Windows Analysis Report Eral_order_8499248_pdf.exe

Overview

General Information

Sample Name: Eral_order_8499248_pdf.exe
Analysis ID: 499571
MD5: c87a4d4a3d7055d3fb628e9f5034200a
SHA1: fcaea92aebebd7ed940e1fab475a99d4bb08c45b
SHA256: 5925ea17cc4efd2b4f52887a3d669aa83c52e3aa14df43c7f275d2d9d33ad5df
Tags: exe
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Sigma detected: NanoCore
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Yara detected Nanocore RAT
Detected unpacking (creates a PE file in dynamic memory)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000001.00000002.556639770.00000000038ED000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "8eff5e85-5667-437d-b37d-ffe758cd", "Group": "NETH", "Domain1": "185.157.162.92", "Domain2": "", "Port": 2036, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for submitted file
Source: Eral_order_8499248_pdf.exe Virustotal: Detection: 38% Perma Link
Yara detected Nanocore RAT
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Eral_order_8499248_pdf.exe.e801458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.39016e4.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eral_order_8499248_pdf.exe.e7f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.39016e4.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eral_order_8499248_pdf.exe.e801458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.4840000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.5d20a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.23c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.5d20a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Eral_order_8499248_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.4800000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.36e16e4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.5224629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Eral_order_8499248_pdf.exe.e7f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eral_order_8499248_pdf.exe.e801458.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.3905d0d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.4980000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Eral_order_8499248_pdf.exe.e801458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eral_order_8499248_pdf.exe.e7f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.3663258.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.5220000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.36dc8ae.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.3663258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.5288d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.5220000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.23c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.36e16e4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.5288d0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.38fc8ae.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.4800000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Eral_order_8499248_pdf.exe.e7f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.556639770.00000000038ED000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.557530361.0000000005220000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.556147476.0000000002881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.300118720.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000001.317135947.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.302913256.000000000E7F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.553982010.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.335925171.0000000003661000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.335611612.00000000005C4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.318858456.000000000E7F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.555999309.00000000023C0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.556927651.0000000004982000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336058089.0000000004800000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.335435218.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.554316233.000000000051A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336095821.0000000004842000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 6636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 2932, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 5284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 6592, type: MEMORYSTR
Machine Learning detection for sample
Source: Eral_order_8499248_pdf.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsd3EE2.tmp\cbehatjjoa.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\nsp5C2E.tmp\cbehatjjoa.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.1.Eral_order_8499248_pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.2.Eral_order_8499248_pdf.exe.4840000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.Eral_order_8499248_pdf.exe.4980000.8.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.Eral_order_8499248_pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.Eral_order_8499248_pdf.exe.5220000.10.unpack Avira: Label: TR/NanoCore.fadte
Source: 8.2.Eral_order_8499248_pdf.exe.400000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.1.Eral_order_8499248_pdf.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Unpacked PE file: 1.2.Eral_order_8499248_pdf.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Unpacked PE file: 8.2.Eral_order_8499248_pdf.exe.400000.1.unpack
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Unpacked PE file: 1.2.Eral_order_8499248_pdf.exe.4980000.8.unpack
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Unpacked PE file: 8.2.Eral_order_8499248_pdf.exe.4840000.8.unpack
Uses 32bit PE files
Source: Eral_order_8499248_pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: Binary string: wntdll.pdbUGP source: Eral_order_8499248_pdf.exe, 00000000.00000003.292397035.000000000E9D0000.00000004.00000001.sdmp, Eral_order_8499248_pdf.exe, 00000007.00000003.313372407.000000000E840000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: Eral_order_8499248_pdf.exe, 00000000.00000003.292397035.000000000E9D0000.00000004.00000001.sdmp, Eral_order_8499248_pdf.exe, 00000007.00000003.313372407.000000000E840000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_00405EC2 FindFirstFileA,FindClose, 0_2_00405EC2
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054EC
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_00404A29 FindFirstFileExW, 1_2_00404A29
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_00405EC2 FindFirstFileA,FindClose, 7_2_00405EC2
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 7_2_004054EC
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_00402671 FindFirstFileA, 7_2_00402671
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_2_00404A29 FindFirstFileExW, 8_2_00404A29
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_1_00404A29 FindFirstFileExW, 8_1_00404A29

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs:
Source: Malware configuration extractor URLs: 185.157.162.92
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OBE-EUROPEObenetworkEuropeSE OBE-EUROPEObenetworkEuropeSE
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49750 -> 185.157.162.92:2036
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.162.92
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.162.92
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.162.92
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.162.92
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.162.92
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.162.92
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.162.92
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.162.92
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.162.92
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.162.92
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.162.92
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.162.92
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.162.92
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.162.92
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.162.92
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.162.92
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.162.92
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.162.92
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.162.92
Source: unknown TCP traffic detected without corresponding DNS query: 185.157.162.92
Source: Eral_order_8499248_pdf.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Eral_order_8499248_pdf.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a DirectInput object (often for capturing keystrokes)
Source: Eral_order_8499248_pdf.exe, 00000000.00000002.301349083.00000000006BA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: Eral_order_8499248_pdf.exe, 00000001.00000002.556639770.00000000038ED000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_00404FF1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FF1

E-Banking Fraud:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Eral_order_8499248_pdf.exe.e801458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.39016e4.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eral_order_8499248_pdf.exe.e7f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.39016e4.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eral_order_8499248_pdf.exe.e801458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.4840000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.5d20a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.23c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.5d20a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Eral_order_8499248_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.4800000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.36e16e4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.5224629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Eral_order_8499248_pdf.exe.e7f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eral_order_8499248_pdf.exe.e801458.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.3905d0d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.4980000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Eral_order_8499248_pdf.exe.e801458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eral_order_8499248_pdf.exe.e7f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.3663258.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.5220000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.36dc8ae.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.3663258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.5288d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.5220000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.23c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.36e16e4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.5288d0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.38fc8ae.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.4800000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Eral_order_8499248_pdf.exe.e7f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.556639770.00000000038ED000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.557530361.0000000005220000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.556147476.0000000002881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.300118720.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000001.317135947.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.302913256.000000000E7F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.553982010.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.335925171.0000000003661000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.335611612.00000000005C4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.318858456.000000000E7F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.555999309.00000000023C0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.556927651.0000000004982000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336058089.0000000004800000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.335435218.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.554316233.000000000051A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336095821.0000000004842000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 6636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 2932, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 5284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 6592, type: MEMORYSTR

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 8.2.Eral_order_8499248_pdf.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Eral_order_8499248_pdf.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.Eral_order_8499248_pdf.exe.e801458.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.Eral_order_8499248_pdf.exe.e801458.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Eral_order_8499248_pdf.exe.39016e4.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Eral_order_8499248_pdf.exe.e7f0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Eral_order_8499248_pdf.exe.e7f0000.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Eral_order_8499248_pdf.exe.39016e4.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Eral_order_8499248_pdf.exe.e801458.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Eral_order_8499248_pdf.exe.e801458.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Eral_order_8499248_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Eral_order_8499248_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Eral_order_8499248_pdf.exe.4840000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Eral_order_8499248_pdf.exe.4840000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Eral_order_8499248_pdf.exe.5d20a0.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Eral_order_8499248_pdf.exe.5d20a0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Eral_order_8499248_pdf.exe.23c0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Eral_order_8499248_pdf.exe.23c0000.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Eral_order_8499248_pdf.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Eral_order_8499248_pdf.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.1.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.1.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.1.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.1.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Eral_order_8499248_pdf.exe.5d20a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Eral_order_8499248_pdf.exe.5d20a0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.1.Eral_order_8499248_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.1.Eral_order_8499248_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Eral_order_8499248_pdf.exe.4800000.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Eral_order_8499248_pdf.exe.4800000.7.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Eral_order_8499248_pdf.exe.36e16e4.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Eral_order_8499248_pdf.exe.268683c.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Eral_order_8499248_pdf.exe.5224629.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.Eral_order_8499248_pdf.exe.e7f0000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.Eral_order_8499248_pdf.exe.e7f0000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Eral_order_8499248_pdf.exe.e801458.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Eral_order_8499248_pdf.exe.e801458.4.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Eral_order_8499248_pdf.exe.3905d0d.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Eral_order_8499248_pdf.exe.4980000.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Eral_order_8499248_pdf.exe.4980000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Eral_order_8499248_pdf.exe.4d90000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.1.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.1.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.Eral_order_8499248_pdf.exe.e801458.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.Eral_order_8499248_pdf.exe.e801458.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Eral_order_8499248_pdf.exe.e7f0000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Eral_order_8499248_pdf.exe.e7f0000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Eral_order_8499248_pdf.exe.3663258.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Eral_order_8499248_pdf.exe.3663258.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.1.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.1.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Eral_order_8499248_pdf.exe.5220000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Eral_order_8499248_pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Eral_order_8499248_pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Eral_order_8499248_pdf.exe.2891970.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Eral_order_8499248_pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Eral_order_8499248_pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Eral_order_8499248_pdf.exe.36dc8ae.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Eral_order_8499248_pdf.exe.36dc8ae.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Eral_order_8499248_pdf.exe.3663258.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Eral_order_8499248_pdf.exe.3663258.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Eral_order_8499248_pdf.exe.5288d0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Eral_order_8499248_pdf.exe.5288d0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Eral_order_8499248_pdf.exe.5220000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Eral_order_8499248_pdf.exe.23c0000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Eral_order_8499248_pdf.exe.23c0000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Eral_order_8499248_pdf.exe.36e16e4.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Eral_order_8499248_pdf.exe.5288d0.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Eral_order_8499248_pdf.exe.5288d0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Eral_order_8499248_pdf.exe.38fc8ae.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Eral_order_8499248_pdf.exe.38fc8ae.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.Eral_order_8499248_pdf.exe.4800000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.Eral_order_8499248_pdf.exe.4800000.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.1.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.1.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.Eral_order_8499248_pdf.exe.e7f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.Eral_order_8499248_pdf.exe.e7f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.1.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.1.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.556639770.00000000038ED000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.557530361.0000000005220000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000001.300118720.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000001.300118720.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000001.317135947.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000001.317135947.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.302913256.000000000E7F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.302913256.000000000E7F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.553982010.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.553982010.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.335925171.0000000003661000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.335925171.0000000003661000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.335611612.00000000005C4000.00000004.00000020.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.335611612.00000000005C4000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.557320658.0000000004D90000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.318858456.000000000E7F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.318858456.000000000E7F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.555999309.00000000023C0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.555999309.00000000023C0000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.556927651.0000000004982000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.556927651.0000000004982000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.336058089.0000000004800000.00000004.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.336058089.0000000004800000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.335435218.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.335435218.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.554316233.000000000051A000.00000004.00000020.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.554316233.000000000051A000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.336095821.0000000004842000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.336095821.0000000004842000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.335899814.000000000266E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 6636, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 6636, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 2932, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 5284, type: MEMORYSTR Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 5284, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 6592, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Eral_order_8499248_pdf.exe
Source: initial sample Static PE information: Filename: Eral_order_8499248_pdf.exe
Uses 32bit PE files
Source: Eral_order_8499248_pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 8.2.Eral_order_8499248_pdf.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Eral_order_8499248_pdf.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.Eral_order_8499248_pdf.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.Eral_order_8499248_pdf.exe.e801458.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.Eral_order_8499248_pdf.exe.e801458.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.Eral_order_8499248_pdf.exe.e801458.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Eral_order_8499248_pdf.exe.39016e4.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Eral_order_8499248_pdf.exe.39016e4.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Eral_order_8499248_pdf.exe.e7f0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Eral_order_8499248_pdf.exe.e7f0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Eral_order_8499248_pdf.exe.e7f0000.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Eral_order_8499248_pdf.exe.39016e4.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Eral_order_8499248_pdf.exe.39016e4.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Eral_order_8499248_pdf.exe.e801458.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Eral_order_8499248_pdf.exe.e801458.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Eral_order_8499248_pdf.exe.e801458.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Eral_order_8499248_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Eral_order_8499248_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.Eral_order_8499248_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.Eral_order_8499248_pdf.exe.4840000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Eral_order_8499248_pdf.exe.4840000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.Eral_order_8499248_pdf.exe.4840000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.Eral_order_8499248_pdf.exe.5d20a0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Eral_order_8499248_pdf.exe.5d20a0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.Eral_order_8499248_pdf.exe.5d20a0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Eral_order_8499248_pdf.exe.23c0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Eral_order_8499248_pdf.exe.23c0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.Eral_order_8499248_pdf.exe.23c0000.3.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.Eral_order_8499248_pdf.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Eral_order_8499248_pdf.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.Eral_order_8499248_pdf.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.1.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.1.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.1.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.1.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.1.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.1.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.Eral_order_8499248_pdf.exe.5d20a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Eral_order_8499248_pdf.exe.5d20a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.Eral_order_8499248_pdf.exe.5d20a0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.1.Eral_order_8499248_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.1.Eral_order_8499248_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.1.Eral_order_8499248_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.Eral_order_8499248_pdf.exe.4800000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Eral_order_8499248_pdf.exe.4800000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.Eral_order_8499248_pdf.exe.4800000.7.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.Eral_order_8499248_pdf.exe.36e16e4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Eral_order_8499248_pdf.exe.36e16e4.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.Eral_order_8499248_pdf.exe.268683c.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Eral_order_8499248_pdf.exe.268683c.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.Eral_order_8499248_pdf.exe.5224629.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Eral_order_8499248_pdf.exe.5224629.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.Eral_order_8499248_pdf.exe.e7f0000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.Eral_order_8499248_pdf.exe.e7f0000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.Eral_order_8499248_pdf.exe.e7f0000.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Eral_order_8499248_pdf.exe.e801458.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Eral_order_8499248_pdf.exe.e801458.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Eral_order_8499248_pdf.exe.e801458.4.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Eral_order_8499248_pdf.exe.3905d0d.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Eral_order_8499248_pdf.exe.3905d0d.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.Eral_order_8499248_pdf.exe.4980000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Eral_order_8499248_pdf.exe.4980000.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.Eral_order_8499248_pdf.exe.4980000.8.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Eral_order_8499248_pdf.exe.4d90000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Eral_order_8499248_pdf.exe.4d90000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.1.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.1.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.1.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.Eral_order_8499248_pdf.exe.e801458.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.Eral_order_8499248_pdf.exe.e801458.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.Eral_order_8499248_pdf.exe.e801458.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Eral_order_8499248_pdf.exe.e7f0000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Eral_order_8499248_pdf.exe.e7f0000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0.2.Eral_order_8499248_pdf.exe.e7f0000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.Eral_order_8499248_pdf.exe.3663258.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Eral_order_8499248_pdf.exe.3663258.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.Eral_order_8499248_pdf.exe.3663258.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.1.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.1.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.1.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Eral_order_8499248_pdf.exe.5220000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Eral_order_8499248_pdf.exe.5220000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.Eral_order_8499248_pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Eral_order_8499248_pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.Eral_order_8499248_pdf.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Eral_order_8499248_pdf.exe.2891970.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Eral_order_8499248_pdf.exe.2891970.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.Eral_order_8499248_pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Eral_order_8499248_pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.Eral_order_8499248_pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.Eral_order_8499248_pdf.exe.36dc8ae.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Eral_order_8499248_pdf.exe.36dc8ae.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.Eral_order_8499248_pdf.exe.36dc8ae.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.Eral_order_8499248_pdf.exe.3663258.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Eral_order_8499248_pdf.exe.3663258.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Eral_order_8499248_pdf.exe.5288d0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Eral_order_8499248_pdf.exe.5288d0.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.Eral_order_8499248_pdf.exe.5288d0.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Eral_order_8499248_pdf.exe.5220000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Eral_order_8499248_pdf.exe.5220000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.Eral_order_8499248_pdf.exe.23c0000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Eral_order_8499248_pdf.exe.23c0000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.Eral_order_8499248_pdf.exe.23c0000.3.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.Eral_order_8499248_pdf.exe.36e16e4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Eral_order_8499248_pdf.exe.36e16e4.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.Eral_order_8499248_pdf.exe.5288d0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Eral_order_8499248_pdf.exe.5288d0.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.Eral_order_8499248_pdf.exe.5288d0.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Eral_order_8499248_pdf.exe.38fc8ae.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Eral_order_8499248_pdf.exe.38fc8ae.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.Eral_order_8499248_pdf.exe.38fc8ae.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.Eral_order_8499248_pdf.exe.4800000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.Eral_order_8499248_pdf.exe.4800000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.Eral_order_8499248_pdf.exe.4800000.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.1.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.1.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.1.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.Eral_order_8499248_pdf.exe.e7f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.Eral_order_8499248_pdf.exe.e7f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 7.2.Eral_order_8499248_pdf.exe.e7f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.1.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.1.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.1.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.556639770.00000000038ED000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.557530361.0000000005220000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.557530361.0000000005220000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000001.300118720.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000001.300118720.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000001.300118720.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000001.317135947.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000001.317135947.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.302913256.000000000E7F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.302913256.000000000E7F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000000.00000002.302913256.000000000E7F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.553982010.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.553982010.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.553982010.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.335925171.0000000003661000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.335925171.0000000003661000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.335611612.00000000005C4000.00000004.00000020.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.335611612.00000000005C4000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.557320658.0000000004D90000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.557320658.0000000004D90000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.318858456.000000000E7F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.318858456.000000000E7F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.318858456.000000000E7F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.555999309.00000000023C0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.555999309.00000000023C0000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.555999309.00000000023C0000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.556927651.0000000004982000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.556927651.0000000004982000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.336058089.0000000004800000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.336058089.0000000004800000.00000004.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.336058089.0000000004800000.00000004.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.335435218.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.335435218.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000008.00000002.335435218.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.554316233.000000000051A000.00000004.00000020.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.554316233.000000000051A000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.336095821.0000000004842000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.336095821.0000000004842000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.335899814.000000000266E000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 6636, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 6636, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 2932, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 5284, type: MEMORYSTR Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 5284, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 6592, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040312A
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 7_2_0040312A
Detected potential crypto function
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_00406354 0_2_00406354
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_00404802 0_2_00404802
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_00406B2B 0_2_00406B2B
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_10006EEF 0_2_10006EEF
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_10006EFE 0_2_10006EFE
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_0040A2A5 1_2_0040A2A5
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_049C3850 1_2_049C3850
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_049C86A8 1_2_049C86A8
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_049C2FA8 1_2_049C2FA8
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_049C23A0 1_2_049C23A0
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_049CAF78 1_2_049CAF78
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_049C306F 1_2_049C306F
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_049C92A8 1_2_049C92A8
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_049C936F 1_2_049C936F
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_00406354 7_2_00406354
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_00404802 7_2_00404802
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_00406B2B 7_2_00406B2B
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_10006EEF 7_2_10006EEF
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_10006EFE 7_2_10006EFE
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_2_0040A2A5 8_2_0040A2A5
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_2_04883850 8_2_04883850
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_2_04882FA8 8_2_04882FA8
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_2_048823A0 8_2_048823A0
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_2_0488306F 8_2_0488306F
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_2_0488238F 8_2_0488238F
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_1_0040A2A5 8_1_0040A2A5
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: String function: 00402A29 appears 52 times
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: String function: 00401ED0 appears 69 times
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: String function: 0040569E appears 54 times
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: String function: 00405BC7 appears 36 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_04B41C6A NtQuerySystemInformation, 1_2_04B41C6A
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_04B41C2F NtQuerySystemInformation, 1_2_04B41C2F
Sample file is different than original file name gathered from version info
Source: Eral_order_8499248_pdf.exe, 00000000.00000003.293846730.000000000E956000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Eral_order_8499248_pdf.exe
Source: Eral_order_8499248_pdf.exe, 00000001.00000002.556639770.00000000038ED000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Eral_order_8499248_pdf.exe
Source: Eral_order_8499248_pdf.exe, 00000001.00000002.556639770.00000000038ED000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs Eral_order_8499248_pdf.exe
Source: Eral_order_8499248_pdf.exe, 00000001.00000002.556639770.00000000038ED000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Eral_order_8499248_pdf.exe
Source: Eral_order_8499248_pdf.exe, 00000007.00000003.311248425.000000000E956000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Eral_order_8499248_pdf.exe
Source: Eral_order_8499248_pdf.exe, 00000008.00000002.335925171.0000000003661000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Eral_order_8499248_pdf.exe
Source: Eral_order_8499248_pdf.exe, 00000008.00000002.335925171.0000000003661000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs Eral_order_8499248_pdf.exe
Source: Eral_order_8499248_pdf.exe, 00000008.00000002.335925171.0000000003661000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Eral_order_8499248_pdf.exe
Source: Eral_order_8499248_pdf.exe Virustotal: Detection: 38%
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe File read: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Jump to behavior
Source: Eral_order_8499248_pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe 'C:\Users\user\Desktop\Eral_order_8499248_pdf.exe'
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process created: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe 'C:\Users\user\Desktop\Eral_order_8499248_pdf.exe'
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8379.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe C:\Users\user\Desktop\Eral_order_8499248_pdf.exe 0
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process created: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe C:\Users\user\Desktop\Eral_order_8499248_pdf.exe 0
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process created: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe 'C:\Users\user\Desktop\Eral_order_8499248_pdf.exe' Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8379.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process created: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe C:\Users\user\Desktop\Eral_order_8499248_pdf.exe 0 Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_04B41A2A AdjustTokenPrivileges, 1_2_04B41A2A
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_04B419F3 AdjustTokenPrivileges, 1_2_04B419F3
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe File created: C:\Users\user\AppData\Local\Temp\nsd3EE1.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/8@0/1
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar, 0_2_00402053
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_004042C1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004042C1
Source: 1.2.Eral_order_8499248_pdf.exe.4980000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.Eral_order_8499248_pdf.exe.4980000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 8.2.Eral_order_8499248_pdf.exe.4840000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 8.2.Eral_order_8499248_pdf.exe.4840000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4508:120:WilError_01
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{8eff5e85-5667-437d-b37d-ffe758cdad30}
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess, 1_2_00401489
Source: 1.2.Eral_order_8499248_pdf.exe.4980000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.Eral_order_8499248_pdf.exe.4980000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.Eral_order_8499248_pdf.exe.4980000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.Eral_order_8499248_pdf.exe.4840000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.2.Eral_order_8499248_pdf.exe.4840000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.Eral_order_8499248_pdf.exe.4840000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: Binary string: wntdll.pdbUGP source: Eral_order_8499248_pdf.exe, 00000000.00000003.292397035.000000000E9D0000.00000004.00000001.sdmp, Eral_order_8499248_pdf.exe, 00000007.00000003.313372407.000000000E840000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: Eral_order_8499248_pdf.exe, 00000000.00000003.292397035.000000000E9D0000.00000004.00000001.sdmp, Eral_order_8499248_pdf.exe, 00000007.00000003.313372407.000000000E840000.00000004.00000001.sdmp

Data Obfuscation:

barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Unpacked PE file: 1.2.Eral_order_8499248_pdf.exe.400000.0.unpack
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Unpacked PE file: 8.2.Eral_order_8499248_pdf.exe.400000.1.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Unpacked PE file: 1.2.Eral_order_8499248_pdf.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Unpacked PE file: 8.2.Eral_order_8499248_pdf.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
Detected unpacking (creates a PE file in dynamic memory)
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Unpacked PE file: 1.2.Eral_order_8499248_pdf.exe.4980000.8.unpack
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Unpacked PE file: 8.2.Eral_order_8499248_pdf.exe.4840000.8.unpack
.NET source code contains potential unpacker
Source: 1.2.Eral_order_8499248_pdf.exe.4980000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Eral_order_8499248_pdf.exe.4980000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.Eral_order_8499248_pdf.exe.4840000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.Eral_order_8499248_pdf.exe.4840000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_00401F16 push ecx; ret 1_2_00401F29
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_02219D53 pushad ; retf 1_2_02219D59
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_022174AC push ecx; ret 1_2_022174AD
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_022174B8 push ebp; ret 1_2_022174B9
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_2_00401F16 push ecx; ret 8_2_00401F29
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_1_00401F16 push ecx; ret 8_1_00401F29
PE file contains an invalid checksum
Source: cbehatjjoa.dll.0.dr Static PE information: real checksum: 0x13358 should be: 0x8974
Source: Eral_order_8499248_pdf.exe Static PE information: real checksum: 0x0 should be: 0x567a5
Source: cbehatjjoa.dll.7.dr Static PE information: real checksum: 0x13358 should be: 0x8974
Source: initial sample Static PE information: section name: .data entropy: 7.54425971933
Source: initial sample Static PE information: section name: .data entropy: 7.54425971933
Source: 1.2.Eral_order_8499248_pdf.exe.4980000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.2.Eral_order_8499248_pdf.exe.4980000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 8.2.Eral_order_8499248_pdf.exe.4840000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 8.2.Eral_order_8499248_pdf.exe.4840000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe File created: C:\Users\user\AppData\Local\Temp\nsp5C2E.tmp\cbehatjjoa.dll Jump to dropped file
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe File created: C:\Users\user\AppData\Local\Temp\nsd3EE2.tmp\cbehatjjoa.dll Jump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8379.tmp'

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe File opened: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe TID: 4964 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe TID: 5580 Thread sleep time: -80000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe TID: 4596 Thread sleep count: 38 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe TID: 4540 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Window / User API: threadDelayed 672 Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Window / User API: foregroundWindowGot 961 Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_04B41752 GetSystemInfo, 1_2_04B41752
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_00405EC2 FindFirstFileA,FindClose, 0_2_00405EC2
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054EC
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_00404A29 FindFirstFileExW, 1_2_00404A29
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_00405EC2 FindFirstFileA,FindClose, 7_2_00405EC2
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 7_2_004054EC
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_00402671 FindFirstFileA, 7_2_00402671
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_2_00404A29 FindFirstFileExW, 8_2_00404A29
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_1_00404A29 FindFirstFileExW, 8_1_00404A29
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040446F
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_10002ED0 drtyghank,GetProcessHeap,RtlAllocateHeap,memset,EnumSystemCodePagesW, 0_2_10002ED0
Enables debug privileges
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_100067E2 mov eax, dword ptr fs:[00000030h] 0_2_100067E2
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_10006B24 mov eax, dword ptr fs:[00000030h] 0_2_10006B24
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_10006AA7 mov eax, dword ptr fs:[00000030h] 0_2_10006AA7
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_10006AE6 mov eax, dword ptr fs:[00000030h] 0_2_10006AE6
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_100069F6 mov eax, dword ptr fs:[00000030h] 0_2_100069F6
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_004035F1 mov eax, dword ptr fs:[00000030h] 1_2_004035F1
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_100067E2 mov eax, dword ptr fs:[00000030h] 7_2_100067E2
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_10006B24 mov eax, dword ptr fs:[00000030h] 7_2_10006B24
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_10006AA7 mov eax, dword ptr fs:[00000030h] 7_2_10006AA7
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_10006AE6 mov eax, dword ptr fs:[00000030h] 7_2_10006AE6
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_100069F6 mov eax, dword ptr fs:[00000030h] 7_2_100069F6
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_2_004035F1 mov eax, dword ptr fs:[00000030h] 8_2_004035F1
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_1_004035F1 mov eax, dword ptr fs:[00000030h] 8_1_004035F1
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Memory allocated: page read and write | page guard Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_00401E1D SetUnhandledExceptionFilter, 1_2_00401E1D
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040446F
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00401C88
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00401F30
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_2_00401E1D SetUnhandledExceptionFilter, 8_2_00401E1D
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_0040446F
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00401C88
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00401F30
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_1_00401E1D SetUnhandledExceptionFilter, 8_1_00401E1D
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_1_0040446F
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_1_00401C88
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 8_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_1_00401F30

HIPS / PFW / Operating System Protection Evasion:

barindex
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Memory written: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Memory written: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe base: 400000 value starts with: 4D5A Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process created: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe 'C:\Users\user\Desktop\Eral_order_8499248_pdf.exe' Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp8379.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Process created: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe C:\Users\user\Desktop\Eral_order_8499248_pdf.exe 0 Jump to behavior
Source: Eral_order_8499248_pdf.exe, 00000001.00000002.556276205.0000000002911000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: Eral_order_8499248_pdf.exe, 00000001.00000002.555075839.0000000000DE0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: Eral_order_8499248_pdf.exe, 00000001.00000002.555075839.0000000000DE0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: Eral_order_8499248_pdf.exe, 00000001.00000002.555075839.0000000000DE0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_0040208D cpuid 1_2_0040208D
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00401B74
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040312A
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_0220B0CA GetUserNameW, 1_2_0220B0CA

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Eral_order_8499248_pdf.exe.e801458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.39016e4.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eral_order_8499248_pdf.exe.e7f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.39016e4.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eral_order_8499248_pdf.exe.e801458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.4840000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.5d20a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.23c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.5d20a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Eral_order_8499248_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.4800000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.36e16e4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.5224629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Eral_order_8499248_pdf.exe.e7f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eral_order_8499248_pdf.exe.e801458.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.3905d0d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.4980000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Eral_order_8499248_pdf.exe.e801458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eral_order_8499248_pdf.exe.e7f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.3663258.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.5220000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.36dc8ae.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.3663258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.5288d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.5220000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.23c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.36e16e4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.5288d0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.38fc8ae.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.4800000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Eral_order_8499248_pdf.exe.e7f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.556639770.00000000038ED000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.557530361.0000000005220000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.556147476.0000000002881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.300118720.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000001.317135947.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.302913256.000000000E7F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.553982010.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.335925171.0000000003661000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.335611612.00000000005C4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.318858456.000000000E7F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.555999309.00000000023C0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.556927651.0000000004982000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336058089.0000000004800000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.335435218.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.554316233.000000000051A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336095821.0000000004842000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 6636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 2932, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 5284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 6592, type: MEMORYSTR

Remote Access Functionality:

barindex
Detected Nanocore Rat
Source: Eral_order_8499248_pdf.exe, 00000000.00000002.302913256.000000000E7F0000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Eral_order_8499248_pdf.exe String found in binary or memory: NanoCore.ClientPluginHost
Source: Eral_order_8499248_pdf.exe, 00000001.00000002.556639770.00000000038ED000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Eral_order_8499248_pdf.exe, 00000007.00000002.318858456.000000000E7F0000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Eral_order_8499248_pdf.exe String found in binary or memory: NanoCore.ClientPluginHost
Source: Eral_order_8499248_pdf.exe, 00000008.00000002.335925171.0000000003661000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Eral_order_8499248_pdf.exe.e801458.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.39016e4.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eral_order_8499248_pdf.exe.e7f0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.39016e4.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eral_order_8499248_pdf.exe.e801458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.4840000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.5d20a0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.23c0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.5d20a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Eral_order_8499248_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.4800000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.36e16e4.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.5224629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Eral_order_8499248_pdf.exe.e7f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eral_order_8499248_pdf.exe.e801458.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.3905d0d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.4980000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Eral_order_8499248_pdf.exe.e801458.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Eral_order_8499248_pdf.exe.e7f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.3663258.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.Eral_order_8499248_pdf.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.5220000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.36dc8ae.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.3663258.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.5288d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.5220000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.23c0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.36e16e4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.5288d0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.Eral_order_8499248_pdf.exe.38fc8ae.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Eral_order_8499248_pdf.exe.4800000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.Eral_order_8499248_pdf.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.Eral_order_8499248_pdf.exe.e7f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.Eral_order_8499248_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.556639770.00000000038ED000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.557530361.0000000005220000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.556147476.0000000002881000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.300118720.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000001.317135947.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.302913256.000000000E7F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.553982010.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.335925171.0000000003661000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.335611612.00000000005C4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.318858456.000000000E7F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.555999309.00000000023C0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.556927651.0000000004982000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336058089.0000000004800000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.335435218.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.554316233.000000000051A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.336095821.0000000004842000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 6636, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 2932, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 5284, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Eral_order_8499248_pdf.exe PID: 6592, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_10001B10 CreateBindCtx, 0_2_10001B10
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_10001940 CreateBindCtx, 0_2_10001940
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_100015A0 CreateBindCtx,wcschr,CoTaskMemFree, 0_2_100015A0
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_10001CD0 CreateBindCtx,ShellExecuteW,CoTaskMemFree, 0_2_10001CD0
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 0_2_100016E0 CreateBindCtx,MkParseDisplayName,wcschr,CreateFileMoniker, 0_2_100016E0
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_04B42C8A bind, 1_2_04B42C8A
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 1_2_04B42C57 bind, 1_2_04B42C57
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_10001B10 CreateBindCtx, 7_2_10001B10
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_10001940 CreateBindCtx, 7_2_10001940
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_100015A0 CreateBindCtx,wcschr,CoTaskMemFree, 7_2_100015A0
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_10001CD0 CreateBindCtx,ShellExecuteW,CoTaskMemFree, 7_2_10001CD0
Source: C:\Users\user\Desktop\Eral_order_8499248_pdf.exe Code function: 7_2_100016E0 CreateBindCtx,MkParseDisplayName,wcschr,CreateFileMoniker, 7_2_100016E0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 499571 Sample: Eral_order_8499248_pdf.exe Startdate: 08/10/2021 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 8 other signatures 2->45 8 Eral_order_8499248_pdf.exe 17 2->8         started        12 Eral_order_8499248_pdf.exe 16 2->12         started        process3 file4 25 C:\Users\user\AppData\...\cbehatjjoa.dll, PE32 8->25 dropped 47 Detected unpacking (changes PE section rights) 8->47 49 Detected unpacking (creates a PE file in dynamic memory) 8->49 51 Detected unpacking (overwrites its own PE header) 8->51 53 Uses schtasks.exe or at.exe to add and modify task schedules 8->53 14 Eral_order_8499248_pdf.exe 10 8->14         started        27 C:\Users\user\AppData\...\cbehatjjoa.dll, PE32 12->27 dropped 55 Injects a PE file into a foreign processes 12->55 19 Eral_order_8499248_pdf.exe 3 12->19         started        signatures5 process6 dnsIp7 35 185.157.162.92, 2036 OBE-EUROPEObenetworkEuropeSE Sweden 14->35 29 C:\Users\user\AppData\Roaming\...\run.dat, data 14->29 dropped 31 C:\Users\user\AppData\Local\...\tmp8379.tmp, XML 14->31 dropped 37 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->37 21 schtasks.exe 1 14->21         started        33 C:\Users\...ral_order_8499248_pdf.exe.log, ASCII 19->33 dropped file8 signatures9 process10 process11 23 conhost.exe 21->23         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.157.162.92
 unknown Sweden
197595 OBE-EUROPEObenetworkEuropeSE true

Contacted Domains

Name IP Active
windowsupdate.s.llnwi.net 178.79.242.128 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
true
  • Avira URL Cloud: safe
 low
185.157.162.92 true
  • Avira URL Cloud: safe
 unknown