
Analysis Report DHLAWB# 9284880911 pdf.exe

Overview

General Information

Sample Name: DHLAWB# 9284880911 pdf.exe
Analysis ID: 402352
MD5: 72208e35ab96b53baffd99165d2f50cb
SHA1: ca1a5cefafcd9e4f37bb3880d96aa0fb86043cf1
SHA256: a2bb219a5ecfa042dc97a47aeda8a637f49e70e09af3f7b52f7974f7b1c39172
Tags: exe, NanoCore, RAT

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • DHLAWB# 9284880911 pdf.exe (PID: 3012 cmdline: 'C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe' MD5: 72208E35AB96B53BAFFD99165D2F50CB)
    • schtasks.exe (PID: 3468 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HVLIxSqWJDWWZt' /XML 'C:\Users\user\AppData\Local\Temp\tmpF4A2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • DHLAWB# 9284880911 pdf.exe (PID: 1560 cmdline: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe MD5: 72208E35AB96B53BAFFD99165D2F50CB)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "97a824b7-e666-4a22-b2e3-fb501d91", "Group": "king", "Domain1": "23.105.131.171", "Domain2": "", "Port": 4040, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.483729377.0000000005B80000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000004.00000002.483729377.0000000005B80000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
00000004.00000002.472666786.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.472666786.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000004.00000002.472666786.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0xfcf5:$a: NanoCore
    • 0xfd05:$a: NanoCore
    • 0xff39:$a: NanoCore
    • 0xff4d:$a: NanoCore
    • 0xff8d:$a: NanoCore
    • 0xfd54:$b: ClientPlugin
    • 0xff56:$b: ClientPlugin
    • 0xff96:$b: ClientPlugin
    • 0xfe7b:$c: ProjectData
    • 0x10882:$d: DESCrypto
    • 0x1824e:$e: KeepAlive
    • 0x1623c:$g: LogClientMessage
    • 0x12437:$i: get_Connected
    • 0x10bb8:$j: #=q
    • 0x10be8:$j: #=q
    • 0x10c04:$j: #=q
    • 0x10c34:$j: #=q
    • 0x10c50:$j: #=q
    • 0x10c6c:$j: #=q
    • 0x10c9c:$j: #=q
    • 0x10cb8:$j: #=q

    Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.DHLAWB# 9284880911 pdf.exe.38647fc.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x2dbb:$x1: NanoCore.ClientPluginHost
    • 0x2de5:$x2: IClientNetworkHost
4.2.DHLAWB# 9284880911 pdf.exe.38647fc.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0x2dbb:$x2: NanoCore.ClientPluginHost
    • 0x4c6b:$s4: PipeCreated
0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x1018d:$x1: NanoCore.ClientPluginHost
    • 0x429ad:$x1: NanoCore.ClientPluginHost
    • 0x101ca:$x2: IClientNetworkHost
    • 0x429ea:$x2: IClientNetworkHost
    • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0xff05:$x1: NanoCore Client.exe
    • 0x42725:$x1: NanoCore Client.exe
    • 0x1018d:$x2: NanoCore.ClientPluginHost
    • 0x429ad:$x2: NanoCore.ClientPluginHost
    • 0x117c6:$s1: PluginCommand
    • 0x43fe6:$s1: PluginCommand
    • 0x117ba:$s2: FileCommand
    • 0x43fda:$s2: FileCommand
    • 0x1266b:$s3: PipeExists
    • 0x44e8b:$s3: PipeExists
    • 0x18422:$s4: PipeCreated
    • 0x4ac42:$s4: PipeCreated
    • 0x101b7:$s5: IClientLoggingHost
    • 0x429d7:$s5: IClientLoggingHost
0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

      Sigma Overview

      System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe, ProcessId: 1560, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HVLIxSqWJDWWZt' /XML 'C:\Users\user\AppData\Local\Temp\tmpF4A2.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HVLIxSqWJDWWZt' /XML 'C:\Users\user\AppData\Local\Temp\tmpF4A2.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe', ParentImage: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe, ParentProcessId: 3012, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\HVLIxSqWJDWWZt' /XML 'C:\Users\user\AppData\Local\Temp\tmpF4A2.tmp', ProcessId: 3468

      Signature Overview


      AV Detection:

Found malware configuration
Source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.raw.unpack, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "97a824b7-e666-4a22-b2e3-fb501d91", "Group": "king", "Domain1": "23.105.131.171", "Domain2": "", "Port": 4040, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\HVLIxSqWJDWWZt.exe, ReversingLabs: Detection: 10%
Multi AV Scanner detection for submitted file
Source: DHLAWB# 9284880911 pdf.exe, ReversingLabs: Detection: 10%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000004.00000002.472666786.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.230786532.0000000004501000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.484302259.00000000060B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: DHLAWB# 9284880911 pdf.exe PID: 1560, type: MEMORY
Source: Yara match, File source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHLAWB# 9284880911 pdf.exe.60b0000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHLAWB# 9284880911 pdf.exe.60b4629.16.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHLAWB# 9284880911 pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHLAWB# 9284880911 pdf.exe.60b0000.17.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHLAWB# 9284880911 pdf.exe.4846e90.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.DHLAWB# 9284880911 pdf.exe.45ac0d8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHLAWB# 9284880911 pdf.exe.4846e90.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHLAWB# 9284880911 pdf.exe.48b6f59.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DHLAWB# 9284880911 pdf.exe.484b4b9.6.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\HVLIxSqWJDWWZt.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: DHLAWB# 9284880911 pdf.exe, Joe Sandbox ML: detected
Source: 4.2.DHLAWB# 9284880911 pdf.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.DHLAWB# 9284880911 pdf.exe.60b0000.17.unpack, Avira: Label: TR/NanoCore.fadte
Source: DHLAWB# 9284880911 pdf.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: DHLAWB# 9284880911 pdf.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: mscorlib.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.477033489.0000000001775000.00000004.00000040.sdmp
      Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\vCohllGlVk\src\obj\Debug\StringHandleOnStack.pdb source: DHLAWB# 9284880911 pdf.exe
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp
      Source: Binary string: C:\Windows\dll\mscorlib.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.477033489.0000000001775000.00000004.00000040.sdmp
      Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp
      Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp
      Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp
      Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp
      Source: Binary string: C:\Windows\mscorlib.pdbI source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.477033489.0000000001775000.00000004.00000040.sdmp
      Source: Binary string: mscorrc.pdb source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.234251673.0000000007540000.00000002.00000001.sdmp, DHLAWB# 9284880911 pdf.exe, 00000004.00000002.483898535.0000000005CB0000.00000002.00000001.sdmp
      Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h, 0_2_05513430
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h, 0_2_05513421
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe, Code function: 4x nop then lea esp, dword ptr [ebp-0Ch], 4_2_06846808
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe, Code function: 4x nop then lea esp, dword ptr [ebp-0Ch], 4_2_06846818
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe, Code function: 4x nop then mov esp, ebp, 4_2_06843508
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe, Code function: 4x nop then mov esp, ebp, 4_2_06843518

      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49725 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49726 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49727 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49733 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49734 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49736 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49738 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49740 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49741 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49750 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49751 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49752 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49753 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49754 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49756 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49758 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49759 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49760 -> 23.105.131.171:4040
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49761 -> 23.105.131.171:4040
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs:
Source: Malware configuration extractor, URLs: 23.105.131.171
Source: global traffic, TCP traffic: 192.168.2.3:49725 -> 23.105.131.171:4040
Source: Joe Sandbox View, ASN Name: LEASEWEB-USA-NYC-11US LEASEWEB-USA-NYC-11US
Source: unknown, TCP traffic detected without corresponding DNS query: 23.105.131.171 (50 identical entries)
Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe, Code function: 4_2_05AA28CE WSARecv, 4_2_05AA28CE
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.207004883.000000000195D000.00000004.00000001.sdmp, String found in binary or memory: http://en.w
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp, String found in binary or memory: http://google.com
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.226163799.0000000005880000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, DHLAWB# 9284880911 pdf.exe, 00000000.00000003.212524209.000000000588D000.00000004.00000001.sdmp, DHLAWB# 9284880911 pdf.exe, 00000000.00000003.212025172.0000000005889000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, DHLAWB# 9284880911 pdf.exe, 00000000.00000003.212524209.000000000588D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.226163799.0000000005880000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comceTF
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.207382725.000000000589B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.207382725.000000000589B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com-uA
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.207382725.000000000589B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comc
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.207425359.000000000589B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comic
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208864496.0000000005884000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208864496.0000000005884000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208706639.0000000005884000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/MI:H
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208864496.0000000005884000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/TS
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208693548.00000000058BD000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnb-n
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208864496.0000000005884000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnerslH
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208693548.00000000058BD000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnk-s
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208693548.00000000058BD000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cns-m
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.209977218.0000000005884000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.209977218.0000000005884000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.209977218.0000000005884000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/RT
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.209977218.0000000005884000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.209977218.0000000005884000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/a-e
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.209977218.0000000005884000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/ito
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.209977218.0000000005884000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.209977218.0000000005884000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/8T
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.209977218.0000000005884000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/ko
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.209977218.0000000005884000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/liquwT
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.207260612.000000000589B000.00000004.00000001.sdmp, DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.207260612.000000000589B000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.comibiT
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208289981.0000000005886000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.krZ
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208289981.0000000005886000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kre
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.208289981.0000000005886000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.krtriFH
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.207630084.000000000589B000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.comh
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000003.207580705.000000000589B000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.comtn
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.232662327.0000000006B12000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.227902373.0000000003540000.00000004.00000001.sdmp, String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: DHLAWB# 9284880911 pdf.exe, 00000000.00000002.226833624.00000000015C8000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: DHLAWB# 9284880911 pdf.exe, 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

      Yara detected Nanocore RAT
      Source: Yara match | File source: 00000004.00000002.472666786.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.230786532.0000000004501000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000002.484302259.00000000060B0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: DHLAWB# 9284880911 pdf.exe PID: 1560, type: MEMORY
      Source: Yara match | File source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.2.DHLAWB# 9284880911 pdf.exe.60b0000.17.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.2.DHLAWB# 9284880911 pdf.exe.60b4629.16.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.2.DHLAWB# 9284880911 pdf.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.2.DHLAWB# 9284880911 pdf.exe.60b0000.17.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.2.DHLAWB# 9284880911 pdf.exe.4846e90.8.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.DHLAWB# 9284880911 pdf.exe.45ac0d8.3.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.2.DHLAWB# 9284880911 pdf.exe.4846e90.8.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.2.DHLAWB# 9284880911 pdf.exe.48b6f59.7.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 4.2.DHLAWB# 9284880911 pdf.exe.484b4b9.6.raw.unpack, type: UNPACKEDPE

      System Summary:

      Malicious sample detected (through community Yara rule)
      Source: 00000004.00000002.483729377.0000000005B80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000004.00000002.472666786.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000004.00000002.472666786.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000002.230786532.0000000004501000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.230786532.0000000004501000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000004.00000002.481253287.000000000383B000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000004.00000002.484302259.00000000060B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000004.00000002.482228223.00000000047E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: DHLAWB# 9284880911 pdf.exe PID: 1560, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: DHLAWB# 9284880911 pdf.exe PID: 1560, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.38647fc.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.4b12c32.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.4b12c32.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.DHLAWB# 9284880911 pdf.exe.46f7978.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.37f1288.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.60b0000.17.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.48b6f59.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.60b4629.16.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.4b178d1.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.60b0000.17.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.4846e90.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.4b099fe.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.4b099fe.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.5b80000.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.3870a70.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.DHLAWB# 9284880911 pdf.exe.45ac0d8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.DHLAWB# 9284880911 pdf.exe.45ac0d8.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.38647fc.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.38647fc.4.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.3870a70.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.3870a70.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.38850d8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.38850d8.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.4846e90.8.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.48b6f59.7.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 4.2.DHLAWB# 9284880911 pdf.exe.484b4b9.6.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_055015E2 NtQuerySystemInformation, | 0_2_055015E2
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_055015B1 NtQuerySystemInformation, | 0_2_055015B1
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 4_2_05AA136A NtQuerySystemInformation, | 4_2_05AA136A
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 4_2_05AA132F NtQuerySystemInformation, | 4_2_05AA132F
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_00E38EF6 | 0_2_00E38EF6
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_00E3C644 | 0_2_00E3C644
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_00E37693 | 0_2_00E37693
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A23B8 | 0_2_031A23B8
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A5A18 | 0_2_031A5A18
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A1E50 | 0_2_031A1E50
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031AD518 | 0_2_031AD518
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A4950 | 0_2_031A4950
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A5140 | 0_2_031A5140
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031AD960 | 0_2_031AD960
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A6878 | 0_2_031A6878
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A975A | 0_2_031A975A
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A23A8 | 0_2_031A23A8
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031ADBF0 | 0_2_031ADBF0
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031AE268 | 0_2_031AE268
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A76B0 | 0_2_031A76B0
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A86D8 | 0_2_031A86D8
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A86C8 | 0_2_031A86C8
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A76C0 | 0_2_031A76C0
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A8AF0 | 0_2_031A8AF0
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A8AE0 | 0_2_031A8AE0
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031ACD38 | 0_2_031ACD38
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A6D28 | 0_2_031A6D28
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A5550 | 0_2_031A5550
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A8141 | 0_2_031A8141
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031AE990 | 0_2_031AE990
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A3DB0 | 0_2_031A3DB0
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A8DC5 | 0_2_031A8DC5
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A681F | 0_2_031A681F
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A4898 | 0_2_031A4898
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A8891 | 0_2_031A8891
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A8CA9 | 0_2_031A8CA9
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_031A88A0 | 0_2_031A88A0
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_05511471 | 0_2_05511471
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_05510070 | 0_2_05510070
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_05510B20 | 0_2_05510B20
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_055104D0 | 0_2_055104D0
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_055130C0 | 0_2_055130C0
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_05510B10 | 0_2_05510B10
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_05511A13 | 0_2_05511A13
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_05510006 | 0_2_05510006
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_055104C0 | 0_2_055104C0
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_055117F1 | 0_2_055117F1
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 0_2_055119BB | 0_2_055119BB
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 4_2_00FB8EF6 | 4_2_00FB8EF6
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 4_2_00FBC644 | 4_2_00FBC644
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 4_2_00FB7693 | 4_2_00FB7693
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pdf.exe | Code function: 4_2_0596ACC8 | 4_2_0596ACC8
      Source: C:\Users\user\Desktop\DHLAWB# 9284880911 pd