32.0.0 Black Diamond
IR
431795
CloudBasic
10:35:15
09/06/2021
POInvoiceOrderIuVvcl0VWEOAmXy.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
fb1eb909e34c22f21310565cf4b71563
f301810874ac9b59aef7c5ca3d8377e35e4906ba
acfd6ceddcb0f24e6a170eb64cfbbb1af4876bcda5fb572c36330b1f6208a84e
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Detected Nanocore Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT