
Analysis Report NEW_ORDER.pdf.exe

Overview

General Information

Sample Name: NEW_ORDER.pdf.exe
Analysis ID: 382703
MD5: 17bdd9b47882dfba3b0d800f94d7dbc1
SHA1: fba3196ceef380d49c18322ba1201b1afb9c9991
SHA256: 5802e266beeabe10852b45ee17c86e9c7c8b62bc155848c809d3781e1b7a9123
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • NEW_ORDER.pdf.exe (PID: 7156 cmdline: 'C:\Users\user\Desktop\NEW_ORDER.pdf.exe' MD5: 17BDD9B47882DFBA3B0D800F94D7DBC1)
    • schtasks.exe (PID: 5124 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lmZfKRr' /XML 'C:\Users\user\AppData\Local\Temp\tmp53CF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 5832 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-000c0a4c", "Domain1": "185.140.53.138", "Domain2": "wealth2021.ddns.net", "Port": 20221, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.908113491.0000000005140000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000004.00000002.908113491.0000000005140000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000004.00000002.908113491.0000000005140000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000004.00000002.903831602.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.903831602.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.RegSvcs.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.RegSvcs.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
4.2.RegSvcs.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
4.2.RegSvcs.exe.5144629.9.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5832, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lmZfKRr' /XML 'C:\Users\user\AppData\Local\Temp\tmp53CF.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lmZfKRr' /XML 'C:\Users\user\AppData\Local\Temp\tmp53CF.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\NEW_ORDER.pdf.exe', ParentImage: C:\Users\user\Desktop\NEW_ORDER.pdf.exe, ParentProcessId: 7156, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lmZfKRr' /XML 'C:\Users\user\AppData\Local\Temp\tmp53CF.tmp', ProcessId: 5124

Signature Overview

AV Detection:

Found malware configuration
Source: 00000004.00000002.905761481.00000000039C9000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-000c0a4c", "Domain1": "185.140.53.138", "Domain2": "wealth2021.ddns.net", "Port": 20221, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\lmZfKRr.exe; Metadefender: Detection: 13%
Source: C:\Users\user\AppData\Roaming\lmZfKRr.exe; ReversingLabs: Detection: 54%
Multi AV Scanner detection for submitted file
Source: NEW_ORDER.pdf.exe; Metadefender: Detection: 13%
Source: NEW_ORDER.pdf.exe; ReversingLabs: Detection: 46%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000004.00000002.908113491.0000000005140000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.903831602.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.905010283.0000000002981000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.905761481.00000000039C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.657514928.0000000003B9A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5832, type: MEMORY
Source: Yara match; File source: Process Memory Space: NEW_ORDER.pdf.exe PID: 7156, type: MEMORY
Source: Yara match; File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.5144629.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NEW_ORDER.pdf.exe.3d42b30.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.39cff7c.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.39cb146.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.5140000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.5140000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.39d45a5.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.39cff7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NEW_ORDER.pdf.exe.3d42b30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NEW_ORDER.pdf.exe.3c9c0e0.2.raw.unpack, type: UNPACKEDPE
Source: 4.2.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.RegSvcs.exe.5140000.8.unpack; Avira: Label: TR/NanoCore.fadte
Source: NEW_ORDER.pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: NEW_ORDER.pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: wealth2021.ddns.net
Source: Malware configuration extractor; URLs: 185.140.53.138
Uses dynamic DNS services
Source: unknown; DNS query: name: wealth2021.ddns.net
Source: global traffic; TCP traffic: 192.168.2.4:49727 -> 185.140.53.138:20221
Source: Joe Sandbox View; IP Address: 185.140.53.138
Source: Joe Sandbox View; ASN Name: DAVID_CRAIGGG
Source: unknown; DNS traffic detected: queries for: wealth2021.ddns.net
Source: RegSvcs.exe, 00000004.00000002.905761481.00000000039C9000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.908113491.0000000005140000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.903831602.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.903831602.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.908094344.0000000005130000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.905761481.00000000039C9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.657514928.0000000003B9A000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.657514928.0000000003B9A000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 5832, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 5832, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: NEW_ORDER.pdf.exe PID: 7156, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: NEW_ORDER.pdf.exe PID: 7156, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.5144629.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.NEW_ORDER.pdf.exe.3d42b30.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.NEW_ORDER.pdf.exe.3d42b30.4.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.39cff7c.2.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.5130000.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.39cb146.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.39cb146.4.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.5140000.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.5140000.8.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.29b4920.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.39d45a5.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.39cff7c.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.NEW_ORDER.pdf.exe.3d42b30.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.NEW_ORDER.pdf.exe.3d42b30.4.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NEW_ORDER.pdf.exe.3c9c0e0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.NEW_ORDER.pdf.exe.3c9c0e0.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: NEW_ORDER.pdf.exe
Source: NEW_ORDER.pdf.exe; Binary or memory string: OriginalFilename vs NEW_ORDER.pdf.exe
Source: NEW_ORDER.pdf.exe, 00000000.00000002.665616120.000000000F530000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs NEW_ORDER.pdf.exe
Source: NEW_ORDER.pdf.exe, 00000000.00000002.665854825.000000000F620000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs NEW_ORDER.pdf.exe
Source: NEW_ORDER.pdf.exe, 00000000.00000002.665854825.000000000F620000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs NEW_ORDER.pdf.exe
Source: NEW_ORDER.pdf.exe, 00000000.00000002.657260140.00000000029F1000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameMetroFramework.dll> vs NEW_ORDER.pdf.exe
Source: NEW_ORDER.pdf.exe, 00000000.00000002.659038115.0000000004326000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameMajorRevision.exe< vs NEW_ORDER.pdf.exe
Source: NEW_ORDER.pdf.exe, 00000000.00000002.657514928.0000000003B9A000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamey~ vs NEW_ORDER.pdf.exe
Source: NEW_ORDER.pdf.exe; Binary or memory string: OriginalFilenamey~ vs NEW_ORDER.pdf.exe
Source: NEW_ORDER.pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000004.00000002.908113491.0000000005140000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.908113491.0000000005140000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.903831602.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.903831602.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.908094344.0000000005130000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.908094344.0000000005130000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.905761481.00000000039C9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.657514928.0000000003B9A000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.657514928.0000000003B9A000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 5832, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 5832, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: NEW_ORDER.pdf.exe PID: 7156, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: NEW_ORDER.pdf.exe PID: 7156, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.RegSvcs.exe.5144629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.RegSvcs.exe.5144629.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.NEW_ORDER.pdf.exe.3d42b30.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.NEW_ORDER.pdf.exe.3d42b30.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.NEW_ORDER.pdf.exe.3d42b30.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.RegSvcs.exe.39cff7c.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.RegSvcs.exe.39cff7c.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.RegSvcs.exe.5130000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.RegSvcs.exe.5130000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.RegSvcs.exe.39cb146.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.RegSvcs.exe.39cb146.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.RegSvcs.exe.39cb146.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.RegSvcs.exe.5140000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.RegSvcs.exe.5140000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.RegSvcs.exe.5140000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.RegSvcs.exe.5140000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.RegSvcs.exe.29b4920.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.RegSvcs.exe.29b4920.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.RegSvcs.exe.39d45a5.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.RegSvcs.exe.39d45a5.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.RegSvcs.exe.39cff7c.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.RegSvcs.exe.39cff7c.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.NEW_ORDER.pdf.exe.3d42b30.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.NEW_ORDER.pdf.exe.3d42b30.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.NEW_ORDER.pdf.exe.3c9c0e0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.NEW_ORDER.pdf.exe.3c9c0e0.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: NEW_ORDER.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: lmZfKRr.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/4@11/1
        Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | File created: C:\Users\user\AppData\Roaming\lmZfKRr.exe
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_01
        Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\NjUgKeijLA
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{ae697278-0563-480d-a326-4f0ab2164ba0}
        Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmp53CF.tmp
        Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: NEW_ORDER.pdf.exe | Metadefender: Detection: 13%
        Source: NEW_ORDER.pdf.exe | ReversingLabs: Detection: 46%
        Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | File read: C:\Users\user\Desktop\NEW_ORDER.pdf.exe
        Source: unknown | Process created: C:\Users\user\Desktop\NEW_ORDER.pdf.exe 'C:\Users\user\Desktop\NEW_ORDER.pdf.exe'
        Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lmZfKRr' /XML 'C:\Users\user\AppData\Local\Temp\tmp53CF.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
        Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: NEW_ORDER.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: NEW_ORDER.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

        Data Obfuscation:

        .NET source code contains method to dynamically call methods (often used by packers)
        Source: NEW_ORDER.pdf.exe, SqlFormatter/Graham_And_Jarvis.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
        Source: lmZfKRr.exe.0.dr, SqlFormatter/Graham_And_Jarvis.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
        Source: 0.0.NEW_ORDER.pdf.exe.620000.0.unpack, SqlFormatter/Graham_And_Jarvis.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
        Source: 0.2.NEW_ORDER.pdf.exe.620000.0.unpack, SqlFormatter/Graham_And_Jarvis.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
        .NET source code contains potential unpacker
        Source: NEW_ORDER.pdf.exe, SqlFormatter/Graham_And_Jarvis.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: lmZfKRr.exe.0.dr, SqlFormatter/Graham_And_Jarvis.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.0.NEW_ORDER.pdf.exe.620000.0.unpack, SqlFormatter/Graham_And_Jarvis.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.2.NEW_ORDER.pdf.exe.620000.0.unpack, SqlFormatter/Graham_And_Jarvis.cs | .Net Code: sssss System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | Code function: 0_2_04F7304A push eax; retf 0_2_04F73051
        Source: initial sample | Static PE information: section name: .text entropy: 7.88331546414
        Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | File created: C:\Users\user\AppData\Roaming\lmZfKRr.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\lmZfKRr' /XML 'C:\Users\user\AppData\Local\Temp\tmp53CF.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Uses an obfuscated file name to hide its real file extension (double extension)
        Source: Possible double extension: pdf.exe | Static PE information: NEW_ORDER.pdf.exe
        Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | Process information set: NOOPENFILEERRORBOX