34.0.0 Boulder Opal
IR
553203
CloudBasic
13:34:24
14/01/2022
G2M18C6INV0ICERECEIPT.vbs
default.jbs
Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
WINDOWS
MD5: e193dff484ce89bc7ba5ae2022ab7227
SHA1: 49d652b6e0fe6071b99fa9a7e891cc5187ebc4db
SHA256: 1b8775fa633e04edf24411129b02074e4a9b8a79c28896908ff57dafe7cde968
true
false
false
false
100
0
100
5
0
5
false
Dropped files:

C:\ProgramData\5197349279415287975939\5197349279415287975939.HTA
  Malicious: true
  MD5: 0328D91C5D8F820EF69BDF98DD17310E
  SHA1: 23821BDB5C5C0500C557887E3083E26E4F4FBA7D
  SHA256: B51B5DE30F56E9FC09858C1F9A43F7B897286FF1582AE81F714A5D0D57552CA8

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
  Malicious: false
  MD5: 1F1446CE05A385817C3EF20CBD8B6E6A
  SHA1: 1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
  SHA256: 2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Malicious: false
  MD5: 05CF074042A017A42C1877FC5DB819AB
  SHA1: 5AF2016605B06ECE0BFB3916A9480D6042355188
  SHA256: 971C67A02609B2B561618099F48D245EA4EB689C6E9F85232158E74269CAA650

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_axtvtxvy.mrw.psm1
  Malicious: false
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jvx5tmpj.e0j.ps1
  Malicious: false
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
  Malicious: false
  MD5: C8013C97F9E5AC8BC1A5C760C8E90286
  SHA1: A635B2C83A4B1A0896FFA95CDF2C8F4A5FA8AD0D
  SHA256: ECC2D8FFD4183F94F2AC3CD082FFEFB0EACC07D266F9FEE9AB44E2DDE2A9839B

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
  Malicious: true
  MD5: 9694A30911D686B65D5945CB73621859
  SHA1: 8D910DDE2DE75E1AFECA2C739A57923B2778297E
  SHA256: FC067983418432829610764679C54ECD5053539CAC42EB61AAFEA092BCA9F3CF

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
  Malicious: false
  MD5: 4E5E92E2369688041CC82EF9650EDED2
  SHA1: 15E44F2F3194EE232B44E9684163B6F66472C862
  SHA256: F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
  Malicious: false
  MD5: 582B006BBF28E0A891A06EDA92B06C8F
  SHA1: 5121864FDE6CC7FC65408442E62B2B1BA7A678EA
  SHA256: 7531A54E0B0E1090694E8CDECA5DE9B0088F45AF63BDFE83AE995D1B754B1B95

C:\Users\user\Documents\20220114\PowerShell_transcript.210979.BVPagTEC.20220114133521.txt
  Malicious: false
  MD5: 665601201DF2CA8F9E745092B2660F3B
  SHA1: FC48280CD19D80EE0F47F8CC11C9824B18F69661
  SHA256: 75D121BBF2F25A1C03EFCE141DED1815A850E97877DF85416BF72853E6D69601
IP addresses:
  185.140.53.10
  192.168.2.1
  107.180.25.2

Domains (name, flag, resolved IP):
  testalienscy9090.duckdns.org  true  185.140.53.10
  swmen.com  true  107.180.25.2
Signatures:
  Found malware configuration
  Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  Writes to foreign memory regions
  Wscript starts Powershell (via cmd or directly)
  Malicious sample detected (through community Yara rule)
  Sigma detected: NanoCore
  VBScript performs obfuscated calls to suspicious functions
  Sigma detected: Suspicious PowerShell Command Line
  Detected Nanocore Rat
  .NET source code contains potential unpacker
  Injects a PE file into a foreign processes
  Creates an undocumented autostart registry key
  C2 URLs / IPs found in malware configuration
  Hides that the sample has been downloaded from the Internet (zone.identifier)
  Yara detected HtmlPhish44
  Yara detected Powershell download and execute
  Uses dynamic DNS services
  Yara detected Nanocore RAT