31.0.0 Emerald
IR
383199
CloudBasic
13:11:11
07/04/2021
CU3e1CWzlr.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
bc906f26edfec13cdb13d8a6b97f344b
33933248690d87f77693865e7393395ec2ea3792
23ac7754b6ad5fc382857b05ad514a716cd3dcf861867d3be02a5a92ca7fe067
Win32 Executable (generic) a (10002005/4) 99.96%
true
false
false
false
100
0
100
5
0
5
false
C:\1.bat
false
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
true
C:\Quotation.exe
true
C:\Quotation.sfx.exe
true
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Quotation.exe.log
true
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
true
C:\Users\user\AppData\Local\Temp\tmpA16B.tmp
true
C:\Users\user\AppData\Local\Temp\tmpA45A.tmp
false
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
true
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
false
185.244.26.250
oleg321.ddns.net
true
185.244.26.250
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT