Analysis Report POInvoiceOrderIuVvcl0VWEOAmXy.exe

Overview

General Information

Sample Name: POInvoiceOrderIuVvcl0VWEOAmXy.exe
Analysis ID: 431795
MD5: fb1eb909e34c22f21310565cf4b71563
SHA1: f301810874ac9b59aef7c5ca3d8377e35e4906ba
SHA256: acfd6ceddcb0f24e6a170eb64cfbbb1af4876bcda5fb572c36330b1f6208a84e
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • POInvoiceOrderIuVvcl0VWEOAmXy.exe (PID: 6140 cmdline: 'C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe' MD5: FB1EB909E34C22F21310565CF4B71563)
    • schtasks.exe (PID: 5904 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\KbWjJvsRSE' /XML 'C:\Users\user\AppData\Local\Temp\tmp220B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "1fb9e357-3073-471b-ab6f-630ca123", "Group": "kmt", "Domain1": "kkmmtt.duckdns.org", "Domain2": "kmttk.hopto.org", "Port": 6060, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source: 00000004.00000002.463995578.0000000000402000.00000040.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000004.00000002.463995578.0000000000402000.00000040.00000001.sdmp, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
Source: 00000004.00000002.463995578.0000000000402000.00000040.00000001.sdmp, Rule: NanoCore, Description: unknown, Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
Source: 00000004.00000002.471906228.0000000005730000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 00000004.00000002.471906228.0000000005730000.00000004.00000001.sdmp, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
(20 further entries not shown)

Unpacked PEs

Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5730000.8.raw.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5730000.8.raw.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4351990.4.unpack, Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Author: Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4351990.4.unpack, Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Author: Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4351990.4.unpack, Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Author: Joe Security
(46 further entries not shown)

Sigma Overview

Sigma detected: NanoCore (listed under AV Detection, E-Banking Fraud, Stealing of Sensitive Information and Remote Access Functionality)
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe, ProcessId: 1084, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: 00000004.00000002.471023992.000000000433F000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "1fb9e357-3073-471b-ab6f-630ca123", "Group": "kmt", "Domain1": "kkmmtt.duckdns.org", "Domain2": "kmttk.hopto.org", "Port": 6060, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for domain / URL
Source: kmttk.hopto.org, Virustotal: Detection: 6%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000004.00000002.463995578.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.232483645.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.471023992.000000000433F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.231248149.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.234767836.0000000003EF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.472281390.0000000005C60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: POInvoiceOrderIuVvcl0VWEOAmXy.exe PID: 1084, type: MEMORY
Source: Yara match, File source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4351990.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c60000.11.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4351990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.402cd10.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4355fb9.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c64629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c60000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.402cd10.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.3ef7e00.1.raw.unpack, type: UNPACKEDPE
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c60000.11.unpack, Avira: Label: TR/NanoCore.fadte
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.1.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe, File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\ntNlgumrQW\src\obj\x86\Debug\DictionaryValueCollection.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: Binary string: mscorlib.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000003.415457537.00000000014C3000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.472266831.0000000005C50000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
Source: Binary string: indows\System.pdbpdbtem.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.240015874.00000000081C0000.00000002.00000001.sdmp, POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.471848695.00000000056C0000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.466494396.0000000001675000.00000004.00000040.sdmp
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe, Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (1_2_084FF138)

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49715 -> 194.5.98.87:6060
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49717 -> 194.5.98.87:6060
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49727 -> 194.5.98.87:6060
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49733 -> 194.5.98.87:6060
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49736 -> 194.5.98.87:6060
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49742 -> 194.5.98.87:6060
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49743 -> 194.5.98.87:6060
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49747 -> 194.5.98.87:6060
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49752 -> 194.5.98.87:6060
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49753 -> 194.5.98.87:6060
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49755 -> 194.5.98.87:6060
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49756 -> 194.5.98.87:6060
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49761 -> 194.5.98.87:6060
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49762 -> 194.5.98.87:6060
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49763 -> 194.5.98.87:6060
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49764 -> 194.5.98.87:6060
Source: Traffic, Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49765 -> 194.5.98.87:6060
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: kmttk.hopto.org
Source: Malware configuration extractor, URLs: kkmmtt.duckdns.org
Uses dynamic DNS services
Source: unknown, DNS query: name: kkmmtt.duckdns.org
Source: global traffic, TCP traffic: 192.168.2.3:49715 -> 194.5.98.87:6060
Source: Joe Sandbox View, ASN Name: DANILENKODE DANILENKODE
Source: unknown, DNS traffic detected: queries for: kkmmtt.duckdns.org
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.205717116.000000000533D000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersT
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.237751926.0000000005330000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comion
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.237751926.0000000005330000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comionoO
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.237751926.0000000005330000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comm
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.198622750.000000000534B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.198676184.000000000534B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comn4
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.198649241.000000000534B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comt
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.200422874.0000000005334000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/MI
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.200705399.0000000005334000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/r
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.200403684.000000000536D000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnl-p
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.202469085.0000000005334000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/2
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.202469085.0000000005334000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/=
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.202469085.0000000005334000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/O
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.202469085.0000000005334000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/V
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.202469085.0000000005334000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0e
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.202469085.0000000005334000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/i
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.202469085.0000000005334000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.202469085.0000000005334000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/s
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.202469085.0000000005334000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/z
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.198622750.000000000534B000.00000004.00000001.sdmp, POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.198622750.000000000534B000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com5
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.198622750.000000000534B000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.comn-u
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.199811798.0000000005339000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.199811798.0000000005339000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.krnta
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000003.198915643.000000000534B000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.238749561.0000000006542000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.234244146.0000000002F17000.00000004.00000001.sdmp, String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.471023992.000000000433F000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT (the same Yara matches as listed under AV Detection above)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.463995578.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000004.00000002.463995578.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.471906228.0000000005730000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000004.00000000.232483645.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000004.00000000.232483645.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.472266831.0000000005C50000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000004.00000000.231248149.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000004.00000000.231248149.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.234767836.0000000003EF1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000001.00000002.234767836.0000000003EF1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.472281390.0000000005C60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: POInvoiceOrderIuVvcl0VWEOAmXy.exe PID: 1084, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: POInvoiceOrderIuVvcl0VWEOAmXy.exe PID: 1084, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5730000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4351990.4.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c50000.9.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c60000.11.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4351990.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.402cd10.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.402cd10.2.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4355fb9.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.32f162c.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c64629.10.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.32f64a8.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.0.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c60000.11.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.32f162c.2.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.402cd10.2.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.402cd10.2.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.3ef7e00.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
      Source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.3ef7e00.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_04EF16E2 NtQuerySystemInformation
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_04EF16B1 NtQuerySystemInformation
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_050E85A0
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_050EF228
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_050E8280
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_050E0AA0
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_050E93BF
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_050E93D0
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_050E9608
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_050E9618
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_050E8271
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_050E0A93
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F0070
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F289A
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084FBCB8
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084FC0B0
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084FB968
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F0A58
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F1228
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084FC6E0
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F1B48
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F9340
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F0006
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084FA038
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F4CD0
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F4CE0
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F48F8
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F4150
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F4160
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F850F
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F4908
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F8590
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F1218
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F9A28
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F36C8
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F56D9
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F8AF0
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F36B9
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F8B48
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F1B42
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F4B40
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084FA768
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F5778
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F4718
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F4728
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F4B30
Source: C:\Users\user\Desktop\POInvoiceOrderIuVvcl0VWEOAmXy.exe | Code function: 1_2_084F97C8
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KbWjJvsRSE.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.240684237.0000000008220000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKygo.dll* vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.240015874.00000000081C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.236656130.00000000040E4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.233192925.00000000008F8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDictionaryValueCollection.exe. vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.241506811.0000000008700000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.241595592.00000000087F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.241595592.00000000087F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.471906228.0000000005730000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.471750476.0000000005620000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.471023992.000000000433F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.471023992.000000000433F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.472266831.0000000005C50000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoProtectClient.dllT vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.472842498.0000000006650000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000000.230828833.0000000000D28000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDictionaryValueCollection.exe. vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000004.00000002.471848695.00000000056C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe | Binary or memory string: OriginalFilenameDictionaryValueCollection.exe. vs POInvoiceOrderIuVvcl0VWEOAmXy.exe
Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000004.00000002.463995578.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.463995578.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.471906228.0000000005730000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.471906228.0000000005730000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000000.232483645.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000000.232483645.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.472266831.0000000005C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.472266831.0000000005C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000000.231248149.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000000.231248149.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.234767836.0000000003EF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.234767836.0000000003EF1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.472281390.0000000005C60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.472281390.0000000005C60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: POInvoiceOrderIuVvcl0VWEOAmXy.exe PID: 1084, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: POInvoiceOrderIuVvcl0VWEOAmXy.exe PID: 1084, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5730000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5730000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4351990.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4351990.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c50000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c50000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c60000.11.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5c60000.11.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4351990.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4351990.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.402cd10.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.402cd10.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.402cd10.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4355fb9.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.4355fb9.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Inte
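The YARA-match rows (both the summary table near the top of this section and the detailed metadata table above), the "Code function" rows and the "OriginalFilename ... vs ..." rows are what an analyst typically has to lift out of a Joe Sandbox report for triage or for a ticket. The Python below is an added example, not part of this report and not Joe Sandbox code: it parses evidence lines in the fused form the extracted page shows (column label glued onto the preceding cell, function id printed twice, "key = value" rule metadata) into records and aggregates them per rule, per named native API and per mismatched internal filename. The five sample lines are copied verbatim from this report; the field names, the regexes and the summary shape are the example's own choices and not a documented Joe Sandbox format.

```python
"""Parse Joe Sandbox signature-evidence lines, as they appear in the report
above, into structured records and summarize them.  Added example; not part of
the report and not Joe Sandbox code."""
import re
from collections import Counter, defaultdict

# Cell labels the report renders as separate table columns.  Text extraction
# fused each label onto the preceding cell ("...MEMORYMatched rule: ..."), so
# the source cell is taken as everything before the first label.
LABELS = ("Matched rule:", "Code function:", "Binary or memory string:",
          "Static PE information:")
LINE_RE = re.compile(r"^Source:\s*(?P<source>.*?)(?P<label>"
                     + "|".join(map(re.escape, LABELS)) + r")\s*(?P<value>.*)$")
# "1_2_04EF16E2 NtQuerySystemInformation,1_2_04EF16E2" or "1_2_050E85A01_2_050E85A0":
# the function id appears twice (address and function columns); drop the repeat.
FUNC_RE = re.compile(r"^(?P<fid>\d+_\d+_[0-9A-F]{8})\s*(?P<apis>.*?),?(?P=fid)$")
META_SPLIT = re.compile(r",\s*(?=\w+ = )")          # "key = value, key = value"
ORIG_RE = re.compile(r"OriginalFilename(?P<name>.+?\.(?:dll\.mui|dll|exe|mui))")


def parse_source(src):
    """Split 'dump, type: MEMORY' into (dump, type); the type cell may be absent."""
    if ", type: " in src:
        dump, typ = src.rsplit(", type: ", 1)
        return dump.strip(), typ.strip()
    return src.strip(), None


def parse_rule(value):
    """Summary rows read 'NanoCore Author: X'; detail rows read 'Name k = v, k = v'."""
    if " Author: " in value:
        name, author = value.split(" Author: ", 1)
        return {"rule": name.strip(), "meta": {"author": author.strip()}}
    name, _, rest = value.partition(" ")
    meta = {}
    for item in META_SPLIT.split(rest):
        key, sep, val = item.partition(" = ")
        if sep:
            meta[key.strip()] = val.strip()
    return {"rule": name, "meta": meta}


def parse_line(line):
    """Return a dict for one evidence line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    label, value = m.group("label"), m.group("value")
    dump, typ = parse_source(m.group("source"))
    rec = {"kind": label.rstrip(":"), "source": dump, "source_type": typ}
    if label == "Matched rule:":
        rec.update(parse_rule(value))
    elif label == "Code function:":
        f = FUNC_RE.match(value)
        rec["function"] = f.group("fid") if f else value
        rec["apis"] = [a for a in f.group("apis").split(",") if a.strip()] if f else []
    elif label == "Binary or memory string:":
        # "OriginalFilenameKygo.dll* vs POInvoice...exe": the byte after the
        # name is dump noise, so the name is cut at its file extension.
        found, _, sample = value.partition(" vs ")
        o = ORIG_RE.search(found)
        rec["original_filename"] = o.group("name") if o else None
        rec["sample"] = sample.strip()
        rec["name_mismatch"] = bool(o) and o.group("name").lower() != sample.strip().lower()
    else:
        rec["info"] = value
    return rec


def summarize(lines):
    """Aggregate: distinct dumps per YARA rule, named native APIs, mismatched names."""
    rules, authors, apis, mismatches = defaultdict(set), {}, Counter(), set()
    for r in filter(None, map(parse_line, lines)):
        if r["kind"] == "Matched rule":
            rules[r["rule"]].add(r["source"])
            authors.setdefault(r["rule"], r["meta"].get("author"))
        elif r["kind"] == "Code function":
            apis.update(a.strip() for a in r["apis"])
        elif r["kind"] == "Binary or memory string" and r["name_mismatch"]:
            mismatches.add(r["original_filename"])
    return {"rules": {k: sorted(v) for k, v in rules.items()}, "authors": authors,
            "native_apis": dict(apis), "original_filenames": sorted(mismatches)}


# Sample input: five evidence lines copied verbatim from the report above.
SAMPLE = [
    "Source: 00000004.00000000.231248149.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>",
    "Source: 4.2.POInvoiceOrderIuVvcl0VWEOAmXy.exe.5730000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/",
    "Source: C:\\Users\\user\\Desktop\\POInvoiceOrderIuVvcl0VWEOAmXy.exeCode function: 1_2_04EF16E2 NtQuerySystemInformation,1_2_04EF16E2",
    "Source: C:\\Users\\user\\Desktop\\POInvoiceOrderIuVvcl0VWEOAmXy.exeCode function: 1_2_050E85A01_2_050E85A0",
    "Source: POInvoiceOrderIuVvcl0VWEOAmXy.exe, 00000001.00000002.240684237.0000000008220000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKygo.dll* vs POInvoiceOrderIuVvcl0VWEOAmXy.exe",
]

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE), indent=2))
```

Feed it the whole report (one evidence line per list element) and `summarize` gives the set of dumps each YARA rule fired on, which native APIs the code-function rows name, and every internal name that differs from the on-disk filename (here Kygo.dll, ClientPlugin.dll, NanoProtectClient.dll and the others listed above). Note that the summary table reports some rules by their description ("Detetcs the Nanocore RAT") rather than by rule name, so the same hit can appear under two keys when both tables are parsed together.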