32.0.0 Black Diamond
IR
432024
CloudBasic
16:56:45
09/06/2021
xtxr8lHa5F.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
MD5: c89c05d0f2853fa30b535aa2544006e5
SHA-1: 2e3a6adc296d26732a3c61ac761052b8793f7da0
SHA-256: b2ec2e506bc9741873e39cc6fdc07802a1180136657582ae807d5f6112cfc02a
Win32 Executable (generic) Net Framework (10011505/4) 49.80%
true
false
false
false
100
0
100
5
0
5
false
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
flag: false
MD5: D621FD77BD585874F9686D3A76462EF1
SHA-1: ABCAE05EE61EE6292003AABD8C80583FA49EDDA2
SHA-256: 2CA7CF7146FB8209CF3C6CECB1C5AA154C61E046DC07AFA05E8158F2C0DDE2F6

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log
flag: true
MD5: 486580834B084C92AE1F3866166C9C34
SHA-1: C8EB7E1CEF55A6C9EB931487E9AA4A2098AACEDF
SHA-256: 65C5B1213E371D449E2A239557A5F250FEA1D3473A1B5C4C5FF7492085F663FB

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
flag: false
MD5: C7F28B87C2CAD111D929CB9A0FF822F8
SHA-1: C2CF9E7A3F6EFD9000FE76EBE54E4E9AE5754267
SHA-256: D1B02C20EACF464229AB063FA947A525E2ED7772259A8F70C7205DC13599EAE6

C:\Users\user\AppData\Local\Temp\tmp604E.tmp
flag: false
MD5: 3E2B26ED8B75AE83A269595180E84EF6
SHA-1: D30A0335FCCE406BCA8BA5764288235E6192F608
SHA-256: 108BE30AEB8EB31C185A39A6726F26DACBC4E4124951C61A29ADE4B7038C71EA

C:\Users\user\AppData\Local\Temp\tmp6502.tmp
flag: false
MD5: 5C2F41CFC6F988C859DA7D727AC2B62A
SHA-1: 68999C85FC7E37BAB9216E0099836D40D4545C1C
SHA-256: 98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B

C:\Users\user\AppData\Local\Temp\tmp76E9.tmp
flag: true
MD5: EE08731F2635FB10A5E1E6F0747AB40F
SHA-1: E0D3F0D3F2177ECC73C45479FA66DFC14C5306DF
SHA-256: E441C2F354D1D3AA8DA9E3B2CB2737C95905B88DF668C2F9D111C9A4D2025E52

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
flag: false
MD5: 838CD9DBC78EA45A5406EAE23962086D
SHA-1: C8273AACDEE03AC0CDCDDBAA83F51D04D6A4203C
SHA-256: 6E11A62511C5BBC0413128305069B780C448684B54FAA3E8DD0B4FD3DB8C9867

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
flag: true
MD5: 8531FB0CEC5F18EBD29FF0B57BC853B0
SHA-1: D7ACB93014DF7917C55380CE5F8E2C10D0E12EBE
SHA-256: A393F6022ED56CAF64A0865D97006C38620212D769CE5EA8B924683B700A1754

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
flag: false
MD5: AE0F5E6CE7122AF264EC533C6B15A27B
SHA-1: 1265A495C42EED76CC043D50C60C23297E76CCE1
SHA-256: 73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
flag: false
MD5: 6ECAFC0490DAB08E4A288E0042B6B613
SHA-1: 4A4529907588505FC65CC9933980CFE6E576B3D6
SHA-256: DC5F76FBF44B3E6CDDC14EA9E5BB9B6BD3A955197FE13F33F7DDA7ECC08E79E0

C:\Users\user\AppData\Roaming\rOKWrJ.exe
flag: true
MD5: C89C05D0F2853FA30B535AA2544006E5
SHA-1: 2E3A6ADC296D26732A3C61AC761052B8793F7DA0
SHA-256: B2EC2E506BC9741873E39CC6FDC07802A1180136657582AE807D5F6112CFC02A

\Device\ConDrv
flag: false
MD5: 6A9888952541A41F033EB114C24DC902
SHA-1: 41903D7C8F31013C44572E09D97B9AAFBBCE77E6
SHA-256: 41A61D0084CD7884BEA1DF02ED9213CB8C83F4034F5C8156FC5B06D6A3E133CE
82.64.141.173
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Nanocore RAT