
Sample: hbvo9thTAX.exe

Status: finished
Submission Time: 03.04.2021 19:26:14
Classification: Malicious, Trojan, Evader, NanoCore

Tags

  • exe
  • NanoCore
  • RAT

Details

  • Analysis ID:
    381486
  • API (Web) ID:
    665125
  • Analysis Started:
    03.04.2021 19:26:16
  • Analysis Finished:
    03.04.2021 19:43:56
  • MD5:
    0d646c6e6c2666f24b9e65cd1322fa86
  • SHA1:
    9e7bfc67a55d697ec2dc7779737e4bc4793fcce8
  • SHA256:
    cb19133e564f301e0b3bcba9f0cd81dd21ab65aaf5a4d506c29e70159b2c26bc
  • Technologies:

Verdict

Verdict: malicious
System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Score: 100/100 (malicious)
Detection: 11/43 (malicious)

IPs

IP             Country      Detection
79.134.225.7   Switzerland

Domains

Name               IP             Detection
james12.ddns.net   79.134.225.7

URLs

Name Detection
james12.ddns.net
127.0.0.1
http://nuget.org/NuGet.exe
http://crl.m
http://logo.veris
http://pesterbdd.com/images/Pester.png
http://crl.D
http://schemas.xmlsoap.org/soap/encoding/
http://www.apache.org/licenses/LICENSE-2.0.html
http://www.microsoft.uc
http://schemas.xmlsoap.org/wsdl/
https://contoso.com/
https://nuget.org/nuget.exe
https://contoso.com/License
https://contoso.com/Icon
http://www.microsoft.cow:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://github.com/Pester/Pester
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Entries such as http://crl.m, http://crl.D, http://logo.veris, http://www.microsoft.uc and http://www.microsoft.cow: are truncated strings carved from memory, and the nuget.org, Pester, contoso.com and schemas.xmlsoap.org URLs are typical of PowerShell module manifests and .NET Framework assemblies present on the analysis system rather than of the sample. None of these should be used as an indicator without corroboration. The only network indicator that resolved during the run is james12.ddns.net (79.134.225.7); as a dynamic-DNS host its IP may differ between analyses, so the domain is the more durable indicator.

Dropped files

Name / File Type (the report lists no hashes or detections for the dropped files)

  • C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\hbvo9thTAX.exe.log
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Temp\tmpABAD.tmp
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
    data
  • C:\Users\user\AppData\Roaming\QeANuFTFqbK.exe
    PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  • C:\Users\user\AppData\Roaming\QeANuFTFqbK.exe:Zone.Identifier
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
    ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    data
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ajzbn5nt.ie4.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_k4mlodfs.k4y.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lmafyeex.kax.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lyd25ghk.v0e.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nbbpxawf.xpy.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pyrii040.scl.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pzx2opuj.bcr.psm1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rj0cfrkv.v0m.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ujmi11ov.11q.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zawy1uep.upl.ps1
    very short file (no magic)
  • C:\Users\user\AppData\Local\Temp\tmp3FE.tmp
    XML 1.0 document, ASCII text, with CRLF line terminators
  • C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
    data
  • C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
    data
  • C:\Users\user\Documents\20210403\PowerShell_transcript.134349.Jo7+hiPB.20210403192707.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20210403\PowerShell_transcript.134349._m_N6GZ+.20210403192708.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20210403\PowerShell_transcript.134349.lSfpxzZ7.20210403192730.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20210403\PowerShell_transcript.134349.mGBKDpXQ.20210403192735.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators
  • C:\Users\user\Documents\20210403\PowerShell_transcript.134349.mbI4G_ed.20210403192711.txt
    UTF-8 Unicode (with BOM) text, with CRLF line terminators

The __PSScriptPolicyTest_*.ps1/.psm1 files, the PowerShell ModuleAnalysisCache and the PowerShell_transcript.*.txt files are produced by PowerShell itself (AppLocker/WDAC policy probing and transcription on the analysis system), not by the sample; the indicators of value here are the GUID-named folder under AppData\Roaming holding run.dat, catalog.dat and storage.dat, the randomly named copy QeANuFTFqbK.exe in AppData\Roaming, and dhcpmon.exe under Program Files (x86)\DHCP Monitor.
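As an added example that is not part of the sandbox report, the following Python turns the indicators above into a sweep over endpoint telemetry. The pipe-separated event format, the host names and the events themselves are constructed for illustration; the hashes, C2 domain, IP and install paths are taken from the report. The path patterns generalise beyond this one run, on the assumption (not stated in the report) that the GUID folder name and the randomised dropper name vary per build while the run.dat/catalog.dat/storage.dat layout and the "DHCP Monitor\dhcpmon.exe" path stay fixed, so they match on structure rather than on the exact strings the sandbox saw. The benign PowerShell artefacts listed under dropped files are included as noise that must not fire.

```python
import re
from typing import Iterable, List, NamedTuple

# Indicators copied from the report above.
SAMPLE_HASHES = {
    "md5": "0d646c6e6c2666f24b9e65cd1322fa86",
    "sha1": "9e7bfc67a55d697ec2dc7779737e4bc4793fcce8",
    "sha256": "cb19133e564f301e0b3bcba9f0cd81dd21ab65aaf5a4d506c29e70159b2c26bc",
}
C2_DOMAINS = {"james12.ddns.net"}
C2_IPS = {"79.134.225.7"}

# Path patterns generalised from the dropped-file list. Assumption: the GUID folder
# name varies per build, so match its shape, not the value D06ED635-... seen here.
_GUID = r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}"
PATH_PATTERNS = {
    "nanocore_roaming_store": re.compile(
        r"\\AppData\\Roaming\\" + _GUID + r"\\(run|catalog|storage)\.dat$", re.I),
    "nanocore_dhcpmon": re.compile(
        r"\\Program Files( \(x86\))?\\DHCP Monitor\\dhcpmon\.exe(:Zone\.Identifier)?$",
        re.I),
}


class Hit(NamedTuple):
    host: str
    indicator: str  # which IOC or pattern fired
    value: str      # the field that matched


def scan(events: Iterable[str]) -> List[Hit]:
    """Match 'type|host|value' telemetry lines (constructed format standing in for
    EDR/Sysmon export) against the report's indicators. Unknown types are ignored."""
    hits: List[Hit] = []
    for line in events:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # malformed line: skip rather than abort the sweep
        kind, host, value = parts
        kind = kind.lower()
        if kind == "file":
            for name, pat in PATH_PATTERNS.items():
                if pat.search(value):
                    hits.append(Hit(host, name, value))
        elif kind == "dns" and value.lower().rstrip(".") in C2_DOMAINS:
            hits.append(Hit(host, "c2_domain", value))
        elif kind == "netconn" and value in C2_IPS:
            hits.append(Hit(host, "c2_ip", value))
        elif kind == "hash":
            algo, _, digest = value.partition(":")
            if SAMPLE_HASHES.get(algo.lower()) == digest.lower():
                hits.append(Hit(host, f"sample_{algo.lower()}", digest.lower()))
    return hits


# Constructed telemetry: an infected host (ws01) with a different GUID folder than the
# sandbox run, a second host (ws02) that only has the sample's hash, plus benign noise
# (PowerShell policy-test file, a run.dat outside a GUID folder, a non-matching hash).
SAMPLE_EVENTS = r"""
file|ws01|C:\Users\alice\AppData\Roaming\1F2D3C4B-0A9B-4C8D-8E7F-001122334455\run.dat
file|ws01|C:\Users\alice\AppData\Roaming\1F2D3C4B-0A9B-4C8D-8E7F-001122334455\storage.dat
file|ws01|C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
file|ws01|C:\Users\alice\AppData\Local\Temp\__PSScriptPolicyTest_ajzbn5nt.ie4.ps1
file|ws02|C:\Users\bob\AppData\Roaming\Microsoft\Windows\run.dat
dns|ws01|james12.ddns.net
netconn|ws01|79.134.225.7
hash|ws02|sha256:CB19133E564F301E0B3BCBA9F0CD81DD21AB65AAF5A4D506C29E70159B2C26BC
hash|ws02|sha256:0000000000000000000000000000000000000000000000000000000000000000
""".splitlines()

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"{h.host}: {h.indicator} -> {h.value}")
```

Feeding real telemetry only requires adapting the three-field split; the indicator sets and patterns stay as they are. Treat the IP as the weakest of the indicators for the reason given under URLs (dynamic DNS), and treat a hash hit alone as evidence of the file's presence, not of execution.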