33.0.0 White Diamond
IR
500302
CloudBasic
22:23:13
11/10/2021
NGhyIeBff1.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
9333b848ec502f882c35f7d865aec7d6
c56c21e6918f2efd0050552ac8fb831c8ed6da3a
e564c250cd0780ed1870506da94c0cb34240c41f361a9bee13db815e4e58b266
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
  true
  MD5:    9333B848EC502F882C35F7D865AEC7D6
  SHA1:   C56C21E6918F2EFD0050552AC8FB831C8ED6DA3A
  SHA256: E564C250CD0780ED1870506DA94C0CB34240C41F361A9BEE13DB815E4E58B266

C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
  true
  MD5:    187F488E27DB4AF347237FE461A079AD
  SHA1:   6693BA299EC1881249D59262276A0D2CB21F8E64
  SHA256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\NGhyIeBff1.exe.log
  true
  MD5:    61CCF53571C9ABA6511D696CB0D32E45
  SHA1:   A13A42A20EC14942F52DB20FB16A0A520F8183CE
  SHA256: 3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
  true
  MD5:    61CCF53571C9ABA6511D696CB0D32E45
  SHA1:   A13A42A20EC14942F52DB20FB16A0A520F8183CE
  SHA256: 3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B

C:\Users\user\AppData\Local\Temp\tmp3DAC.tmp
  true
  MD5:    7ED50DDB670C4D724687165ADDEC7FDA
  SHA1:   4C25267008670344F418E1E0E84C7230004CC5A9
  SHA256: CD0A89913273F71B6568341FB88079BB697D1284F9E96E1C7D318C96DEB73474

C:\Users\user\AppData\Local\Temp\tmp4260.tmp
  false
  MD5:    5C2F41CFC6F988C859DA7D727AC2B62A
  SHA1:   68999C85FC7E37BAB9216E0099836D40D4545C1C
  SHA256: 98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
  true
  MD5:    D29B6D18688071581274CB485A37339F
  SHA1:   E7B1D873D097B1381379CBA8072875FEF4FBA91E
  SHA256: B623FEA42193B5C60220E3EC61EF504F31D8DFEBD0B3225E82C9E6161F964FAC

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
  false
  MD5:    723A31B71F2E5C8E3241700F41AFD1CF
  SHA1:   B542A7109BAE634D405E94D0A23073E33ECA4DB7
  SHA256: 65F2B439813258C1AD1D0B83B2C40D9CDDAB3E8EC5D4FAB71965248F6166B664
192.168.2.23
Found malware configuration
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Machine Learning detection for sample
Detected Nanocore Rat
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT