
Windows Analysis Report Payment confirmation .exe

Overview

General Information

Sample Name: Payment confirmation .exe
Analysis ID: 551433
MD5: aa035026516778019f8b8bd0e224fc03
SHA1: efae7e259b4581830c7e6bfeb94ed6dd25a54229
SHA256: 39c5635ea42d63fe84500b9760fbe56e0fd3243007700749609bca1cd8d9e5d4
Tags: exe, NanoCore, RAT
Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM3
Detected Nanocore Rat
Antivirus detection for URL or domain
Yara detected Nanocore RAT
Initial sample is a PE file and has a suspicious name
Connects to many ports of the same IP (likely port scanning)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Powershell Defender Exclusion
.NET source code contains method to dynamically call methods (often used by packers)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • Payment confirmation .exe (PID: 6996 cmdline: "C:\Users\user\Desktop\Payment confirmation .exe" MD5: AA035026516778019F8B8BD0E224FC03)
    • powershell.exe (PID: 3604 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 3600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 3116 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QNRauI" /XML "C:\Users\user\AppData\Local\Temp\tmpEEA4.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Payment confirmation .exe (PID: 5432 cmdline: C:\Users\user\Desktop\Payment confirmation .exe MD5: AA035026516778019F8B8BD0E224FC03)
    • Payment confirmation .exe (PID: 5520 cmdline: C:\Users\user\Desktop\Payment confirmation .exe MD5: AA035026516778019F8B8BD0E224FC03)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "2616a878-9933-42e4-9fe0-3b57e29b", "Domain1": "naki.airdns.org", "Domain2": "37.120.210.211", "Port": 56281, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "faff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
0000000A.00000002.943461917.00000000052E0000.00000004.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
0000000A.00000002.943461917.00000000052E0000.00000004.00020000.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
(Table truncated; 32 entries in total.)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.Payment confirmation .exe.363c208.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x5a9ad:$x1: NanoCore.ClientPluginHost
  • 0xa4fcd:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x5a9ea:$x2: IClientNetworkHost
  • 0xa500a:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0x5e51d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  • 0xa8b3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Payment confirmation .exe.363c208.3.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.Payment confirmation .exe.363c208.3.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0x5a715:$a: NanoCore
  • 0x5a725:$a: NanoCore
  • 0x5a959:$a: NanoCore
  • 0x5a96d:$a: NanoCore
  • 0x5a9ad:$a: NanoCore
  • 0xa4d35:$a: NanoCore
  • 0xa4d45:$a: NanoCore
  • 0xa4f79:$a: NanoCore
  • 0xa4f8d:$a: NanoCore
  • 0xa4fcd:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x5a774:$b: ClientPlugin
  • 0x5a976:$b: ClientPlugin
  • 0x5a9b6:$b: ClientPlugin
10.2.Payment confirmation .exe.3a22a86.5.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0x145e3:$x1: NanoCore.ClientPluginHost
  • 0x3c845:$x1: NanoCore.ClientPluginHost
  • 0x556df:$x1: NanoCore.ClientPluginHost
  • 0x7d92d:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
  • 0x14610:$x2: IClientNetworkHost
  • 0x3c85f:$x2: IClientNetworkHost
  • 0x5570c:$x2: IClientNetworkHost
  • 0x7d947:$x2: IClientNetworkHost
10.2.Payment confirmation .exe.3a22a86.5.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x145e3:$x2: NanoCore.ClientPluginHost
  • 0x3c845:$x2: NanoCore.ClientPluginHost
  • 0x556df:$x2: NanoCore.ClientPluginHost
  • 0x7d92d:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0x156be:$s4: PipeCreated
  • 0x3fb82:$s4: PipeCreated
  • 0x567ba:$s4: PipeCreated
  • 0x80c6a:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
  • 0x145fd:$s5: IClientLoggingHost
  • 0x3c832:$s5: IClientLoggingHost
  • 0x556f9:$s5: IClientLoggingHost
  • 0x7d91a:$s5: IClientLoggingHost
(Table truncated; 69 entries in total.)

Sigma Overview

AV Detection:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Payment confirmation .exe, ProcessId: 5520, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Payment confirmation .exe, ProcessId: 5520, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started | Author: frack113 | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QNRauI" /XML "C:\Users\user\AppData\Local\Temp\tmpEEA4.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QNRauI" /XML "C:\Users\user\AppData\Local\Temp\tmpEEA4.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment confirmation .exe" , ParentImage: C:\Users\user\Desktop\Payment confirmation .exe, ParentProcessId: 6996, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QNRauI" /XML "C:\Users\user\AppData\Local\Temp\tmpEEA4.tmp, ProcessId: 3116
Sigma detected: Powershell Defender Exclusion
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment confirmation .exe" , ParentImage: C:\Users\user\Desktop\Payment confirmation .exe, ParentProcessId: 6996, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe, ProcessId: 3604
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment confirmation .exe" , ParentImage: C:\Users\user\Desktop\Payment confirmation .exe, ParentProcessId: 6996, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\QNRauI.exe, ProcessId: 3604
Sigma detected: T1086 PowerShell Execution
Source: Pipe created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: PipeName: \PSHost.132864459695901373.3604.DefaultAppDomain.powershell

Stealing of Sensitive Information:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Payment confirmation .exe, ProcessId: 5520, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Remote Access Functionality:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Payment confirmation .exe, ProcessId: 5520, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "2616a878-9933-42e4-9fe0-3b57e29b", "Domain1": "naki.airdns.org", "Domain2": "37.120.210.211", "Port": 56281, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "faff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Antivirus detection for URL or domain
Source: 37.120.210.211 | Avira URL Cloud: Label: malware
Yara detected Nanocore RAT
Source: Yara match | File source: 0.2.Payment confirmation .exe.363c208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Payment confirmation .exe.3a22a86.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment confirmation .exe.3686a28.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.Payment confirmation .exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.Payment confirmation .exe.400000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Payment confirmation .exe.52e0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Payment confirmation .exe.3a2bee5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Payment confirmation .exe.3a278bc.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.Payment confirmation .exe.400000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Payment confirmation .exe.52e4629.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.Payment confirmation .exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment confirmation .exe.3686a28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.Payment confirmation .exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Payment confirmation .exe.52e0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment confirmation .exe.363c208.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Payment confirmation .exe.3a278bc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.938485517.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.943461917.00000000052E0000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.726108630.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.939719570.0000000002991000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.725697344.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.726654593.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.724292610.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.730520964.00000000034AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Payment confirmation .exe PID: 6996, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Payment confirmation .exe PID: 5520, type: MEMORYSTR
Machine Learning detection for sample
Source: Payment confirmation .exe | Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\QNRauI.exe | Joe Sandbox ML: detected
Source: 10.2.Payment confirmation .exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.2.Payment confirmation .exe.52e0000.7.unpack | Avira: Label: TR/NanoCore.fadte
Source: 10.0.Payment confirmation .exe.400000.4.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.Payment confirmation .exe.400000.10.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.Payment confirmation .exe.400000.8.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.Payment confirmation .exe.400000.12.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.0.Payment confirmation .exe.400000.6.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: Payment confirmation .exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Payment confirmation .exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic | TCP traffic: 146.70.76.43 ports 56281,1,2,5,6,8
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: 37.120.210.211
Source: Malware configuration extractor | URLs: naki.airdns.org
Source: Joe Sandbox View | ASN Name: TENET-1ZA TENET-1ZA
Source: global traffic | TCP traffic: 192.168.2.4:49761 -> 146.70.76.43:56281
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: Payment confirmation .exe, 00000000.00000002.729736514.0000000002401000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Payment confirmation .exe, 00000000.00000003.676666365.000000000540B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677385911.0000000005408000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677536867.000000000540B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677732929.0000000005409000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: Payment confirmation .exe, 00000000.00000003.676666365.000000000540B000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comM
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Payment confirmation .exe, 00000000.00000003.677558315.0000000005408000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677216510.0000000005403000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.676666365.000000000540B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677385911.0000000005408000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677536867.000000000540B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677732929.0000000005409000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comwit
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Payment confirmation .exe, 00000000.00000003.684072387.0000000005433000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Payment confirmation .exe, 00000000.00000003.679784035.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.679682374.0000000005433000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Payment confirmation .exe, 00000000.00000003.683286235.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.683406802.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.683351862.0000000005433000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Payment confirmation .exe, 00000000.00000003.683286235.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.683351862.0000000005433000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmld
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Payment confirmation .exe, 00000000.00000003.680816196.0000000005433000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersIUy
Source: Payment confirmation .exe, 00000000.00000003.679938204.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.694073095.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.679784035.0000000005433000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersTUF
Source: Payment confirmation .exe, 00000000.00000003.694127722.0000000005433000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersico
Source: Payment confirmation .exe, 00000000.00000003.694073095.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.694127722.0000000005433000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersnox
Source: Payment confirmation .exe, 00000000.00000003.683542352.0000000005433000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers~
Source: Payment confirmation .exe, 00000000.00000003.694127722.0000000005433000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers~Ul
Source: Payment confirmation .exe, 00000000.00000002.729385777.0000000000A74000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.commfet
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.676069541.000000000542F000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Payment confirmation .exe, 00000000.00000003.687634241.0000000005433000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Payment confirmation .exe, 00000000.00000003.687703540.0000000005433000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.687634241.0000000005433000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/~Rm
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677319400.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677183385.0000000000A7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Payment confirmation .exe, 00000000.00000003.677319400.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677183385.0000000000A7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/;
Source: Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/C
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/L
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/O
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/)
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/;
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/C
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677319400.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677183385.0000000000A7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/p
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/pt-b
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: Payment confirmation .exe, 00000000.00000003.677319400.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677594577.0000000000A7B000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677183385.0000000000A7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/y
Source: Payment confirmation .exe, 00000000.00000003.677709539.0000000000A7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/z
Source: Payment confirmation .exe, 00000000.00000003.680816196.0000000005433000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: Payment confirmation .exe, 00000000.00000003.687529964.000000000544C000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.687463634.000000000544C000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.687617708.000000000544C000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.687425665.000000000544C000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.p
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677972229.000000000542C000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Payment confirmation .exe, 00000000.00000003.677944436.000000000542C000.00000004.00000001.sdmp, Payment confirmation .exe, 00000000.00000003.677972229.000000000542C000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com.
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: Payment confirmation .exe, 00000000.00000003.676666365.000000000540B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.como
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Payment confirmation .exe, 00000000.00000002.733298449.0000000006612000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown | DNS traffic detected: queries for: naki.airdns.org
Source: Payment confirmation .exe, 0000000A.00000002.941482368.0000000003A19000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 0.2.Payment confirmation .exe.363c208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Payment confirmation .exe.3a22a86.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.Payment confirmation .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Payment confirmation .exe.3686a28.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.0.Payment confirmation .exe.400000.4.unpack, type: UNPACK<