Joe Sandbox 32.0.0 Black Diamond (CloudBasic), analysis ID 403510
IR
Analysis start: 04/05/2021 06:51:27 (4 May 2021; the PowerShell transcript paths below carry the 20210504 date stamp)
Sample file name: Thag3EQkV3.exe
Cookbook: default.jbs
Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 (WINDOWS)
MD5:    46596598ee9fe7c1b4677cbbfe8a00bf
SHA1:   59eae73c4d6519a70f0be2df462af90c8f53a5b0
SHA256: 01049edaf2ce6f350d8309ed530221c8371faac224e408c778beb56c7211df19
File type (TrID): Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
Dropped / created files (path; flag as reported; MD5; SHA1; SHA256):

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Thag3EQkV3.exe.log
  flag: true   MD5: 2E016B886BDB8389D2DD0867BE55F87B   SHA1: 25D28EF2ACBB41764571E06E11BF4C05DD0E2F8B   SHA256: 1D037CF00A8849E6866603297F85D3DABE09535E72EDD2636FB7D0F6C7DA3427

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  flag: false  MD5: 4289DB95A6CDB207BA517F49C4A24D05   SHA1: 548752FCAA6FF477FCA724F04809A43692B29026   SHA256: D8BEF607E5237F2BDF202D39986BE376BCCFDE2AEA8DD6226E7CA2D70380FF03

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  flag: false  MD5: 754C024678ED1CDF33F3B5803B50C98D   SHA1: C2A79BAD448EE0C910B6601E48779287A622525B   SHA256: 2EA18101D538A33919657002B055AF4E57B29CE5452C53350827E91FE1F33853

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5hrep33y.yqe.psm1
  flag: false  MD5: C4CA4238A0B923820DCC509A6F75849B   SHA1: 356A192B7913B04C54574D18C28D46E6395428AB   SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f12zqadg.xi1.ps1
  flag: false  MD5: C4CA4238A0B923820DCC509A6F75849B   SHA1: 356A192B7913B04C54574D18C28D46E6395428AB   SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ktivmfxo.eba.psm1
  flag: false  MD5: C4CA4238A0B923820DCC509A6F75849B   SHA1: 356A192B7913B04C54574D18C28D46E6395428AB   SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rgu1nmop.ph5.ps1
  flag: false  MD5: C4CA4238A0B923820DCC509A6F75849B   SHA1: 356A192B7913B04C54574D18C28D46E6395428AB   SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uvwwrcl4.q0o.ps1
  flag: false  MD5: C4CA4238A0B923820DCC509A6F75849B   SHA1: 356A192B7913B04C54574D18C28D46E6395428AB   SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wajlphlf.nmw.psm1
  flag: false  MD5: C4CA4238A0B923820DCC509A6F75849B   SHA1: 356A192B7913B04C54574D18C28D46E6395428AB   SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

C:\Users\user\AppData\Local\Temp\tmp8204.tmp
  flag: true   MD5: D14D27982BB1E341E6C76DF133118CBA   SHA1: 019EB713294FE92A16AFBB02D6D04163C765038A   SHA256: 70BB25C92FD640D49AB95670C5CAC956B1F547B9DE926E7F8AE6BE3D5C135797

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
  flag: false  MD5: F15D8A964EB90E425BE1A8D14737C261   SHA1: EE64B9095C84589881EDD4A317280FC461360209   SHA256: F68636A717CDEEF69EA7AC43F1FC96DE8010565A16840C0B9924D27560E07BF4

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
  flag: true   MD5: 5E22D59515A7D7900E9D95C1C71BEAE6   SHA1: ADA625A0478EB2762E67565523C833ED8306D5B6   SHA256: 7BB7A7DAFCB215094BF61420BBC13BE7519DA99902B968BF9D124D56CA16C987

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
  flag: false  MD5: 4E5E92E2369688041CC82EF9650EDED2   SHA1: 15E44F2F3194EE232B44E9684163B6F66472C862   SHA256: F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
  flag: false  MD5: 27C5226E10AC55C8A6CEA5328C87F82A   SHA1: 25A1EDE5EA110A07BCCD617C233277614AEF93D1   SHA256: 6C2E803D5ABEC40BC313078A3A8F319D24F3975ACC04F39A47852B5F9AA12117

C:\Users\user\AppData\Roaming\dZmzbca.exe
  flag: true   MD5: 46596598EE9FE7C1B4677CBBFE8A00BF   SHA1: 59EAE73C4D6519A70F0BE2DF462AF90C8F53A5B0   SHA256: 01049EDAF2CE6F350D8309ED530221C8371FAAC224E408C778BEB56C7211DF19
  (same MD5/SHA1/SHA256 as the submitted sample: the sample copies itself to %AppData%)

C:\Users\user\AppData\Roaming\dZmzbca.exe:Zone.Identifier
  flag: false  MD5: 187F488E27DB4AF347237FE461A079AD   SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64   SHA256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

C:\Users\user\Documents\20210504\PowerShell_transcript.928100.0l+IhawI.20210504065226.txt
  flag: false  MD5: AE80BB0969755834B22C49E2710C1879   SHA1: 5E4D56A8ED215622758F13EF4FF40EE49B94667A   SHA256: 6D1D5D8D917C8AF594DD6C5B2D914F90B619CD5F4EC9452E455092FEDC4F19FB

C:\Users\user\Documents\20210504\PowerShell_transcript.928100.pjNT44Nw.20210504065226.txt
  flag: false  MD5: 3AFDFFF2BA546E1410B6BA47B9435731   SHA1: 96FC4BCE1BA6E26C8EB5608BDEF077F3E3D5B285   SHA256: 773E323B92C6F78BB31EB941A8E7C80B18276A7611F88310B5AC8900DFA8EBBB

C:\Users\user\Documents\20210504\PowerShell_transcript.928100.v0ZiGqw1.20210504065230.txt
  flag: false  MD5: 09A6D1ABE1086CECD57807AFC96A0203   SHA1: 7D7A2726E2F54C62C88C4957FC4EDB106CDECC29   SHA256: 6827BA8FAE92650D3A7D1D91EDD8D1022C089DEAE3A985658BF736882A30FB6F
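Two things in the dropped-file list deserve a check before any of these hashes go into a blocklist. First, the six __PSScriptPolicyTest_*.ps1/.psm1 files share one hash triple, which is the digest of the single byte "1" (MD5 c4ca4238..., SHA256 6b86b273...); PowerShell writes these one-byte files to probe the execution policy, so they are benign host noise, not indicators. Second, the dropped dZmzbca.exe has exactly the submitted sample's hashes, so the useful indicator is the copy location, not a new file. The Python below is an added example, not part of the report and not the sandbox vendor's code: it hashes candidate contents to identify tiny files from their digests alone (which also lets you test what the dZmzbca.exe:Zone.Identifier stream contained by trying plausible "[ZoneTransfer]" texts against the report's MD5), and it scans a directory tree against the report's SHA256 values. The candidate Zone.Identifier strings and the REPORT_SHA256 labels are my assumptions; the per-run .dat/.bin hashes under the GUID directory are weaker indicators than the path pattern itself.

```python
import hashlib
import sys
from pathlib import Path

# Digests copied from the report above (lower-cased). The submitted sample and
# the dropped %AppData%\dZmzbca.exe carry identical hashes: the drop is a self-copy.
SAMPLE_SHA256 = "01049edaf2ce6f350d8309ed530221c8371faac224e408c778beb56c7211df19"
REPORT_SHA256 = {
    SAMPLE_SHA256: "Thag3EQkV3.exe / dZmzbca.exe (submitted sample, self-copied)",
    "70bb25c92fd640d49ab95670c5cac956b1f547b9de926e7f8ae6be3d5c135797": "tmp8204.tmp",
    "f68636a717cdeef69ea7ac43f1fc96de8010565a16840c0b9924d27560e07bf4": "catalog.dat",
    "7bb7a7dafcb215094bf61420bbc13be7519da99902b968bf9d124d56ca16c987": "run.dat",
    "f8098a6290118f2944b9e7c842bd014377d45844379f863b00d54515a8a64b48": "settings.bin",
    "6c2e803d5abec40bc313078a3a8f319d24f3975acc04f39a47852b5f9aa12117": "storage.dat",
}
# MD5 the report lists for the dZmzbca.exe:Zone.Identifier alternate data stream.
ZONE_STREAM_MD5 = "187f488e27db4af347237fe461a079ad"

# Tiny files can be identified from a hash alone by hashing candidate contents.
# b"1" is what the __PSScriptPolicyTest_* files hold; the "[ZoneTransfer]" lines
# are assumed (constructed) candidates for a Zone.Identifier stream.
SMALL_FILE_CANDIDATES = [
    b"1",
    b"[ZoneTransfer]\r\nZoneId=0\r\n",
    b"[ZoneTransfer]\r\nZoneId=3\r\n",
    b"[ZoneTransfer]\r\nZoneId=0",
    b"[ZoneTransfer]\r\nZoneId=3",
]


def digests(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a byte string as lowercase hex (the report prints uppercase)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def recover_small_content(hexdigest: str, candidates=SMALL_FILE_CANDIDATES):
    """Return the candidate whose MD5, SHA1 or SHA256 equals hexdigest, else None."""
    hexdigest = hexdigest.lower()
    for candidate in candidates:
        if hexdigest in digests(candidate).values():
            return candidate
    return None


def classify(data: bytes) -> str:
    """Triage label for file content: report match, known tiny file, or no match."""
    sha256 = hashlib.sha256(data).hexdigest()
    if sha256 == SAMPLE_SHA256:
        return "match: NanoCore sample (" + REPORT_SHA256[sha256] + ")"
    if sha256 in REPORT_SHA256:
        return "match: " + REPORT_SHA256[sha256]
    if recover_small_content(sha256) is not None:
        return "ignore: tiny known-content file, not an indicator"
    return "no match"


def scan_tree(root: str) -> list:
    """Hash every regular file under root; return (path, label) for anything notable."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            label = classify(path.read_bytes())
            if label != "no match":
                hits.append((str(path), label))
    return hits


if __name__ == "__main__":
    zone = recover_small_content(ZONE_STREAM_MD5)
    print("Zone.Identifier stream content:", zone if zone else "not among candidates")
    for hit_path, label in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{label:55s} {hit_path}")
```

Run it against a suspect user profile to see which of the report's files are present; on a clean host only the policy-test noise (if any) should appear, labelled as ignorable.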
Network indicators:
  Contacted IPs: 192.168.2.1 (private address), 89.44.9.69
  Domain: securityveriservers.ddns.net   flag: true   resolved IP: 89.44.9.69
Behaviour signatures:
  - .NET source code contains potential unpacker
  - Adds a directory exclusion to Windows Defender
  - C2 URLs / IPs found in malware configuration
  - Hides that the sample has been downloaded from the Internet (zone.identifier)
  - Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
  - Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  - Uses dynamic DNS services
  - Uses schtasks.exe or at.exe to add and modify task schedules
  - Detected Nanocore Rat
  - Found malware configuration
  - Malicious sample detected (through community Yara rule)
  - Multi AV Scanner detection for dropped file
  - Multi AV Scanner detection for submitted file
  - Sigma detected: NanoCore
  - Sigma detected: Scheduled temp file as task from temp location
  - Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  - Yara detected AntiVM3
  - Yara detected Nanocore RAT
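Four of the signatures above (scheduled task created from a temp location, Defender directory exclusion, dynamic DNS, Zone.Identifier tampering) map directly onto telemetry a SOC already collects. The Python below is an added example, not part of the report and not the vendor's Sigma or Yara logic: it implements my own approximation of each check over Sysmon-style event dictionaries (EventID 1 process creation, 13 registry value set, 15 file stream created, 22 DNS query). The sample events are constructed for illustration; the report gives signature names only, not the command lines this sample ran, so the task name, exclusion path and command-line shapes are assumptions. The dynamic DNS suffix list and the allow-list of processes expected to write Zone.Identifier are also mine and should be tuned per estate.

```python
import re

# Constructed Sysmon-style events (not from the report): the file names and the
# domain are taken from the report, the command lines and task name are assumed.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /f /tn "Updater" /xml "C:\Users\user\AppData\Local\Temp\tmp8204.tmp"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"'},
    {"EventID": 22, "Image": r"C:\Users\user\AppData\Roaming\dZmzbca.exe",
     "QueryName": "securityveriservers.ddns.net"},
    {"EventID": 15, "Image": r"C:\Users\user\Desktop\Thag3EQkV3.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\dZmzbca.exe:Zone.Identifier"},
    # Benign controls: a task query, a normal DNS lookup, a browser download.
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "CommandLine": "schtasks.exe /query"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "www.microsoft.com"},
    {"EventID": 15, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\user\Downloads\report.pdf:Zone.Identifier"},
]

DDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.biz", ".duckdns.org", ".hopto.org")
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Processes that legitimately stamp downloads with a Zone.Identifier stream.
STREAM_WRITERS_OK = ("\\explorer.exe", "\\chrome.exe", "\\msedge.exe", "\\firefox.exe", "\\outlook.exe")


def rule_scheduled_task_from_temp(e):
    """schtasks /create whose command line references a file under a temp directory."""
    if e.get("EventID") != 1:
        return False
    image, cmd = e.get("Image", "").lower(), e.get("CommandLine", "").lower()
    return image.endswith("\\schtasks.exe") and "/create" in cmd and any(t in cmd for t in TEMP_DIRS)


def rule_defender_exclusion(e):
    """Add-/Set-MpPreference exclusion on the command line, or the exclusion key written directly."""
    if e.get("EventID") == 1:
        pattern = r"(add|set)-mppreference\s+.*-exclusion(path|process|extension)"
        return re.search(pattern, e.get("CommandLine", ""), re.I) is not None
    if e.get("EventID") == 13:
        return "\\windows defender\\exclusions\\" in e.get("TargetObject", "").lower()
    return False


def rule_dynamic_dns(e):
    """DNS query for a name under a dynamic DNS provider."""
    return e.get("EventID") == 22 and e.get("QueryName", "").lower().endswith(DDNS_SUFFIXES)


def rule_zone_identifier_write(e):
    """Zone.Identifier stream written by something other than a browser/shell/mail client."""
    if e.get("EventID") != 15:
        return False
    target, image = e.get("TargetFilename", "").lower(), e.get("Image", "").lower()
    return target.endswith(":zone.identifier") and not image.endswith(STREAM_WRITERS_OK)


RULES = {
    "scheduled_task_from_temp": rule_scheduled_task_from_temp,
    "defender_exclusion": rule_defender_exclusion,
    "dynamic_dns": rule_dynamic_dns,
    "zone_identifier_write": rule_zone_identifier_write,
}


def detect(events):
    """Return (event index, rule name) pairs for every rule that fires."""
    hits = []
    for idx, event in enumerate(events):
        for name, rule in RULES.items():
            if rule(event):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in detect(EVENTS):
        print(f"event {idx}: {name} <- {EVENTS[idx].get('CommandLine') or EVENTS[idx].get('QueryName') or EVENTS[idx].get('TargetFilename')}")
```

None of the four rules is conclusive on its own (administrators add Defender exclusions, installers create tasks from Temp), but two or more firing for the same process tree within minutes, together with a copy of the binary appearing under %AppData%, is the combination the report above describes.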