33.0.0 White Diamond
IR
452642
CloudBasic
17:14:21
22/07/2021
R6093846s-Invoice-Receipt.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
MD5: cd0645cb78b55f0babbdbc4d51f23bd8
SHA1: f5221832b2b4b7338bc21e42f7e2c983d82dbdf4
SHA256: 5b618273e08f4e9633ec359cff551345d0dabf0c64da9d3b5437d1c88c4bd226
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\R6093846s-Invoice-Receipt.exe.log
true
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C

C:\Users\user\AppData\Local\Temp\tmpCCAD.tmp
true
MD5: 10825A068F66AFA5B707A7B3CDAB7FFF
SHA1: 2DD947530450B2144FA27C0947F8A3CC1088E075
SHA256: AF1419ABF53B8CC7904C4909ACB750191BC45C248C266D22EB3C542F3D8B9C5B

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
false
MD5: DF9DF69B9BDF9E9F14ACBA7F6AAA0439
SHA1: F69C499EA98CB3B3FC303A8C19017F150D2FDAA1
SHA256: 172CAF6D0566CCDAD43210FC178D55B2D12F18070F4978B27AFBE2EECB904239

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
true
MD5: 87A19E60362ADB0A4C4DEDA315D07F62
SHA1: 6340BAD06709D73A2D2946AC49CB5FC77B1E4DA7
SHA256: 548F2F89D08DD063284AA4FEA0BE342B4BF8C1516613EA3DC945C294DE8816D8

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
false
MD5: ACD3FB4310417DC77FE06F15B0E353E6
SHA1: 80E7002E655EB5765FDEB21114295CB96AD9D5EB
SHA256: DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
false
MD5: BB0F9B9992809E733EFFF8B0E562CFD6
SHA1: F0BAB3CF73A04F5A689E6AFC764FEE9276992742
SHA256: C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
false
MD5: 6AB7A5BD77B3380B3DAC6164123D58C8
SHA1: 1732E82902857F97E49541719EA46CFB88FCA68B
SHA256: B89A2604B568E5D5435CE1885752739E481E83C08063DEA8FBC5CF271C0BA6D7

C:\Users\user\AppData\Roaming\UALCBPTejUQxQ.exe
true
MD5: CD0645CB78B55F0BABBDBC4D51F23BD8
SHA1: F5221832B2B4B7338BC21E42F7E2C983D82DBDF4
SHA256: 5B618273E08F4E9633EC359CFF551345D0DABF0C64DA9D3B5437D1C88C4BD226
192.168.2.1
185.244.26.194
omaprilcode.duckdns.org
true
185.244.26.194
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT