
Analysis Report Balance Payment pdf.exe

Overview

General Information

Sample Name: Balance Payment pdf.exe
Analysis ID: 404098
MD5: d4fad25d6c1355a4c67213e0dd62f306
SHA1: 28470472420f3b1062ed51a67a45e638929a99d0
SHA256: a5f9d3b38612d88169c4cf6f934a93fcf3bbd772f2f3e5ac1e4a7f0b4ce6d115
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Non Interactive PowerShell
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Balance Payment pdf.exe (PID: 6956 cmdline: 'C:\Users\user\Desktop\Balance Payment pdf.exe' MD5: D4FAD25D6C1355A4C67213E0DD62F306)
    • powershell.exe (PID: 7156 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Balance Payment pdf.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4596 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\hYnuhetGj.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6396 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\hYnuhetGj' /XML 'C:\Users\user\AppData\Local\Temp\tmpD240.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 5804 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\hYnuhetGj.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 5724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Balance Payment pdf.exe (PID: 5976 cmdline: C:\Users\user\Desktop\Balance Payment pdf.exe MD5: D4FAD25D6C1355A4C67213E0DD62F306)
    • Balance Payment pdf.exe (PID: 6884 cmdline: C:\Users\user\Desktop\Balance Payment pdf.exe MD5: D4FAD25D6C1355A4C67213E0DD62F306)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "e64c9aca-1b5d-4ef8-a2af-039c3760", "Group": "101", "Domain1": "23.105.131.190", "Domain2": "", "Port": 4040, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000D.00000002.918498051.0000000005900000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
0000000D.00000002.918498051.0000000005900000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
00000000.00000002.698203410.00000000036C9000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1fa565:$x1: NanoCore.ClientPluginHost
  • 0x22cd85:$x1: NanoCore.ClientPluginHost
  • 0x1fa5a2:$x2: IClientNetworkHost
  • 0x22cdc2:$x2: IClientNetworkHost
  • 0x1fe0d5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x2308f5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.698203410.00000000036C9000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.698203410.00000000036C9000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x1fa2cd:$a: NanoCore
  • 0x1fa2dd:$a: NanoCore
  • 0x1fa511:$a: NanoCore
  • 0x1fa525:$a: NanoCore
  • 0x1fa565:$a: NanoCore
  • 0x22caed:$a: NanoCore
  • 0x22cafd:$a: NanoCore
  • 0x22cd31:$a: NanoCore
  • 0x22cd45:$a: NanoCore
  • 0x22cd85:$a: NanoCore
  • 0x1fa32c:$b: ClientPlugin
  • 0x1fa52e:$b: ClientPlugin
  • 0x1fa56e:$b: ClientPlugin
  • 0x22cb4c:$b: ClientPlugin
  • 0x22cd4e:$b: ClientPlugin
  • 0x22cd8e:$b: ClientPlugin
  • 0x150638:$c: ProjectData
  • 0x1fa453:$c: ProjectData
  • 0x22cc73:$c: ProjectData
  • 0x1fae5a:$d: DESCrypto
  • 0x22d67a:$d: DESCrypto

Unpacked PEs

Source | Rule | Description | Author | Strings
13.2.Balance Payment pdf.exe.404b0e6.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0x145e3:$x1: NanoCore.ClientPluginHost
  • 0x2d087:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
  • 0x14610:$x2: IClientNetworkHost
  • 0x2d0b4:$x2: IClientNetworkHost
13.2.Balance Payment pdf.exe.404b0e6.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x145e3:$x2: NanoCore.ClientPluginHost
  • 0x2d087:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0x156be:$s4: PipeCreated
  • 0x2e162:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
  • 0x145fd:$s5: IClientLoggingHost
  • 0x2d0a1:$s5: IClientLoggingHost
13.2.Balance Payment pdf.exe.404b0e6.3.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
13.2.Balance Payment pdf.exe.404b0e6.3.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xddf:$a: NanoCore
  • 0xe38:$a: NanoCore
  • 0xe75:$a: NanoCore
  • 0xeee:$a: NanoCore
  • 0x14599:$a: NanoCore
  • 0x145ae:$a: NanoCore
  • 0x145e3:$a: NanoCore
  • 0x2d03d:$a: NanoCore
  • 0x2d052:$a: NanoCore
  • 0x2d087:$a: NanoCore
  • 0xe41:$b: ClientPlugin
  • 0xe7e:$b: ClientPlugin
  • 0x177c:$b: ClientPlugin
  • 0x1789:$b: ClientPlugin
  • 0x14355:$b: ClientPlugin
  • 0x14370:$b: ClientPlugin
  • 0x143a0:$b: ClientPlugin
  • 0x145b7:$b: ClientPlugin
  • 0x145ec:$b: ClientPlugin
  • 0x2cdf9:$b: ClientPlugin
  • 0x2ce14:$b: ClientPlugin
13.2.Balance Payment pdf.exe.59e4629.8.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\Balance Payment pdf.exe, ProcessId: 6884, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\Balance Payment pdf.exe, ProcessId: 6884, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Balance Payment pdf.exe', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Balance Payment pdf.exe', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Users\user\Desktop\Balance Payment pdf.exe' , ParentImage: C:\Users\user\Desktop\Balance Payment pdf.exe, ParentProcessId: 6956, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\Balance Payment pdf.exe', ProcessId: 7156

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\Balance Payment pdf.exe, ProcessId: 6884, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\Balance Payment pdf.exe, ProcessId: 6884, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 0000000D.00000002.917233484.0000000004009000.00000004.00000001.sdmp; Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "e64c9aca-1b5d-4ef8-a2af-039c3760", "Group": "101", "Domain1": "23.105.131.190", "Domain2": "", "Port": 4040, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\hYnuhetGj.exe; ReversingLabs: Detection: 17%
Multi AV Scanner detection for submitted file
Source: Balance Payment pdf.exe; ReversingLabs: Detection: 17%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.698203410.00000000036C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.918667020.00000000059E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.917233484.0000000004009000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.913942813.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Balance Payment pdf.exe PID: 6884, type: MEMORY
Source: Yara match; File source: 13.2.Balance Payment pdf.exe.404b0e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.Balance Payment pdf.exe.59e4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.Balance Payment pdf.exe.59e0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.Balance Payment pdf.exe.59e0000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.Balance Payment pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Balance Payment pdf.exe.38b33d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.Balance Payment pdf.exe.4054545.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Balance Payment pdf.exe.38b33d8.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.Balance Payment pdf.exe.404ff1c.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.Balance Payment pdf.exe.404ff1c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Balance Payment pdf.exe.376df28.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\hYnuhetGj.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Balance Payment pdf.exe; Joe Sandbox ML: detected
Source: 13.2.Balance Payment pdf.exe.59e0000.9.unpack; Avira: Label: TR/NanoCore.fadte
Source: 13.2.Balance Payment pdf.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: Balance Payment pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Balance Payment pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: n.pdb source: powershell.exe, 00000003.00000003.857931919.0000000009313000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49743 -> 23.105.131.190:4040
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49746 -> 23.105.131.190:4040
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49748 -> 23.105.131.190:4040
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49749 -> 23.105.131.190:4040
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49750 -> 23.105.131.190:4040
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49755 -> 23.105.131.190:4040
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49760 -> 23.105.131.190:4040
Source: Traffic; Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49768 -> 23.105.131.190:4040
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: 23.105.131.190
Source: Malware configuration extractor; URLs:
Source: global traffic; TCP traffic: 192.168.2.4:49743 -> 23.105.131.190:4040
Source: Joe Sandbox View; ASN Name: LEASEWEB-USA-NYC-11US LEASEWEB-USA-NYC-11US
Source: unknown; TCP traffic detected without corresponding DNS query: 23.105.131.190
Source: powershell.exe, 00000003.00000003.805355542.0000000009323000.00000004.00000001.sdmp; String found in binary or memory: http://crl.mQi
Source: powershell.exe, 00000003.00000003.784289077.0000000007B37000.00000004.00000001.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Balance Payment pdf.exe, 00000000.00000002.689387795.00000000026C1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Balance Payment pdf.exe; String found in binary or memory: http://vbcity.com/forums/t/51894.aspx
Source: powershell.exe, 00000003.00000003.784289077.0000000007B37000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Balance Payment pdf.exe; String found in binary or memory: https://github.com/MrCylops
Source: powershell.exe, 00000003.00000003.784289077.0000000007B37000.00000004.00000001.sdmp; String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000003.807446956.0000000009BAB000.00000004.00000001.sdmp; String found in binary or memory: https://go.mic)
Source: powershell.exe, 00000005.00000003.805132736.0000000005AF0000.00000004.00000001.sdmp; String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000003.789746829.00000000053AE000.00000004.00000001.sdmp; String found in binary or memory: https://go.micro(J
Source: Balance Payment pdf.exe, 00000000.00000002.689387795.00000000026C1000.00000004.00000001.sdmp; String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: Balance Payment pdf.exe, 00000000.00000002.686029590.0000000000A78000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Balance Payment pdf.exe, 0000000D.00000002.917233484.0000000004009000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000000.00000002.698203410.00000000036C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.918667020.00000000059E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.917233484.0000000004009000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.913942813.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: Balance Payment pdf.exe PID: 6884, type: MEMORY
Source: Yara match; File source: 13.2.Balance Payment pdf.exe.404b0e6.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.Balance Payment pdf.exe.59e4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.Balance Payment pdf.exe.59e0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.Balance Payment pdf.exe.59e0000.9.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.Balance Payment pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Balance Payment pdf.exe.38b33d8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.Balance Payment pdf.exe.4054545.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Balance Payment pdf.exe.38b33d8.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.Balance Payment pdf.exe.404ff1c.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.Balance Payment pdf.exe.404ff1c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Balance Payment pdf.exe.376df28.3.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000D.00000002.918498051.0000000005900000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.698203410.00000000036C9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.698203410.00000000036C9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.918667020.00000000059E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0000000D.00000002.917233484.0000000004009000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.913942813.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0000000D.00000002.913942813.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Balance Payment pdf.exe PID: 6884, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: Balance Payment pdf.exe PID: 6884, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Balance Payment pdf.exe.404b0e6.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 13.2.Balance Payment pdf.exe.404b0e6.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Balance Payment pdf.exe.59e4629.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 13.2.Balance Payment pdf.exe.59e0000.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 13.2.Balance Payment pdf.exe.59e0000.9.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 13.2.Balance Payment pdf.exe.5900000.7.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 13.2.Balance Payment pdf.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 13.2.Balance Payment pdf.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Balance Payment pdf.exe.38b33d8.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.Balance Payment pdf.exe.38b33d8.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Balance Payment pdf.exe.4054545.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 13.2.Balance Payment pdf.exe.302ddb4.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.Balance Payment pdf.exe.38b33d8.2.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.Balance Payment pdf.exe.38b33d8.2.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.Balance Payment pdf.exe.404ff1c.5.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 13.2.Balance Payment pdf.exe.404ff1c.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.Balance Payment pdf.exe.376df28.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0.2.Balance Payment pdf.exe.376df28.3.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: Balance Payment pdf.exe
Source: C:\Users\user\Desktop\Balance Payment pdf.exe; Code function: 0_2_008AC2B0
Source: C:\Users\user\Desktop\Balance Payment pdf.exe; Code function: 0_2_008A9990
Source: C:\Users\user\Desktop\Balance Payment pdf.exe; Code function: 13_2_0121E471
Source: C:\Users\user\Desktop\Balance Payment pdf.exe; Code function: 13_2_0121E480
Source: C:\Users\user\Desktop\Balance Payment pdf.exe; Code function: 13_2_0121BBD4
Source: C:\Users\user\Desktop\Balance Payment pdf.exe; Code function: 13_2_054EF5F8
Source: C:\Users\user\Desktop\Balance Payment pdf.exe; Code function: 13_2_054E9788
Source: C:\Users\user\Desktop\Balance Payment pdf.exe; Code function: 13_2_054EA5E1
Source: C:\Users\user\Desktop\Balance Payment pdf.exe; Code function: 13_2_054EA610
Source: Balance Payment pdf.exe, 00000000.00000000.647263631.0000000000298000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameWindowsRuntimeMetadata.exe> vs Balance Payment pdf.exe
Source: Balance Payment pdf.exe, 00000000.00000002.686029590.0000000000A78000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs Balance Payment pdf.exe
Source: Balance Payment pdf.exe, 00000000.00000002.689387795.00000000026C1000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSimpleUI.dll( vs Balance Payment pdf.exe
Source: Balance Payment pdf.exe, 00000000.00000002.712149270.0000000005960000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameDSASignature.dll@ vs Balance Payment pdf.exe
Source: Balance Payment pdf.exe, 00000000.00000002.713667239.000000000B6B0000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs Balance Payment pdf.exe
Source: Balance Payment pdf.exe, 00000000.00000002.713667239.000000000B6B0000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Balance Payment pdf.exe
Source: Balance Payment pdf.exe, 00000000.00000002.712963528.000000000B5C0000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs Balance Payment pdf.exe
Source: Balance Payment pdf.exe, 0000000B.00000000.667550205.0000000000288000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameWindowsRuntimeMetadata.exe> vs Balance Payment pdf.exe
Source: Balance Payment pdf.exe, 0000000D.00000002.920282198.0000000006D30000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Balance Payment pdf.exe
Source: Balance Payment pdf.exe, 0000000D.00000002.914132580.0000000000BA8000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameWindowsRuntimeMetadata.exe> vs Balance Payment pdf.exe
Source: Balance Payment pdf.exe, 0000000D.00000002.916481975.0000000003001000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Balance Payment pdf.exe
Source: Balance Payment pdf.exe, 0000000D.00000002.917233484.0000000004009000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameLzma#.dll4 vs Balance Payment pdf.exe
Source: Balance Payment pdf.exe, 0000000D.00000002.917233484.0000000004009000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Balance Payment pdf.exe
Source: Balance Payment pdf.exe, 0000000D.00000002.918806526.0000000006150000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamemscorrc.dllT vs Balance Payment pdf.exe
Source: Balance Payment pdf.exe, 0000000D.00000002.915099428.000000000122A000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs Balance Payment pdf.exe
Source: Balance Payment pdf.exe; Binary or memory string: OriginalFilenameWindowsRuntimeMetadata.exe> vs Balance Payment pdf.exe
Source: C:\Users\user\Desktop\Balance Payment pdf.exe; Section loaded: windows.staterepositoryps.dll
Source: Balance Payment pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0000000D.00000002.918498051.0000000005900000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.918498051.0000000005900000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000D.00000002.918498051.0000000005900000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000000.00000002.698203410.00000000036C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.698203410.00000000036C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000002.918667020.00000000059E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000D.00000002.918667020.00000000059E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000D.00000002.917233484.0000000004009000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000D.00000002.913942813.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000D.00000002.913942813.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: Balance Payment pdf.exe PID: 6884, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: Balance Payment pdf.exe PID: 6884, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.Balance Payment pdf.exe.404b0e6.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.Balance Payment pdf.exe.404b0e6.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.Balance Payment pdf.exe.404b0e6.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.Balance Payment pdf.exe.59e4629.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.Balance Payment pdf.exe.59e4629.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.Balance Payment pdf.exe.59e0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.Balance Payment pdf.exe.59e0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.Balance Payment pdf.exe.59e0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.Balance Payment pdf.exe.59e0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.Balance Payment pdf.exe.5900000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.Balance Payment pdf.exe.5900000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.Balance Payment pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.Balance Payment pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.Balance Payment pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.Balance Payment pdf.exe.38b33d8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Balance Payment pdf.exe.38b33d8.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Balance Payment pdf.exe.38b33d8.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.Balance Payment pdf.exe.4054545.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.Balance Payment pdf.exe.4054545.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.Balance Payment pdf.exe.302ddb4.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.Balance Payment pdf.exe.302ddb4.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Balance Payment pdf.exe.38b33d8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Balance Payment pdf.exe.38b33d8.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Balance Payment pdf.exe.38b33d8.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.Balance Payment pdf.exe.404ff1c.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.Balance Payment pdf.exe.404ff1c.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.Balance Payment pdf.exe.404ff1c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.Balance Payment pdf.exe.404ff1c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Balance Payment pdf.exe.376df28.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Balance Payment pdf.exe.376df28.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Balance Payment pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: hYnuhetGj.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 13.2.Balance Payment pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 13.2.Balance Payment pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 13.2.Balance Payment pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: classification engineClassification label: mal100.troj.evad.winEXE@17/20@0/1
      Source: C:\Users\user\Desktop\Balance Payment pdf.exeFile created: C:\Users\user\AppData\Roaming\hYnuhetGj.exeJump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5724:120:WilError_01
      Source: C:\Users\user\Desktop\Balance Payment pdf.exeMutant created: \Sessions\1\BaseNamedObjects\KebJbSdYcpCWTYHT
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6172:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4484:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3496:120:WilError_01
      Source: C:\Users\user\Desktop\Balance Payment pdf.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{e64c9aca-1b5d-4ef8-a2af-039c3760277c}
      Source: C:\Users\user\Desktop\Balance Payment pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmpD240.tmpJump to behavior
      Source: Balance Payment pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Balance Payment pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\Balance Payment pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\Balance Payment pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
      Source: C:\Users\user\Desktop\Balance Payment pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: Balance Payment pdf.exe, 00000000.00000002.689387795.00000000026C1000.00000004.00000001.sdmpBinary or m