
Analysis Report NEW_ORDER.pdf.exe

Overview

General Information

Sample Name: NEW_ORDER.pdf.exe
Analysis ID: 383990
MD5: 5e618064ece7e7ae38af0dc9aa5a5559
SHA1: 9114a9bad82d1430dddadc38e05759782ae166bc
SHA256: f0e948526717e90fe4de5a54a4c2e7b1d80e9e7074ba989292c69e9f67a52a1e
Tags: NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • NEW_ORDER.pdf.exe (PID: 5416 cmdline: 'C:\Users\user\Desktop\NEW_ORDER.pdf.exe' MD5: 5E618064ECE7E7AE38AF0DC9AA5A5559)
    • schtasks.exe (PID: 5492 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rrnBESjNXy' /XML 'C:\Users\user\AppData\Local\Temp\tmp3114.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 5076 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-000c0a4c", "Domain1": "185.140.53.138", "Domain2": "wealth2021.ddns.net", "Port": 20221, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.227237084.00000000035EC000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xa8d5d:$x1: NanoCore.ClientPluginHost
  • 0xdbd9d:$x1: NanoCore.ClientPluginHost
  • 0xa8d9a:$x2: IClientNetworkHost
  • 0xdbdda:$x2: IClientNetworkHost
  • 0xac8cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xdf90d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.227237084.00000000035EC000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.227237084.00000000035EC000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xa8ac5:$a: NanoCore
  • 0xa8ad5:$a: NanoCore
  • 0xa8d09:$a: NanoCore
  • 0xa8d1d:$a: NanoCore
  • 0xa8d5d:$a: NanoCore
  • 0xdbb05:$a: NanoCore
  • 0xdbb15:$a: NanoCore
  • 0xdbd49:$a: NanoCore
  • 0xdbd5d:$a: NanoCore
  • 0xdbd9d:$a: NanoCore
  • 0xa8b24:$b: ClientPlugin
  • 0xa8d26:$b: ClientPlugin
  • 0xa8d66:$b: ClientPlugin
  • 0xdbb64:$b: ClientPlugin
  • 0xdbd66:$b: ClientPlugin
  • 0xdbda6:$b: ClientPlugin
  • 0xa8c4b:$c: ProjectData
  • 0xdbc8b:$c: ProjectData
  • 0x199991:$c: ProjectData
  • 0x2179b1:$c: ProjectData
  • 0xa9652:$d: DESCrypto
00000004.00000002.468190414.0000000005830000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000004.00000002.468190414.0000000005830000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.RegSvcs.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.RegSvcs.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
4.2.RegSvcs.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
4.2.RegSvcs.exe.6230000.9.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 5076, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rrnBESjNXy' /XML 'C:\Users\user\AppData\Local\Temp\tmp3114.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rrnBESjNXy' /XML 'C:\Users\user\AppData\Local\Temp\tmp3114.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\NEW_ORDER.pdf.exe', ParentImage: C:\Users\user\Desktop\NEW_ORDER.pdf.exe, ParentProcessId: 5416, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rrnBESjNXy' /XML 'C:\Users\user\AppData\Local\Temp\tmp3114.tmp', ProcessId: 5492

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: NEW_ORDER.pdf.exe; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\rrnBESjNXy.exe; Avira: detection malicious, Label: HEUR/AGEN.1138557
Found malware configuration
Source: 00000004.00000002.466700290.0000000004019000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-000c0a4c", "Domain1": "185.140.53.138", "Domain2": "wealth2021.ddns.net", "Port": 20221, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\rrnBESjNXy.exe; ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: NEW_ORDER.pdf.exe; ReversingLabs: Detection: 31%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.227237084.00000000035EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.468713610.0000000006230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.458836428.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.466700290.0000000004019000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: NEW_ORDER.pdf.exe PID: 5416, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5076, type: MEMORY
Source: Yara match; File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.6230000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.6234629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.401ff7c.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.401ff7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.401b146.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.40245a5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NEW_ORDER.pdf.exe.3684bd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NEW_ORDER.pdf.exe.3684bd0.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.6230000.9.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\rrnBESjNXy.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: NEW_ORDER.pdf.exe; Joe Sandbox ML: detected
Source: 4.2.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.RegSvcs.exe.6230000.9.unpack; Avira: Label: TR/NanoCore.fadte
Source: NEW_ORDER.pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: NEW_ORDER.pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (0_2_0E8B1660)
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (0_2_0E8B165F)
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (0_2_0E8B1714)
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (0_2_0E8B35B0)
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (0_2_0E8B35C0)

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: wealth2021.ddns.net
Source: Malware configuration extractor; URLs: 185.140.53.138
Uses dynamic DNS services
Source: unknown; DNS query: name: wealth2021.ddns.net
Source: global traffic; TCP traffic: 192.168.2.3:49721 -> 185.140.53.138:20221
Source: Joe Sandbox View; IP Address: 185.140.53.138
Source: Joe Sandbox View; ASN Name: DAVID_CRAIGGG
Source: unknown; DNS traffic detected: queries for: wealth2021.ddns.net
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: NEW_ORDER.pdf.exe, 00000000.00000002.223799082.00000000025C2000.00000004.00000001.sdmp, NEW_ORDER.pdf.exe, 00000000.00000002.223565195.0000000002521000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: NEW_ORDER.pdf.exe, 00000000.00000002.223799082.00000000025C2000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: NEW_ORDER.pdf.exe; String found in binary or memory: http://tempuri.org/GridOneHSDataSet.xsd
Source: NEW_ORDER.pdf.exe; String found in binary or memory: http://tempuri.org/HighScoresDataSet.xsd
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: NEW_ORDER.pdf.exe, 00000000.00000002.223374262.0000000000BA7000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.comm
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: NEW_ORDER.pdf.exe, 00000000.00000003.196181845.000000000559B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.comc
Source: NEW_ORDER.pdf.exe, 00000000.00000003.196107574.000000000559B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.comc9
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: NEW_ORDER.pdf.exe, 00000000.00000003.197658552.000000000558E000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnIT
Source: NEW_ORDER.pdf.exe, 00000000.00000003.197658552.000000000558E000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnnte
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: NEW_ORDER.pdf.exe, 00000000.00000003.196438326.000000000559B000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com%
Source: NEW_ORDER.pdf.exe, 00000000.00000003.196969332.000000000559B000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com2
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: NEW_ORDER.pdf.exe, 00000000.00000002.229401070.0000000005670000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: NEW_ORDER.pdf.exe, 00000000.00000002.223660609.0000000002575000.00000004.00000001.sdmp; String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: RegSvcs.exe, 00000004.00000002.468713610.0000000006230000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.227237084.00000000035EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.468713610.0000000006230000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.458836428.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.466700290.0000000004019000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: NEW_ORDER.pdf.exe PID: 5416, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 5076, type: MEMORY
Source: Yara match; File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.6230000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.6234629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.401ff7c.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.401ff7c.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.401b146.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.40245a5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NEW_ORDER.pdf.exe.3684bd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.NEW_ORDER.pdf.exe.3684bd0.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegSvcs.exe.6230000.9.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.227237084.00000000035EC000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.227237084.00000000035EC000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.468190414.0000000005830000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.468713610.0000000006230000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.458836428.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000004.00000002.458836428.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.466700290.0000000004019000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: NEW_ORDER.pdf.exe PID: 5416, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: NEW_ORDER.pdf.exe PID: 5416, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 5076, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 5076, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.6230000.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.6234629.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.401ff7c.2.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.401ff7c.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.401b146.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.401b146.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.40245a5.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.302a91c.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 4.2.RegSvcs.exe.5830000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.NEW_ORDER.pdf.exe.3684bd0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.NEW_ORDER.pdf.exe.3684bd0.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.NEW_ORDER.pdf.exe.3684bd0.2.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.NEW_ORDER.pdf.exe.3684bd0.2.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.6230000.9.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: NEW_ORDER.pdf.exe
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D76868 NtQueryInformationProcess
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D76860 NtQueryInformationProcess
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_0098C2B0
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_00989990
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D77AD8
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D7C6E8
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D76633
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D754E0
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D7CDB0
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D71ED9
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D71EE8
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D75E88
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D716A8
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D71A50
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D77A7C
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D75E79
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D71A60
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D707D0
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D707C0
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D71398
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D71388
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D757B0
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D757A0
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D754D0
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D720C8
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D758F0
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D71C80
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D72C80
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D720BB
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D75852
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D71C70
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D72C79
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D791F8
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_06D78D0B
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_0E8B1E60
Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe; Code function: 0_2_0E8B3188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0156E471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0156E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4_2_0156BBD4
Source: NEW_ORDER.pdf.exe; Binary or memory string: OriginalFilename vs NEW_ORDER.pdf.exe
Source: NEW_ORDER.pdf.exe, 00000000.00000002.227237084.00000000035EC000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameDSASignature.dll" vs NEW_ORDER.pdf.exe
Source: NEW_ORDER.pdf.exe, 00000000.00000002.233199984.000000000E480000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs NEW_ORDER.pdf.exe
Source: NEW_ORDER.pdf.exe, 00000000.00000002.233199984.000000000E480000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs NEW_ORDER.pdf.exe
Source: NEW_ORDER.pdf.exe, 00000000.00000003.221543576.000000000DB0D000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameEmptySafeHandle.exe4 vs NEW_ORDER.pdf.exe
Source: NEW_ORDER.pdf.exe, 00000000.00000002.223565195.0000000002521000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSimpleUI.dll2 vs NEW_ORDER.pdf.exe
Source: NEW_ORDER.pdf.exe, 00000000.00000002.233062357.000000000E390000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs NEW_ORDER.pdf.exe
Source: NEW_ORDER.pdf.exe; Binary or memory string: OriginalFilenameEmptySafeHandle.exe4 vs NEW_ORDER.pdf.exe
Source: NEW_ORDER.pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      YARA rules matched (metadata as reported by the scanner):
      Nanocore_RAT_Gen_2: date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Nanocore_RAT_Feb18_1: date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      NanoCore: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.227237084.00000000035EC000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
      Source: 00000004.00000002.468190414.0000000005830000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 00000004.00000002.468713610.0000000006230000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 00000004.00000002.458836428.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
      Source: 00000004.00000002.466700290.0000000004019000.00000004.00000001.sdmp, type: MEMORY | Matched rules: NanoCore
      Source: Process Memory Space: NEW_ORDER.pdf.exe PID: 5416, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
      Source: Process Memory Space: RegSvcs.exe PID: 5076, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
      Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 4.2.RegSvcs.exe.6230000.9.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 4.2.RegSvcs.exe.6234629.8.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 4.2.RegSvcs.exe.401ff7c.2.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 4.2.RegSvcs.exe.401ff7c.2.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 4.2.RegSvcs.exe.401b146.3.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 4.2.RegSvcs.exe.40245a5.4.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 4.2.RegSvcs.exe.302a91c.1.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2
      Source: 4.2.RegSvcs.exe.5830000.6.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: 0.2.NEW_ORDER.pdf.exe.3684bd0.2.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, NanoCore
      Source: 0.2.NEW_ORDER.pdf.exe.3684bd0.2.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
      Source: 4.2.RegSvcs.exe.6230000.9.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
      Source: NEW_ORDER.pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: rrnBESjNXy.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/5@13/1
      Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | File created: C:\Users\user\AppData\Roaming\rrnBESjNXy.exe
      Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | Mutant created: \Sessions\1\BaseNamedObjects\cbbvUnffDoOkFzvkbCRnCsWpZ
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3148:120:WilError_01
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{ae697278-0563-480d-a326-4f0ab2164ba0}
      Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3114.tmp
      Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: NEW_ORDER.pdf.exe, 00000000.00000002.223660609.0000000002575000.00000004.00000001.sdmp | Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
      Source: NEW_ORDER.pdf.exe, 00000000.00000002.223660609.0000000002575000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
      Source: NEW_ORDER.pdf.exe, 00000000.00000002.223660609.0000000002575000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
      Source: NEW_ORDER.pdf.exe, 00000000.00000002.223660609.0000000002575000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
      Source: NEW_ORDER.pdf.exe, 00000000.00000002.223660609.0000000002575000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
      Source: NEW_ORDER.pdf.exe, 00000000.00000002.223660609.0000000002575000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
      Source: NEW_ORDER.pdf.exe, 00000000.00000002.223660609.0000000002575000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
      Source: NEW_ORDER.pdf.exe | ReversingLabs: Detection: 31%
      Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | File read: C:\Users\user\Desktop\NEW_ORDER.pdf.exe
      Source: unknown | Process created: C:\Users\user\Desktop\NEW_ORDER.pdf.exe 'C:\Users\user\Desktop\NEW_ORDER.pdf.exe'
      Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rrnBESjNXy' /XML 'C:\Users\user\AppData\Local\Temp\tmp3114.tmp'
      Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
      Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: NEW_ORDER.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: NEW_ORDER.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | Code function: 0_2_06D72540 push C035BA79h; ret 0_2_06D72545
      Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | Code function: 0_2_0E8B14B8 push ebp; retf 0_2_0E8B14C6
      Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | Code function: 0_2_0E8B1510 push ebp; retf 0_2_0E8B151E
      Source: initial sample | Static PE information: section name: .text entropy: 7.64783610174
      Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | File created: C:\Users\user\AppData\Roaming\rrnBESjNXy.exe
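The entropy line above (.text at 7.65 bits per byte, close to the 8.0 ceiling for byte data) is the static check that separates a packed or encrypted section from ordinary compiled code, and it is why the decrypt-then-Assembly.Load(byte[]) pattern listed with it is expected. The following Python is an added example and not Joe Sandbox code: it walks the PE section table by hand and computes Shannon entropy per section. The 7.0 flag threshold, the hand-built test image (a random ".text" next to a ".rdata" filled with the decoy SQL strings seen in this report) and all helper names are assumptions of this example.

```python
r"""Per-section Shannon entropy for a PE file: the static check behind the
".text entropy: 7.647" line above. Added example, not Joe Sandbox code."""
import math
import random
import struct
from collections import Counter

# Sections at or above this value are reported as packed/encrypted.
# The cut-off is an assumption of this example; 8.0 is the ceiling for bytes.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes):
    """Yield (name, raw_bytes) for each section of a PE image, walking
    e_lfanew -> COFF header -> section table without third-party modules."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(num_sections):
        entry = table + 40 * i
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        raw_size, raw_ptr = struct.unpack_from("<II", image, entry + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]


def section_entropy_report(image: bytes, threshold: float = HIGH_ENTROPY) -> dict:
    """Map section name -> (entropy rounded to 3 places, flagged?)."""
    report = {}
    for name, data in pe_sections(image):
        h = shannon_entropy(data)
        report[name] = (round(h, 3), h >= threshold)
    return report


def build_test_pe(sections) -> bytes:
    """Construct a minimal PE image from [(name, payload)] pairs. This is a
    constructed fixture with just enough header to drive pe_sections()."""
    e_lfanew = 0x40
    opt_size = 0  # optional header omitted; pe_sections() only skips over it
    table = e_lfanew + 4 + 20 + opt_size
    data_start = table + 40 * len(sections)
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"PE\0\0"
    # COFF: Machine=i386, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    body = bytearray()
    for name, payload in sections:
        raw_ptr = data_start + len(body)
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        hdr += name.encode().ljust(8, b"\0")
        hdr += struct.pack("<IIII", len(payload), 0x1000, len(payload), raw_ptr)
        hdr += b"\0" * 16  # relocation/line-number fields and Characteristics, unused
        body += payload
    return bytes(hdr) + bytes(body)


def build_demo_image() -> bytes:
    """Constructed sample: a .text that looks encrypted next to a plain .rdata
    holding the kind of decoy SQL strings this report lists in memory."""
    rng = random.Random(1)
    packed_text = bytes(rng.getrandbits(8) for _ in range(4096))
    decoy_rdata = b"Select * from Clientes WHERE id=@id;" * 64
    return build_test_pe([(".text", packed_text), (".rdata", decoy_rdata)])


if __name__ == "__main__":
    for name, (h, flagged) in section_entropy_report(build_demo_image()).items():
        print(f"{name:8s} entropy={h:.3f} {'PACKED?' if flagged else 'ok'}")
```

Run it against a real file with section_entropy_report(open(path, "rb").read()); a .text above 7.0 on a .NET executable is a strong hint that the visible assembly is only a loader for a payload decrypted at run time, which is exactly what the CreateDecryptor/TransformFinalBlock and Assembly.Load(byte[]) hits above describe.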

      Boot Survival:

      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: C:\Users\user\Desktop\NEW_ORDER.pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rrnBESjNXy' /XML 'C:\Users\user\AppData\Local\Temp\tmp3114.tmp'
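The schtasks line above is the persistence step: the dropper writes a task definition to a temp file and imports it with /XML, so the task appears under the innocuous name Updates\rrnBESjNXy. As an added example (not Joe Sandbox or Sigma rule code), the Python below runs that detection logic over constructed process-creation events: schtasks.exe launched with /Create and an /XML path under a temp directory. The Sysmon-style field names (Image, ParentImage, CommandLine), the temp-directory list and the helper names are assumptions of this example.

```python
r"""Flag schtasks.exe importing a task definition from a temp directory, the
persistence step logged above (/Create /TN 'Updates\rrnBESjNXy' /XML
...\Temp\tmp3114.tmp). Added example, not Joe Sandbox or Sigma rule code."""
import re

# Directories a dropper typically writes its task XML to. Assumption of this
# example; extend for the %TMP% variants seen in your own telemetry.
TEMP_DIRS = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)

# Quote-aware split of a Windows command line. Joe Sandbox renders quotes as
# single quotes; Sysmon/EDR logs use double quotes, so both are handled.
_TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


def tokenize(cmdline: str) -> list:
    """Split on whitespace, keeping quoted spans together and unquoting them."""
    out = []
    for t in _TOKEN.findall(cmdline):
        if len(t) > 1 and t[0] in "'\"" and t[-1] == t[0]:
            t = t[1:-1]
        out.append(t)
    return out


def parse_schtasks(cmdline: str) -> dict:
    """Extract the switches this detection cares about from a schtasks line."""
    toks = tokenize(cmdline)
    info = {"create": False, "tn": None, "xml": None}
    for i, tok in enumerate(toks):
        key = tok.lower()
        if key == "/create":
            info["create"] = True
        elif key in ("/tn", "/xml") and i + 1 < len(toks):
            info[key[1:]] = toks[i + 1]
    return info


def is_schtasks(image: str) -> bool:
    """Match on the image basename; SysWOW64 and System32 copies both count."""
    return image.lower().rsplit("\\", 1)[-1] == "schtasks.exe"


def detect(events) -> list:
    """Return one alert per process-creation event where schtasks.exe runs
    /Create with an /XML definition located under a temp directory."""
    alerts = []
    for ev in events:
        if not is_schtasks(ev["Image"]):
            continue
        info = parse_schtasks(ev["CommandLine"])
        if info["create"] and info["xml"] and TEMP_DIRS.search(info["xml"]):
            alerts.append({"parent": ev["ParentImage"], "task": info["tn"], "xml": info["xml"]})
    return alerts


# Constructed events using Sysmon Event ID 1 field names (an assumption; map
# your own schema). The first mirrors the process tree in this report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\NEW_ORDER.pdf.exe",
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\rrnBESjNXy' "
                    r"/XML 'C:\Users\user\AppData\Local\Temp\tmp3114.tmp'"},
    {"Image": r"C:\Windows\System32\schtasks.exe",  # benign: XML outside temp
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup\Nightly" '
                    r'/XML "C:\ProgramData\Backup\nightly.xml"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",  # benign: no /Create
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /Query /TN "Backup\Nightly"'},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"ALERT parent={alert['parent']} task={alert['task']} xml={alert['xml']}")
```

The parent image is carried in the alert on purpose: a task imported from a temp file by an installer run from Program Files is common, the same import by a double-extension executable on the Desktop is not, so the parent is the first thing an analyst will want when triaging the hit.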

      Hooking and other Techniques for Hiding and Protection: