34.0.0 Boulder Opal
IR
552628
CloudBasic
15:31:20
13/01/2022
G2M8C76V_INV0ICE_RECEIPT.exe
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
d272e884f59ff9d7921619f88766709d
b9013dcffc28e174c1cb7d81fd46b6463b4ff579
94a00e5d13eebc1a99dd48e2d9f9cb48935c424c6bd58ab9f6d78ff0caa36506
Win32 Executable (generic) a (10002005/4) 92.16%
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Detected Nanocore Rat
.NET source code contains potential unpacker
Injects a PE file into a foreign process
C2 URLs / IPs found in malware configuration
Antivirus detection for URL or domain
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for dropped file
Uses dynamic DNS services
Yara detected Nanocore RAT
Detected unpacking (creates a PE file in dynamic memory)