31.0.0 Emerald
IR
383611
CloudBasic
02:46:16
08/04/2021
AIC7VMxudf.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
Win32 Executable (generic) Net Framework (10011505/4) 49.80%
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AIC7VMxudf.exe.log
C:\Users\user\AppData\Local\Temp\tmp819D.tmp
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
C:\Users\user\AppData\Roaming\TqksXQmEOtil.exe
C:\Users\user\AppData\Roaming\TqksXQmEOtil.exe:Zone.Identifier
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Nanocore RAT