Version: 33.0.0 White Diamond
IR
Analysis ID: 452441
Product: CloudBasic
Start time: 11:09:09
Start date: 22/07/2021
Sample: Document.1-xml.eml.exe
Cookbook: default.jbs
Analysis system: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
OS: WINDOWS
MD5: 4d48e3cbfc19b5729b6c7a968a957805
SHA1: 4863e913b2e5709d9ed8c5937ae046e2edeee152
SHA256: 45cf5d850ca6806fd9b55ef35a2ebe8aa2d9b724b67f96eac270c44d1a85e810
File type: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
true
false
false
false
100
0
100
5
0
5
false
Dropped files (path, true/false flag as reported, MD5, SHA1, SHA256):

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
  flag:   true
  MD5:    4D48E3CBFC19B5729B6C7A968A957805
  SHA1:   4863E913B2E5709D9ED8C5937AE046E2EDEEE152
  SHA256: 45CF5D850CA6806FD9B55EF35A2EBE8AA2D9B724B67F96EAC270C44D1A85E810

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
  flag:   false
  MD5:    187F488E27DB4AF347237FE461A079AD
  SHA1:   6693BA299EC1881249D59262276A0D2CB21F8E64
  SHA256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

C:\Users\user\AppData\Local\Temp\tmp3A3F.tmp
  flag:   true
  MD5:    F02D946FE2EDA095757A14A5D6B3BF6C
  SHA1:   2AFBD7F5FBE2CA13357D9BE3DCAAF5F7162D32D4
  SHA256: 2BF693A2ADB49A20EE00B31714B8E284F8FE4090D4CEC038AC799DE677B91C03

C:\Users\user\AppData\Local\Temp\tmp3DCA.tmp
  flag:   false
  MD5:    5C2F41CFC6F988C859DA7D727AC2B62A
  SHA1:   68999C85FC7E37BAB9216E0099836D40D4545C1C
  SHA256: 98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
  flag:   false
  MD5:    0D79388CEC6619D612C2088173BB6741
  SHA1:   8A312E3198009C545D0CF3254572189D29A03EA7
  SHA256: D7D423B23D932E306F3CCB2F7A984B7036A042C007A43FD655C6B57B960BB8DF

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
  flag:   true
  MD5:    74D4095194671D1DA20222ADFA1C18BC
  SHA1:   4B47B8408E276625224DE42E215599003B266077
  SHA256: 3244CA869DD5C5746ACA3A8B6BD25780FE44BCD7AC82256D9DC93F42FDEE325A

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
  flag:   false
  MD5:    B6A68884FD59FC6156B731FD07370D3F
  SHA1:   287D7FE38B4353680C61C163FF0FD407CA5D9161
  SHA256: EB08A56415072B846D03AECB1A5FD7B9570F90F79F92D6C7DDD37ACFBF28ED19

IP: 194.5.98.136
Signatures:
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Uses schtasks.exe or at.exe to add and modify task schedules
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT