34.0.0 Boulder Opal
IR
526564
CloudBasic
18:53:36
22/11/2021
PO-13917890546653455345200914.PDF.EXE
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
84449b1242cb54afc4bb3e9b628fdfac
5e652729685a2717ff71bffd51b6fd3f5614196d
2b8acfa28705c8321a35e0a22f554e56b5007d2d4e383061ec3da0fb9658aeca
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
Found malware configuration
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: NanoCore
Sigma detected: Suspicius Add Task From User AppData Temp
Yara detected AntiVM3
Machine Learning detection for sample
Detected Nanocore Rat
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses an obfuscated file name to hide its real file extension (double extension)
Multi AV Scanner detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Yara detected Nanocore RAT