32.0.0 Black Diamond
IR
431840
CloudBasic
Analysis time: 12:25:52 09/06/2021
Sample name: InvoicePOzGlybgcIc1vHasG.exe
Cookbook: default.jbs
Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Platform: WINDOWS
MD5: 372a0f073e924d0411a1fb660840a4cb
SHA1: 4d7784beff50b79d456d7d18eeddf8fbaf66afb9
SHA256: babc65e527c875dbdd52604ef5ff4d2549958aaa59807a513d9008734754198c
File type: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Files created during analysis:

Path | Flag (unlabelled in source) | MD5 | SHA1 | SHA256
--- | --- | --- | --- | ---
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\InvoicePOzGlybgcIc1vHasG.exe.log | false | B1DB55991C3DA14E35249AEA1BC357CA | 0DD2D91198FDEF296441B12F1A906669B279700C | 34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
C:\Users\user\AppData\Local\Temp\tmp6CCF.tmp | true | 65B8E874E8C7B722282D9EAE22636205 | 3911D252BE06E717C92BCB33596F612990551227 | EACBBD33FFFD20262DB15EB1844EDA88C36B74111D4E9AEE14F5AC6D9571D8B8
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat | false | 3F16EC9869DEDFFEC07792CA71B87AB5 | 124F3AAEB04E11DEA7361736CE472750D237D3D2 | 1A187F3EF38284FF4EE2B20D6021C884E42FC72284F2DA858D7E389CE9C7D0E9
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat | true | 175E573A6A264D22DEF1E0549EE24B19 | D304CB912B1E7CB1B3A38E4F6A06C073D2CD868D | 08D59D3DF6BB432EB397E6FDC2900B8180BB9F6877D7A9875526ABE2EC9E2F3C
C:\Users\user\AppData\Roaming\OWNYQkAV.exe | true | 372A0F073E924D0411A1FB660840A4CB | 4D7784BEFF50B79D456D7D18EEDDF8FBAF66AFB9 | BABC65E527C875DBDD52604EF5FF4D2549958AAA59807A513D9008734754198C
C:\Users\user\AppData\Roaming\OWNYQkAV.exe:Zone.Identifier | false | 187F488E27DB4AF347237FE461A079AD | 6693BA299EC1881249D59262276A0D2CB21F8E64 | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C2 IP: 194.5.98.87
C2 domain: kkmmtt.duckdns.org
Signatures:

- .NET source code contains potential unpacker
- C2 URLs / IPs found in malware configuration
- Hides that the sample has been downloaded from the Internet (zone.identifier)
- Initial sample is a PE file and has a suspicious name
- Injects a PE file into a foreign process
- Tries to detect sandboxes and other dynamic analysis tools (process name, module or function)
- Uses dynamic DNS services
- Uses schtasks.exe or at.exe to add and modify task schedules
- Detected NanoCore RAT
- Found malware configuration
- Icon mismatch: binary includes an icon from a different legitimate application in order to fool users
- Malicious sample detected (through community Yara rule)
- Multi AV Scanner detection for domain / URL
- Multi AV Scanner detection for dropped file
- Sigma detected: NanoCore
- Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
- Yara detected AntiVM3
- Yara detected Nanocore RAT