34.0.0 Boulder Opal
IR
552676
CloudBasic
16:15:41
13/01/2022
BmFKvDpmPT
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
33c0d67befa115099a9136f837d11cc9
843fad90b9becb0457824cbaeabc3899fc055bea
1fd93f45ddbe62337f2b72e31e6a82880bc0581430abeaebda88ac1f58272210
Win32 Executable (generic) Net Framework (10011505/4) 49.83%
true
false
false
false
100
0
100
5
0
5
false
C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
false
2867A3817C9245F7CF518524DFD18F28
D7BA2A111CEDD5BF523224B3F1CFE58EEC7C2FDC
43026DCFF238F20CFF0419924486DEE45178119CFDD0D366B79D67D950A9BF50
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BmFKvDpmPT.exe.log
true
D918C6A765EDB90D2A227FE23A3FEC98
8BA802AD8D740F114783F0DADC407CBFD2A209B3
AB0E9F716E31502A4C6786575C5E64DFD9D24AF99056BBE2640A2FA322CFF4D6
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log
false
8C0458BB9EA02D50565175E38D577E35
F0B50702CD6470F3C17D637908F83212FDBDB2F2
C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
false
8C0458BB9EA02D50565175E38D577E35
F0B50702CD6470F3C17D637908F83212FDBDB2F2
C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
false
CA690D76A0FBACD13729411033DE4080
2C544994C7FA4A483B87C7BED0F442CE4610FD7A
A2E7A4802F7AF8A433032B9D83160D0352184C97637752125C111ADBB6B7D12F
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1cc2z5ov.cvt.ps1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gtqgws2z.xpb.psm1
false
C4CA4238A0B923820DCC509A6F75849B
356A192B7913B04C54574D18C28D46E6395428AB
6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
C:\Users\user\AppData\Local\Temp\tmp362C.tmp
false
8CAD1B41587CED0F1E74396794F31D58
11054BF74FCF5E8E412768035E4DAE43AA7B710F
3086D914F6B23268F8A12CB1A05516CD5465C2577E1D1E449F1B45C8E5E8F83C
C:\Users\user\AppData\Local\Temp\tmp408E.tmp
false
5C2F41CFC6F988C859DA7D727AC2B62A
68999C85FC7E37BAB9216E0099836D40D4545C1C
98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
C:\Users\user\AppData\Local\Temp\tmpD8B7.tmp
true
2A834FE86EAC835920AC846A22C7F27C
1BBABFB4220120CF1CD6420B930684983A961B68
46D349E79C06781E623586007DB7779AF3190EFF029DB504AB8D26A030E26F2A
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
false
32D0AAE13696FF7F8AF33B2D22451028
EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
true
70C2F77424FFC5FE5CC6CE131AB75A1A
5387F558ADF54CE9462C7662E72E10F2FFC5877A
D986AFDE5DC2CB7F4D2495357F01B6D9DDD4372A87ED53475077A9F768D49E03
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
false
AE0F5E6CE7122AF264EC533C6B15A27B
1265A495C42EED76CC043D50C60C23297E76CCE1
73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
false
7E8F4A764B981D5B82D1CC49D341E9C6
D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
false
08E799E8E9B4FDA648F2500A40A11933
AC76B5E20DED247803448A2F586731ED7D84B9F3
D46E34924067EB071D1F031C0BC015F4B711EDCE64D8AE00F24F29E73ECB71DB
C:\Users\user\AppData\Roaming\RlKeHhAgpZws.exe
true
33C0D67BEFA115099A9136F837D11CC9
843FAD90B9BECB0457824CBAEABC3899FC055BEA
1FD93F45DDBE62337F2B72E31E6A82880BC0581430ABEAEBDA88AC1F58272210
C:\Users\user\AppData\Roaming\RlKeHhAgpZws.exe:Zone.Identifier
true
187F488E27DB4AF347237FE461A079AD
6693BA299EC1881249D59262276A0D2CB21F8E64
255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Documents\20220113\PowerShell_transcript.116938.iUjVe067.20220113161648.txt
false
342ECDAF4F6F13CE7BFB199E9DDD5E1B
207035F852A492CFB34D737A060A93719CE17DA1
AACC9F126CBE6D338796C036ADDF70031F2FAD9540E459A9784552AF47EC8EF2
\Device\ConDrv
false
1AEB3A784552CFD2AEDEDC1D43A97A4F
804286AB9F8B3DE053222826A69A7CDA3492411A
0BC438F4B1208E1390C12D375B6CBB08BF47599D1F24BD07799BB1DF384AA293
192.168.2.1
103.153.78.234
obeyice4rm392.bounceme.net
true
103.153.78.234
Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: NanoCore
Sigma detected: Suspicious Add Task From User AppData Temp
Yara detected AntiVM3
Machine Learning detection for sample
Detected Nanocore Rat
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Antivirus detection for URL or domain
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Nanocore RAT