe File created: C:\Users\user\gvvccsccefghhsnd.exe
Source: C:\Users\user\gvvccsccefghhsnd.exe File created: C:\Users\user\AppData\Local\Temp\ghfvjjtjhhjghdgghrba.exe
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe File created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Drops PE files to the user directory
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe File created: C:\Users\user\gvvccsccefghhsnd.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Windows\SysWOW64\reg.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Drops PE files to the user root directory
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe File created: C:\Users\user\gvvccsccefghhsnd.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe File opened: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\gvvccsccefghhsnd.exe File opened: C:\Users\user\gvvccsccefghhsnd.exe\:Zone.Identifier read attributes | delete
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: pdf.exe Static PE information: PO_6620200947535257662_Arabico.PDF.exe
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\gvvccsccefghhsnd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\gvvccsccefghhsnd.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\gvvccsccefghhsnd.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Window / User API: threadDelayed 496
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Window / User API: threadDelayed 9288
Source: C:\Users\user\gvvccsccefghhsnd.exe Window / User API: threadDelayed 361
Source: C:\Users\user\gvvccsccefghhsnd.exe Window / User API: threadDelayed 9441
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 1877
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Window / User API: threadDelayed 7713
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\gvvccsccefghhsnd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ghfvjjtjhhjghdgghrba.exe
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe TID: 6592 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe TID: 6668 Thread sleep count: 496 > 30
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe TID: 6668 Thread sleep count: 9288 > 30
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe TID: 6592 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\gvvccsccefghhsnd.exe TID: 5904 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Users\user\gvvccsccefghhsnd.exe TID: 5700 Thread sleep count: 361 > 30
Source: C:\Users\user\gvvccsccefghhsnd.exe TID: 5700 Thread sleep count: 9441 > 30
Source: C:\Users\user\gvvccsccefghhsnd.exe TID: 5904 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\gvvccsccefghhsnd.exe TID: 5904 Thread sleep count: 41 > 30
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 5960 Thread sleep time: -20291418481080494s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Thread delayed: delay time: 30000
Source: C:\Users\user\gvvccsccefghhsnd.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\gvvccsccefghhsnd.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Thread delayed: delay time: 922337203685477
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.471113156.0000000006634000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:!
Source: gvvccsccefghhsnd.exe, 00000013.00000002.614103031.00000000061CF000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.470185755.0000000005700000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.374539474.0000000003A00000.00000002.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.613605348.0000000005770000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.470185755.0000000005700000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.374539474.0000000003A00000.00000002.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.613605348.0000000005770000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.470185755.0000000005700000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.374539474.0000000003A00000.00000002.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.613605348.0000000005770000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: gvvccsccefghhsnd.exe, 00000013.00000002.602922386.00000000009F5000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
Source: InstallUtil.exe, 0000001C.00000002.602877999.00000000012A4000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.470185755.0000000005700000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.374539474.0000000003A00000.00000002.00000001.sdmp, gvvccsccefghhsnd.exe, 00000013.00000002.613605348.0000000005770000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Process token adjusted: Debug
Source: C:\Users\user\gvvccsccefghhsnd.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\gvvccsccefghhsnd.exe Memory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\gvvccsccefghhsnd.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\gvvccsccefghhsnd.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
Source: C:\Users\user\gvvccsccefghhsnd.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
Source: C:\Users\user\gvvccsccefghhsnd.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000
Source: C:\Users\user\gvvccsccefghhsnd.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 422000
Source: C:\Users\user\gvvccsccefghhsnd.exe Memory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: EA4008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\gvvccsccefghhsnd.exe,'
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Process created: C:\Users\user\gvvccsccefghhsnd.exe 'C:\Users\user\gvvccsccefghhsnd.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\gvvccsccefghhsnd.exe,'
Source: C:\Users\user\gvvccsccefghhsnd.exe Process created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Source: InstallUtil.exe, 0000001C.00000002.605205180.00000000032A8000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: gvvccsccefghhsnd.exe, 00000013.00000002.603925047.00000000010C0000.00000002.00000001.sdmp, InstallUtil.exe, 0000001C.00000002.603679432.0000000001AD0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: gvvccsccefghhsnd.exe, 00000013.00000002.603925047.00000000010C0000.00000002.00000001.sdmp, InstallUtil.exe, 0000001C.00000002.603679432.0000000001AD0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: gvvccsccefghhsnd.exe, 00000013.00000002.603925047.00000000010C0000.00000002.00000001.sdmp, InstallUtil.exe, 0000001C.00000002.603679432.0000000001AD0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: InstallUtil.exe, 0000001C.00000002.604626929.00000000031D2000.00000004.00000001.sdmp Binary or memory string: Program Managerx
Source: InstallUtil.exe, 0000001C.00000002.604626929.00000000031D2000.00000004.00000001.sdmp Binary or memory string: Program Manager`n
Source: gvvccsccefghhsnd.exe, 00000013.00000002.603925047.00000000010C0000.00000002.00000001.sdmp, InstallUtil.exe, 0000001C.00000002.603679432.0000000001AD0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Queries volume information: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe VolumeInformation
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\gvvccsccefghhsnd.exe Queries volume information: C:\Users\user\gvvccsccefghhsnd.exe VolumeInformation
Source: C:\Users\user\gvvccsccefghhsnd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\gvvccsccefghhsnd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\gvvccsccefghhsnd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\gvvccsccefghhsnd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\gvvccsccefghhsnd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\gvvccsccefghhsnd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match File source: 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.611698378.0000000003738000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.466854129.00000000037EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.611940927.0000000003856000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO_6620200947535257662_Arabico.PDF.exe PID: 6408, type: MEMORY
Source: Yara match File source: Process Memory Space: gvvccsccefghhsnd.exe PID: 6824, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5596, type: MEMORY
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.3739510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.397a5ca.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.41bb14e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.41bff84.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.5970000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.38cf242.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.41c45ad.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.5970000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.41bff84.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.389c662.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.39e6b72.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.5974629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3862c9a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.389c662.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: PO_6620200947535257662_Arabico.PDF.exe, 00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: gvvccsccefghhsnd.exe, 00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.611698378.0000000003738000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.466854129.00000000037EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.611940927.0000000003856000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PO_6620200947535257662_Arabico.PDF.exe PID: 6408, type: MEMORY
Source: Yara match File source: Process Memory Space: gvvccsccefghhsnd.exe PID: 6824, type: MEMORY
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 5596, type: MEMORY
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.3739510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.397a5ca.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.41bb14e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.41bff84.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.5970000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.38cf242.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.41c45ad.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.5970000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.41bff84.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.389c662.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.39e6b72.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.InstallUtil.exe.5974629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3862c9a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.gvvccsccefghhsnd.exe.389c662.4.raw.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 382596
Sample: PO_6620200947535257662_Arab...
Startdate: 06/04/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures:
  • Found malware configuration
  • Malicious sample detected (through community Yara rule)
  • Multi AV Scanner detection for dropped file
  • 10 other signatures

Process tree:

PO_6620200947535257662_Arabico.PDF.exe
  Dropped files:
    C:\Users\user\gvvccsccefghhsnd.exe (PE32)
    C:\Users\user\AppData\...\InstallUtil.exe (PE32)
    C:\...\gvvccsccefghhsnd.exe:Zone.Identifier (ASCII)
    PO_662020094753525...Arabico.PDF.exe.log (ASCII)
  Signatures:
    Drops PE files to the user root directory
    Hides that the sample has been downloaded from the Internet (zone.identifier)
  Started processes:
    gvvccsccefghhsnd.exe
      Dropped files:
        C:\Users\user\...\ghfvjjtjhhjghdgghrba.exe (PE32)
      Signatures:
        Multi AV Scanner detection for dropped file
        Machine Learning detection for dropped file
        Writes to foreign memory regions
        3 other signatures
      Started processes:
        InstallUtil.exe
          Network: 185.157.161.86, port 50005 (OBE-EUROPEObenetworkEuropeSE, Sweden)
          Dropped files:
            C:\Users\user\AppData\Roaming\...\run.dat (data)
    cmd.exe
      Started processes:
        reg.exe
          Signatures:
            Creates an undocumented autostart registry key
        conhost.exe

Contacted Public IPs

IP              Domain   Country   ASN      ASN Name                        Malicious
185.157.161.86  unknown  Sweden    197595   OBE-EUROPEObenetworkEuropeSE    true

Contacted URLs

Name                Malicious   Antivirus Detection       Reputation
nanopc.linkpc.net   false       (none)                    high
185.157.161.86      true        Avira URL Cloud: safe     unknown