
Analysis Report InvoicePOzGlybgcIc1vHasG.exe

Overview

General Information

Sample Name: InvoicePOzGlybgcIc1vHasG.exe
Analysis ID: 431840
MD5: 372a0f073e924d0411a1fb660840a4cb
SHA1: 4d7784beff50b79d456d7d18eeddf8fbaf66afb9
SHA256: babc65e527c875dbdd52604ef5ff4d2549958aaa59807a513d9008734754198c
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
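The signature "Hides that the sample has been downloaded from the Internet (zone.identifier)" refers to the Zone.Identifier alternate data stream (the mark of the web) that browsers and mail clients attach to downloaded files, and which the extracted configuration below clears (ClearZoneIdentifier: Enable). For triage of a suspected email attachment, the following Python is an added example, not code from the report or from NanoCore: it parses the stream's [ZoneTransfer] content, names the zone, and returns None for a file that carries no stream at all, which on a file known to have arrived by download is itself the finding. The sample stream content is constructed.

```python
from typing import Optional


def parse_zone_identifier(text: str) -> dict:
    """Parse the text of a Zone.Identifier alternate data stream.

    The stream is INI-like: a [ZoneTransfer] section holding ZoneId= and,
    depending on the downloading application, ReferrerUrl= and HostUrl=.
    Keys outside [ZoneTransfer] are ignored.
    """
    fields: dict = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if "ZoneId" in fields:
        try:
            fields["ZoneId"] = int(fields["ZoneId"])
        except ValueError:
            pass  # a malformed ZoneId is kept as the original string
    return fields


# URLZONE values as used by Windows.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def read_mark_of_the_web(path: str) -> Optional[dict]:
    """Return the parsed Zone.Identifier stream of `path`, or None when there is none.

    NTFS exposes the stream as `<file>:Zone.Identifier`; on other file systems,
    or after the stream has been deleted, the open fails and None is returned.
    """
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def came_from_internet(zone: Optional[dict]) -> bool:
    """True when the stream marks the file as downloaded (zone 3 or 4)."""
    return zone is not None and isinstance(zone.get("ZoneId"), int) and zone["ZoneId"] >= 3


# Constructed sample stream, modelled on what a browser writes for an attachment
# fetched from webmail; not taken from the report.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://mail.example.test/\r\n"
                 "HostUrl=https://mail.example.test/attachments/InvoicePOzGlybgcIc1vHasG.exe\r\n")

if __name__ == "__main__":
    zone = parse_zone_identifier(SAMPLE_STREAM)
    print(ZONE_NAMES.get(zone["ZoneId"]), zone.get("HostUrl"))
    # On the analysis machine this returns None once the RAT has cleared the stream.
    print(read_mark_of_the_web(r"C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe"))
```

A missing stream is only meaningful together with evidence of how the file arrived (mail logs, browser history, the $UsnJrnl entry for the original write), since files copied from a network share or extracted by some archivers never carry one.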

Process Tree

  • System is w10x64
  • InvoicePOzGlybgcIc1vHasG.exe (PID: 2168 cmdline: 'C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe' MD5: 372A0F073E924D0411A1FB660840A4CB)
    • schtasks.exe (PID: 5400 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OWNYQkAV' /XML 'C:\Users\user\AppData\Local\Temp\tmp6CCF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
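The schtasks.exe line in the tree is the persistence step: it imports a task definition from a temp file (tmp6CCF.tmp) under the name Updates\OWNYQkAV, and the same name reappears further down as the dropped file C:\Users\user\AppData\Roaming\OWNYQkAV.exe. The Python below is an added example, not part of the report or of NanoCore, that runs this pattern over process-creation events: it flags schtasks /Create invocations whose /XML argument points into a temp directory or whose parent process runs from a user-writable path. The event format and every sample line are constructed; the first line mirrors the command line shown in the tree, the others are benign look-alikes added for contrast.

```python
import re

# Constructed process-creation events in a compact "key=value | key=value" form
# carrying the fields Sysmon event 1 / Security 4688 provide. Not real log data.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\schtasks.exe | ParentImage=C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | CommandLine='C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\OWNYQkAV' /XML 'C:\Users\user\AppData\Local\Temp\tmp6CCF.tmp'",
    r"Image=C:\Windows\System32\schtasks.exe | ParentImage=C:\Windows\System32\svchost.exe | CommandLine=schtasks.exe /Create /TN \Microsoft\Windows\Defrag\ScheduledDefrag /XML C:\Windows\System32\Tasks\defrag.xml",
    r"Image=C:\Windows\System32\schtasks.exe | ParentImage=C:\Windows\explorer.exe | CommandLine=schtasks.exe /Query /TN Updates\Anything",
]

# /TN and /XML values, whether quoted with ', with " or bare.
ARG_RE = re.compile(r"/(TN|XML)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Split one constructed event line into its fields."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def suspicious_task_creation(event: dict):
    """Return a finding for a schtasks /Create that imports its definition from a
    temp directory or is launched from a user-writable path; None otherwise."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "")
    if not image.lower().endswith("\\schtasks.exe"):
        return None
    if not re.search(r"/create\b", cmd, re.IGNORECASE):
        return None
    args = {}
    for m in ARG_RE.finditer(cmd):
        args[m.group(1).upper()] = next(g for g in m.groups()[1:] if g is not None)
    reasons = []
    xml = args.get("XML")
    if xml and TEMP_DIR_RE.search(xml):
        reasons.append("task definition imported from a temp directory")
    if USER_WRITABLE_RE.match(parent):
        reasons.append("parent process runs from a user-writable path")
    if not reasons:
        return None
    return {"task": args.get("TN"), "xml": xml, "parent": parent, "reasons": reasons}


def scan(lines) -> list:
    """Run the check over every line and collect the findings."""
    findings = []
    for line in lines:
        finding = suspicious_task_creation(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["task"], "<-", f["xml"], "|", "; ".join(f["reasons"]))
```

The temp file is deleted right after import, so the task's XML has to be recovered from C:\Windows\System32\Tasks\Updates\OWNYQkAV (the stored copy) or from Microsoft-Windows-TaskScheduler/Operational event 106 rather than from the path in the command line.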

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "1fb9e357-3073-471b-ab6f-630ca123", "Group": "kmt", "Domain1": "kkmmtt.duckdns.org", "Domain2": "kmttk.hopto.org", "Port": 6060, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
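Every indicator worth deploying is already in this configuration: two dynamic-DNS C2 names, TCP port 6060, and a UseCustomDNS setting that, if the client honours it, sends its lookups straight to 8.8.8.8 and 8.8.4.4, so they never appear in the internal resolver's logs and must be caught as direct outbound DNS instead. The Python below is an added example, not the extractor's code nor NanoCore's: it derives indicators from the configuration fields above and runs them over constructed DNS and flow log lines, also flagging queries sent to non-corporate resolvers and any host under a dynamic-DNS parent domain. The DDNS provider list, the corporate resolver address and the log line format are assumptions; the C2 address comes from the Snort alerts further down in this report.

```python
import json
import re

# Relevant fields of the configuration extracted above, copied from the report.
CONFIG_JSON = ('{"Version": "1.2.2.0", "Mutex": "1fb9e357-3073-471b-ab6f-630ca123", '
               '"Group": "kmt", "Domain1": "kkmmtt.duckdns.org", "Domain2": "kmttk.hopto.org", '
               '"Port": 6060, "UseCustomDNS": "Enable", '
               '"PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}')

# C2 address from the Snort alerts in this report.
C2_IPS = {"194.5.98.87"}

# Parent domains of free dynamic-DNS providers (assumption: a starter list, not a catalogue).
DDNS_PARENTS = {"duckdns.org", "hopto.org", "no-ip.org", "ddns.net", "zapto.org"}

# Resolver hosts are expected to use in the constructed environment (assumption).
CORPORATE_RESOLVERS = {"192.168.2.1"}


def iocs_from_config(cfg: dict) -> dict:
    """Pull the deployable indicators out of an extracted NanoCore configuration."""
    domains = {cfg[k].lower() for k in ("Domain1", "Domain2") if cfg.get(k)}
    resolvers = set()
    if cfg.get("UseCustomDNS") == "Enable":
        resolvers = {cfg[k] for k in ("PrimaryDNSServer", "BackupDNSServer") if cfg.get(k)}
    return {"domains": domains, "port": int(cfg["Port"]),
            "mutex": cfg["Mutex"], "resolvers": resolvers}


def is_ddns(name: str) -> bool:
    """True when name is a host under one of the dynamic-DNS parent domains."""
    parts = name.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in DDNS_PARENTS for i in range(1, len(parts) - 1))


DNS_RE = re.compile(r"\bdns src=(\S+) dst=(\S+) q=(\S+)")
FLOW_RE = re.compile(r"\bflow src=\S+ dst=(\S+):(\d+) proto=(\w+)")


def detect(lines, iocs: dict, c2_ips=frozenset()):
    """Return (line, reasons) for every log line that matches an indicator."""
    hits = []
    for line in lines:
        reasons = []
        m = DNS_RE.search(line)
        if m:
            src, dst, qname = m.groups()
            qname = qname.lower().rstrip(".")
            if qname in iocs["domains"]:
                reasons.append("query for C2 domain from config")
            elif is_ddns(qname):
                reasons.append("query for dynamic-DNS host")
            if dst not in CORPORATE_RESOLVERS:
                reasons.append(f"resolver bypass: query sent to {dst}")
        else:
            m = FLOW_RE.search(line)
            if m:
                dst, port, proto = m.groups()
                if dst in c2_ips:
                    reasons.append("connection to known C2 address")
                if proto == "tcp" and int(port) == iocs["port"]:
                    reasons.append(f"tcp/{port} is the configured C2 port (low confidence alone)")
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed log lines (not from the report). Lines 1 and 2 replay what the sandbox
# observed; 3 and 4 are ordinary traffic; 5 is a DDNS query from another host.
SAMPLE_LOG = [
    "2021-06-01T10:00:01Z dns src=192.168.2.3 dst=8.8.8.8 q=kkmmtt.duckdns.org",
    "2021-06-01T10:00:05Z flow src=192.168.2.3:49722 dst=194.5.98.87:6060 proto=tcp",
    "2021-06-01T10:00:06Z dns src=192.168.2.3 dst=192.168.2.1 q=www.microsoft.com",
    "2021-06-01T10:00:07Z flow src=192.168.2.3:49800 dst=13.107.4.52:443 proto=tcp",
    "2021-06-01T10:01:00Z dns src=192.168.2.7 dst=192.168.2.1 q=somebox.hopto.org",
]

IOCS = iocs_from_config(json.loads(CONFIG_JSON))
HITS = detect(SAMPLE_LOG, IOCS, C2_IPS)

if __name__ == "__main__":
    for line, reasons in HITS:
        print(line, "->", "; ".join(reasons))
```

Dynamic-DNS names change their A record at will, so the domain, not 194.5.98.87, is the durable indicator; the port-only match is kept deliberately weak because 6060 is also used by legitimate software.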

Yara Overview

Memory Dumps

The .sdmp identifiers encode the process index, a dump stage and id, the dump's base address and its page protection; the matches at base 0x402000 with protection 0x40 (PAGE_EXECUTE_READWRITE) in process 4 are the unpacked NanoCore client image.

Source | Rule | Description | Author | Strings
Source: 00000004.00000000.241321715.0000000000402000.00000040.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000004.00000000.241321715.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000004.00000000.241321715.0000000000402000.00000040.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
Source: 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source: 00000004.00000002.479356402.0000000000402000.00000040.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(15 entries in total; only the first are shown in this extract)

      Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a2d893.13.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0x170b:$x1: NanoCore.ClientPluginHost
  • 0x1725:$x2: IClientNetworkHost
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a2d893.13.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x170b:$x2: NanoCore.ClientPluginHost
  • 0x34b6:$s4: PipeCreated
  • 0x16f8:$s5: IClientLoggingHost
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.367a59c.6.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0x2dbb:$x1: NanoCore.ClientPluginHost
  • 0x2de5:$x2: IClientNetworkHost
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.367a59c.6.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x2dbb:$x2: NanoCore.ClientPluginHost
  • 0x4c6b:$s4: PipeCreated
Source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detects the Nanocore RAT | Author: Florian Roth
  • 0xe38d:$x1: NanoCore.ClientPluginHost
  • 0xe3ca:$x2: IClientNetworkHost
  • 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(61 entries in total; only the first are shown in this extract)

      Sigma Overview

AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality:

Sigma detected: NanoCore (one match, listed under all four categories)
Source: File created | Author: Joe Security | Data: EventID: 11 (Sysmon file create), Image: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe, ProcessId: 6056, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
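The Sigma match is a Sysmon file-create event for run.dat inside a GUID-named folder under the user's Roaming profile, which is where the NanoCore client keeps its state. The Python below is an added example, not Joe Security's rule or its implementation: it sweeps every profile under a users root for that artifact, matching the shape of the folder name rather than this sample's D06ED635-68F6-4E9A-955C-4899F5F57B9A, which is a per-build value. The directory tree it runs on is constructed in a temporary directory; point sweep_profiles at C:\Users on a real host.

```python
import re
import tempfile
from pathlib import Path

# Folder name shape used by the NanoCore client under %APPDATA%: a GUID. Other
# builds use other GUIDs, so match the form, not this report's constant.
GUID_DIR_RE = re.compile(r"^[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}$", re.IGNORECASE)


def find_run_dat(roaming: Path) -> list:
    """run.dat files sitting directly inside a GUID-named folder of one Roaming dir."""
    hits = []
    if not roaming.is_dir():
        return hits
    for entry in roaming.iterdir():
        if entry.is_dir() and GUID_DIR_RE.match(entry.name):
            candidate = entry / "run.dat"
            if candidate.is_file():
                hits.append(candidate)
    return hits


def sweep_profiles(users_root: Path) -> dict:
    """Map profile name -> run.dat hits for every profile under users_root (C:\\Users)."""
    results = {}
    for profile in sorted(users_root.iterdir()):
        found = find_run_dat(profile / "AppData" / "Roaming")
        if found:
            results[profile.name] = found
    return results


def build_constructed_tree() -> Path:
    """Constructed fixture, not a disk image: one profile carrying the artifact from
    the Sigma match above, and one clean profile whose GUID-named folder (the kind
    many legitimate applications create) holds no run.dat."""
    root = Path(tempfile.mkdtemp(prefix="roaming-sweep-"))
    infected = root / "user" / "AppData" / "Roaming" / "D06ED635-68F6-4E9A-955C-4899F5F57B9A"
    infected.mkdir(parents=True)
    (infected / "run.dat").write_bytes(b"\x00" * 16)
    clean = root / "alice" / "AppData" / "Roaming" / "8F0B3A1C-1111-4222-8333-444455556666"
    clean.mkdir(parents=True)
    (clean / "settings.xml").write_text("<settings/>")
    (root / "alice" / "AppData" / "Roaming" / "Microsoft").mkdir()
    return root


if __name__ == "__main__":
    for profile, paths in sweep_profiles(build_constructed_tree()).items():
        for p in paths:
            print(profile, p)
```

A hit should be corroborated with the other artifacts this report ties to the same infection: the dropped OWNYQkAV.exe in the same Roaming directory and the scheduled task under Updates\.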

      Signature Overview


AV Detection:

Found malware configuration
Source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.raw.unpack | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "1fb9e357-3073-471b-ab6f-630ca123", "Group": "kmt", "Domain1": "kkmmtt.duckdns.org", "Domain2": "kmttk.hopto.org", "Port": 6060, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for domain / URL
Source: kmttk.hopto.org | Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\OWNYQkAV.exe | ReversingLabs: Detection: 10%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000004.00000000.241321715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.479356402.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.240960733.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.248195118.0000000003D71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: InvoicePOzGlybgcIc1vHasG.exe PID: 6056, type: MEMORY
Source: Yara match | File source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4661990.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4648ec9.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.464d4f2.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3d77e00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4648ec9.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4661990.9.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Uses 32bit PE files
Source: InvoicePOzGlybgcIc1vHasG.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Further static, file-access and debug-symbol evidence (no separate signature heading survived extraction):
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: InvoicePOzGlybgcIc1vHasG.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb | source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.483102030.00000000032A5000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb | source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.483102030.00000000032A5000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb | source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.483102030.00000000032A5000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb | source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb | source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb | source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.483102030.00000000032A5000.00000004.00000040.sdmp
Source: Binary string: ll\System.pdb | source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.482087676.0000000001507000.00000004.00000020.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb | source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.483102030.00000000032A5000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb | source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp
Source: Binary string: ll\mscorlib.pdb | source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.482087676.0000000001507000.00000004.00000020.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb | source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb | source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.483102030.00000000032A5000.00000004.00000040.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb | source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.252560663.0000000008050000.00000002.00000001.sdmp, InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.487773998.00000000057F0000.00000002.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb | source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp
The mscorlib, System and mscorrc .pdb entries are ordinary .NET runtime symbol references. The Visual Studio 2013 project paths (MyClientPlugin, NanoProtectClient, NanoCoreStressTester, NanoCoreBase, FileBrowserClient) are build paths compiled into NanoCore plugin assemblies; they all sit in the 0x4647000 dump that also matches the NanoCore Yara rules and are useful pivot strings for hunting other builds.
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_06A6F370
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 4x nop then mov esp, ebp | 4_2_031F80F1

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49722 -> 194.5.98.87:6060
The same alert fired for 16 further connections from 192.168.2.3 to 194.5.98.87:6060 (source ports 49727, 49729, 49730, 49733, 49734, 49738, 49743, 49744, 49745, 49746, 49747, 49750, 49751, 49752, 49753, 49754); each new source port is a fresh TCP connection to the same C2 endpoint.
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: kmttk.hopto.org
Source: Malware configuration extractor | URLs: kkmmtt.duckdns.org
Uses dynamic DNS services
Source: unknown | DNS query: name: kkmmtt.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.3:49722 -> 194.5.98.87:6060
Source: Joe Sandbox View | ASN Name: DANILENKODE DANILENKODE
Source: C:\Users\user\Desktop\InvoicePOzGlybgcIc1vHasG.exe | Code function: 4_2_03262936 WSARecv | 4_2_03262936
Source: unknown | DNS traffic detected: queries for: kkmmtt.duckdns.org
Most of the strings below are URLs from font metadata that the process mapped into memory (font-foundry sites such as fontbureau.com, founder.com.cn and sajatypeworks.com), many of them truncated or carrying trailing bytes from the memory scan; http://google.com sits in the same 0x4647000 dump as the NanoCore plugin strings, and the last entry is a Bootstrap CDN link. None of them appears in the observed DNS or TCP traffic, so they should not be treated as network indicators.
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.213265466.0000000000FCD000.00000004.00000001.sdmp | String found in binary or memory: http://en.wWD
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.241552978.00000000051E0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp, InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.217977217.00000000051E9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.218281882.00000000051ED000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersJ
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.217977217.00000000051E9000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersP
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.241552978.00000000051E0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.241552978.00000000051E0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comm
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.213633933.00000000051FB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.213654778.00000000051FB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comn
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.213633933.00000000051FB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comnn(6
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.215519323.00000000051E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.c
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.215751413.00000000051E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.215751413.00000000051E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/i
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.215498919.000000000521D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnl-p
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.216650078.00000000051E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.216650078.00000000051E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/V
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.216650078.00000000051E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.216650078.00000000051E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/a-e
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.216650078.00000000051E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ana
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.216650078.00000000051E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.216650078.00000000051E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.213633933.00000000051FB000.00000004.00000001.sdmp, InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.213633933.00000000051FB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.coma-d
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.213633933.00000000051FB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.coms
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.214817791.00000000051E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krH
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.213972429.00000000051FB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com)(u
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000003.214457549.00000000051FB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comnm
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.249023446.00000000052D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000000.00000002.247872551.0000000002D97000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Installs a raw input device (often for capturing keystrokes)
Source: InvoicePOzGlybgcIc1vHasG.exe, 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT: the same 17 Yara matches (memory dumps and unpacked PEs) listed under AV Detection above.

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000004.00000000.241321715.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000000.241321715.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.479356402.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000002.479356402.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000000.240960733.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000000.240960733.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.248195118.0000000003D71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.248195118.0000000003D71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.485726963.0000000003649000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.486935224.0000000004647000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: InvoicePOzGlybgcIc1vHasG.exe PID: 6056, type: MEMORY | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: InvoicePOzGlybgcIc1vHasG.exe PID: 6056, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a2d893.13.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.367a59c.6.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a1f463.11.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a36ac7.12.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.3606108.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 4.2.InvoicePOzGlybgcIc1vHasG.exe.4a2d893.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 4.0.InvoicePOzGlybgcIc1vHasG.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 0.2.InvoicePOzGlybgcIc1vHasG.exe.3ea8e00.2.raw.unpack, type: UNPACKEDPE