33.0.0 White Diamond
IR
499571
CloudBasic
16:11:08
08/10/2021
Eral_order_8499248_pdf.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
c87a4d4a3d7055d3fb628e9f5034200a
fcaea92aebebd7ed940e1fab475a99d4bb08c45b
5925ea17cc4efd2b4f52887a3d669aa83c52e3aa14df43c7f275d2d9d33ad5df
Win32 Executable (generic) a (10002005/4) 99.96%
true
false
false
false
100
0
100
5
0
5
false
C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Eral_order_8499248_pdf.exe.log
true
61CCF53571C9ABA6511D696CB0D32E45
A13A42A20EC14942F52DB20FB16A0A520F8183CE
3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
C:\Users\user\AppData\Local\Temp\ijcljyxfxut6da6vqh6
false
228C47B10B0283F9188ABFA3567302F1
33A187CA72A3B803EB7B7C9E004B19EE930484EE
C1C8363884A0024C242BAA282190ED422B13999B5D859E2A2374B2245AABC0E9
C:\Users\user\AppData\Local\Temp\nsd3EE2.tmp\cbehatjjoa.dll
true
A2C9F39FB658E262EC11F2B71E51CCB4
6346BA3BEE37FD6EE00302D248D100D7AB83A3BF
014C3580F81D7FEC4940CFB878424686DFB892DCA045FD1AB424500DD228FBC9
C:\Users\user\AppData\Local\Temp\nsp5C2E.tmp\cbehatjjoa.dll
true
A2C9F39FB658E262EC11F2B71E51CCB4
6346BA3BEE37FD6EE00302D248D100D7AB83A3BF
014C3580F81D7FEC4940CFB878424686DFB892DCA045FD1AB424500DD228FBC9
C:\Users\user\AppData\Local\Temp\tmp8379.tmp
true
28C6CCB4C5E8AACD15CE372D111A1306
062401C4CC0F0FA07DDFE4F725D53E903F86770A
A04EAF8682A798F8A215362EBBC1ED41856E90126D407ECF168C4D954AEC0AE5
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
true
F382205FFA13FF7489C0BBD84EF8AE78
0A7DB89A589F1A192E82161F8F7CEBADB77B44A6
BF2307BEDD4BB977A9FD475D1B13E005191626D69E9E30CD34E10E9A9120CEB0
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
false
323122791470119B97405F7A5233F247
8166BD5CEE0793CC3CA5A0753B98FD03D31DE100
3F00D1F39CABC0B0D9F6AF7A702A7C390F7DA1DA1103C8CD7D510A1F53550876
185.157.162.92
windowsupdate.s.llnwi.net
false
178.79.242.128
Found malware configuration
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Sigma detected: NanoCore
Machine Learning detection for sample
Detected Nanocore Rat
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Detected unpacking (changes PE section rights)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT
Detected unpacking (creates a PE file in dynamic memory)