Joe Sandbox analysis report
Sandbox version: 32.0.0 Black Diamond (CloudBasic)
Analysis ID: 404165
Date and time: 04/05/2021 19:08:52
Sample: Invoice No F1019855_PDF.vbs
Cookbook: default.jbs
Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 (WINDOWS)
MD5:    ce4dcec84bfeba49404fa70f5d137645
SHA1:   c31021953c59af126d0095bea70c26ca02a2d954
SHA256: ca85b069b028fc30a2af436344eae332ad6afe8a7e3904a48ee63948ab6c3133
File type: Visual Basic Script (13500/0) 100.00%
Verdict: malicious (score 100 on a 0 to 100 scale; confidence 5 on a 0 to 5 scale)
Unlabelled source fields, kept verbatim: IR; false
Dropped files (one record per file: path, flag, MD5, SHA1, SHA256; the flag is true for every file except ame.exe.log)

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe  flag: true
  MD5    86A588C5A10A04AF998DBAD9FF9A31D1
  SHA1   8AC3E114D36F6674BF64D7F45221207E8575EA62
  SHA256 B9F40A82EB141D2C09E9FDF133B80DCEB4163C89471CEC7AF84DB2141C5D51A5

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log  flag: true
  MD5    61CCF53571C9ABA6511D696CB0D32E45
  SHA1   A13A42A20EC14942F52DB20FB16A0A520F8183CE
  SHA256 3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Notepads.exe.log  flag: true
  MD5    BEBB66F4CB83D5C34857FE75DE3A8610
  SHA1   66FB475AADAE0D4542125C8E272D9D6BBFA555BB
  SHA256 C1A8084313E66497C9F53D0F65E85AC2D4A840AF7FEBCCCFB3924F54BCF1BADC

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ame.exe.log  flag: false
  MD5    C8A62E39DE7A3F805D39384E8BABB1E0
  SHA1   B32B1257401F17A2D1D5D3CC1D8C1E072E3FEE31
  SHA256 A7BC127854C5327ABD50C86000BF10586B556A5E085BB23523B07A15DD4C5383

C:\Users\user\AppData\Local\Temp\ame.exe  flag: true
  MD5    F7F64EC1756119F19D52FB140E22382F
  SHA1   C4FA973B801D954562FE00AC7BD2C6D051AE6E2F
  SHA256 C676638B019D810CE392CADCF8F0719F76F305D380D69BA93A6FC60A3F92E2C7

C:\Users\user\AppData\Local\Temp\fi.exe  flag: true
  MD5    86A588C5A10A04AF998DBAD9FF9A31D1
  SHA1   8AC3E114D36F6674BF64D7F45221207E8575EA62
  SHA256 B9F40A82EB141D2C09E9FDF133B80DCEB4163C89471CEC7AF84DB2141C5D51A5

C:\Users\user\AppData\Local\Temp\tmp4DD8.tmp.vbs  flag: true
  MD5    13B68193AE7BF8E04468F23B2F878751
  SHA1   FBCB57D90B7ADFEB963E54ED0000610B6F88B939
  SHA256 97931461E7E1E8D01E0045A33E823D4B25AB89A7FC2BDD2A6BC79FE45DCF34C4

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat  flag: true
  MD5    CC22F0048AEA8CDC7CFBCF7E10818E98
  SHA1   D27C83B167C3FAA39B8B9D10ECDB01D244D18A55
  SHA256 35A0A75FA2AC5DF4A72BC15E1C68536D4B09C9EFB506BC3CF8CF33AD207AAAC1

C:\Users\user\AppData\Roaming\Notepads.exe  flag: true
  MD5    F7F64EC1756119F19D52FB140E22382F
  SHA1   C4FA973B801D954562FE00AC7BD2C6D051AE6E2F
  SHA256 C676638B019D810CE392CADCF8F0719F76F305D380D69BA93A6FC60A3F92E2C7

fi.exe and dhcpmon.exe carry identical hashes (the same binary in two locations), as do ame.exe and Notepads.exe: each Temp-stage executable reappears under a persistence path.
Network

Contacted IPs: 191.96.25.26, 192.168.2.1 (private address), 79.137.109.121
Domain: sys2021.linkpc.net (dynamic DNS) resolves to 79.137.109.121, flag: false
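The following script is an added example and is not part of the sandbox report. It re-enters five of the nine dropped-file records above as constructed input in the same one-field-per-line layout the extraction left behind (path, flag, MD5, SHA1, SHA256), validates each hash field by length and character set, groups the drops by SHA256 so the Temp-stage binary can be tied to the persistence copy that shares its hash, and separates the public contacted IPs from the private 192.168.2.1 address. The function names, the RFC 1918 filter and the inline sample are this example's own.

```python
import re
from collections import defaultdict

# Constructed input: five of the nine dropped-file records from the report,
# copied in the flattened layout (one field per line: path, flag, MD5,
# SHA1, SHA256). The run.dat, vbs and two *.log records are omitted.
FLATTENED = r"""
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
true
86A588C5A10A04AF998DBAD9FF9A31D1
8AC3E114D36F6674BF64D7F45221207E8575EA62
B9F40A82EB141D2C09E9FDF133B80DCEB4163C89471CEC7AF84DB2141C5D51A5
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ame.exe.log
false
C8A62E39DE7A3F805D39384E8BABB1E0
B32B1257401F17A2D1D5D3CC1D8C1E072E3FEE31
A7BC127854C5327ABD50C86000BF10586B556A5E085BB23523B07A15DD4C5383
C:\Users\user\AppData\Local\Temp\ame.exe
true
F7F64EC1756119F19D52FB140E22382F
C4FA973B801D954562FE00AC7BD2C6D051AE6E2F
C676638B019D810CE392CADCF8F0719F76F305D380D69BA93A6FC60A3F92E2C7
C:\Users\user\AppData\Local\Temp\fi.exe
true
86A588C5A10A04AF998DBAD9FF9A31D1
8AC3E114D36F6674BF64D7F45221207E8575EA62
B9F40A82EB141D2C09E9FDF133B80DCEB4163C89471CEC7AF84DB2141C5D51A5
C:\Users\user\AppData\Roaming\Notepads.exe
true
F7F64EC1756119F19D52FB140E22382F
C4FA973B801D954562FE00AC7BD2C6D051AE6E2F
C676638B019D810CE392CADCF8F0719F76F305D380D69BA93A6FC60A3F92E2C7
"""

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def parse_drops(text):
    """Group the flattened lines into five-field records and validate hashes.

    Raises ValueError on a truncated record, an unexpected flag value or a
    hash that is not hex of the right length, so a damaged extraction is
    rejected instead of silently producing bad IOCs."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 5:
        raise ValueError("line count %d is not a multiple of 5" % len(lines))
    records = []
    for i in range(0, len(lines), 5):
        path, flag, md5, sha1, sha256 = lines[i:i + 5]
        if flag not in ("true", "false"):
            raise ValueError("bad flag %r for %s" % (flag, path))
        for name, value in (("md5", md5), ("sha1", sha1), ("sha256", sha256)):
            if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % HEX_LEN[name], value):
                raise ValueError("bad %s %r for %s" % (name, value, path))
        records.append({"path": path, "flag": flag == "true",
                        "md5": md5.lower(), "sha1": sha1.lower(),
                        "sha256": sha256.lower()})
    return records


def link_by_hash(records):
    """Return SHA256 -> paths for every hash seen under more than one path.

    A hash that appears twice is one binary in two locations, which is how a
    Temp-stage drop is tied to the copy it made for persistence."""
    by_hash = defaultdict(list)
    for rec in records:
        by_hash[rec["sha256"]].append(rec["path"])
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


# RFC 1918 ranges; the sandbox's own 192.168.2.1 is not a network IOC.
PRIVATE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def network_iocs(ips, domains):
    """Keep only public IPs, plus the domain -> IP pairs worth hunting."""
    public = sorted(ip for ip in ips if not PRIVATE.match(ip))
    return {"ips": public, "domains": dict(domains)}


if __name__ == "__main__":
    drops = parse_drops(FLATTENED)
    for sha256, paths in link_by_hash(drops).items():
        print(sha256[:16], "->", " == ".join(paths))
    # Contacted IPs and the domain resolution from the report's network section.
    print(network_iocs(["191.96.25.26", "192.168.2.1", "79.137.109.121"],
                       [("sys2021.linkpc.net", "79.137.109.121")]))
```

Run as-is it reports that dhcpmon.exe and fi.exe are one file and that ame.exe and Notepads.exe are another, and lists 191.96.25.26 and 79.137.109.121 as the external addresses; feed it the full nine-record block and the .log and run.dat entries simply come through as single-path records.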
Signatures

- .NET source code contains potential unpacker
- .NET source code references suspicious native API functions
- C2 URLs / IPs found in malware configuration
- Connects to many ports of the same IP (likely port scanning)
- Contains functionality to log keystrokes (.Net Source)
- Hides that the sample has been downloaded from the Internet (zone.identifier)
- Machine Learning detection for dropped file
- Potential malicious VBS script found (has network functionality)
- Sigma detected: WScript or CScript Dropper
- Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
- Uses schtasks.exe or at.exe to add and modify task schedules

- Antivirus detection for dropped file
- Benign windows process drops PE files
- Detected Nanocore Rat
- Found malware configuration
- Malicious sample detected (through community Yara rule)
- Multi AV Scanner detection for dropped file
- Multi AV Scanner detection for submitted file
- Sigma detected: NanoCore
- VBScript performs obfuscated calls to suspicious functions
- Yara detected AsyncRAT
- Yara detected Nanocore RAT