31.0.0 Emerald
IR
383990
CloudBasic
13:45:13
08/04/2021
NEW_ORDER.pdf.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
MD5: 5e618064ece7e7ae38af0dc9aa5a5559
SHA1: 9114a9bad82d1430dddadc38e05759782ae166bc
SHA256: f0e948526717e90fe4de5a54a4c2e7b1d80e9e7074ba989292c69e9f67a52a1e
Win32 Executable (generic) Net Framework (10011505/4) 49.80%
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Nanocore RAT