Windows Analysis Report
Receipt.exe

Machine Learning detection for sample

Source: Yara match	File source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR

Source: Receipt.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe

Joe Sandbox ML: detected

Source: Receipt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Receipt.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256w^ source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49697 -> 103.141.138.125:24980
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.5:49697 -> 103.141.138.125:24980
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 103.141.138.125:24980 -> 192.168.2.5:49697

Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://james.newtonking.com/projects/json
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR

System Summary

Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown
Source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Receipt.exe

Source: Receipt.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23
Source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR	Matched rule: Windows_Trojan_Nanocore_d8c4e3c5 reference_sample = b2262126a955e306dc68487333394dc08c4fbd708a19afeb531f58916ddb1cfd, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Nanocore, fingerprint = e5c284f14c1c650ef8ddd7caf314f5318e46a811addc2af5e70890390c7307d4, id = d8c4e3c5-8bcc-43d2-9104-fa3774282da5, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_018111B0	0_2_018111B0
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01815BD1	0_2_01815BD1
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01BF7120	0_2_01BF7120
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01BF33A8	0_2_01BF33A8
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01BF8CB8	0_2_01BF8CB8
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01BF3043	0_2_01BF3043
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01BF2E90	0_2_01BF2E90
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_01621127	7_2_01621127
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_01623000	7_2_01623000
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_01625BE0	7_2_01625BE0
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_01625BD1	7_2_01625BD1
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_018891D8	7_2_018891D8
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_018833A8	7_2_018833A8
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_01882FEF	7_2_01882FEF
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_032E9E00	7_2_032E9E00
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_0590D5D0	7_2_0590D5D0
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_05900CF0	7_2_05900CF0

Source: Receipt.exe	Static PE information: Resource name: RT_VERSION type: ARC archive data, packed
Source: Jzqbsob.exe.0.dr	Static PE information: Resource name: RT_VERSION type: ARC archive data, packed

Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameQnwarliipjooijoxqlleev.dll" vs Receipt.exe
Source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.530701855.0000000005891000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamethats.exe" vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.559896437.0000000005D91000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamethats.exe" vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Receipt.exe
Source: Receipt.exe, 00000000.00000002.461260742.00000000033B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamethats.exe" vs Receipt.exe
Source: Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Receipt.exe
Source: Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs Receipt.exe
Source: Receipt.exe, 00000007.00000000.457523111.0000000000702000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamethats.exe" vs Receipt.exe
Source: Receipt.exe, 00000007.00000003.470098072.000000000488E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUwtpxswhphuvnrulrb.dll" vs Receipt.exe

Source: Receipt.exe

ReversingLabs: Detection: 35%

Source: C:\Users\user\Desktop\Receipt.exe

File read: C:\Users\user\Desktop\Receipt.exe

Source: Receipt.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Receipt.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe "C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe "C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe"
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe	Jump to behavior

Source: C:\Users\user\Desktop\Receipt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\Receipt.exe

File created: C:\Users\user\AppData\Roaming\Bouqi

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_twhdr2os.ade.ps1

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/7@0/0

Source: C:\Users\user\Desktop\Receipt.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: Receipt.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Receipt.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_01

Source: C:\Users\user\Desktop\Receipt.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Yara detected Costura Assembly Loader

Source: Receipt.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Receipt.exe

Static file information: File size 4574208 > 1048576

Source: Receipt.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Receipt.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x44fc00

Source: Receipt.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256w^ source: Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match	File source: 0.2.Receipt.exe.6b00000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Receipt.exe.5010e10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Receipt.exe.5010e10.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Receipt.exe.5770000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Receipt.exe.6b00000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Receipt.exe.5bd1038.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Receipt.exe.4c90db0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.Receipt.exe.5bd1038.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Receipt.exe.4c50d90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Receipt.exe.5770000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.3.Receipt.exe.4c30d70.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.599774933.000000000360C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.618961337.000000000394C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.578345911.0000000006B00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.596522547.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.444317098.00000000059D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.614181534.000000000322B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.466500426.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.599218252.0000000003355000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.491615975.0000000005010000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.461260742.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.635737864.0000000005770000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.470098072.000000000488E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Receipt.exe PID: 4740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jzqbsob.exe PID: 676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Jzqbsob.exe PID: 2892, type: MEMORYSTR

Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01BFE0E0 push 0000003Bh; ret	0_2_01BFE0E2
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01BFE0D2 push 0000003Bh; ret	0_2_01BFE0D4
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01BFD2D5 push FFFFFF8Bh; retf	0_2_01BFD2DF
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 0_2_01BFDFA8 push 0000003Bh; ret	0_2_01BFDFAA
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_05909C4A pushfd ; retf	7_2_05909C51
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_05900FB0 push ss; ret	7_2_05900FE9
Source: C:\Users\user\Desktop\Receipt.exe	Code function: 7_2_05900F58 push ss; ret	7_2_05900FE9

Source: C:\Users\user\Desktop\Receipt.exe

File created: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Receipt.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Jzqbsob			Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Jzqbsob			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (102).png

Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\Receipt.exe TID: 5036	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 260	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 160	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\Receipt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 8239

Source: C:\Users\user\Desktop\Receipt.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Receipt.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Receipt.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Receipt.exe

Memory allocated: page read and write | page guard

Encrypted powershell cmdline option found

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Receipt.exe	Process created: Base64 decoded Start-Sleep -Seconds 50
Source: C:\Users\user\Desktop\Receipt.exe	Process created: Base64 decoded Start-Sleep -Seconds 50			Jump to behavior

Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Process created: C:\Users\user\Desktop\Receipt.exe C:\Users\user\Desktop\Receipt.exe	Jump to behavior

Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Users\user\Desktop\Receipt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Users\user\Desktop\Receipt.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Receipt.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Queries volume information: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Queries volume information: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Receipt.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: Receipt.exe, 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Receipt.exe, 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Source: Yara match	File source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Receipt.exe PID: 3492, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 PowerShell	1 Registry Run Keys / Startup Folder	11 Process Injection	11 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Remote Access Software	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
Receipt.exe	36%	ReversingLabs	Win32.Trojan.Woreflint
Receipt.exe	100%	Avira	HEUR/AGEN.1252994
Receipt.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	100%	Avira	HEUR/AGEN.1252994
C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe	36%	ReversingLabs	Win32.Trojan.Woreflint

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
7.0.Receipt.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1232002		Download File
0.0.Receipt.exe.c60000.0.unpack	100%	Avira	HEUR/AGEN.1252994		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://james.newtonking.com/projects/json	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.newtonsoft.com/json	Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.nuget.org/packages/Newtonsoft.Json.Bson	Receipt.exe, 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.467694143.00000000037A3000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000000.00000002.588758977.0000000006D50000.00000004.08000000.00040000.00000000.sdmp, Receipt.exe, 00000000.00000002.487184452.0000000004AB6000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.632548236.000000000449B000.00000004.00000800.00020000.00000000.sdmp, Receipt.exe, 00000007.00000002.601437093.00000000033DF000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000008.00000002.621710984.00000000039F4000.00000004.00000800.00020000.00000000.sdmp, Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://james.newtonking.com/projects/json	Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.newtonsoft.com/jsonschema	Jzqbsob.exe, 00000009.00000002.619058249.00000000032D3000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	714970
Start date and time:	2022-10-03 13:26:47 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Receipt.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@12/7@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 291 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:27:54	API Interceptor	13x Sleep call for process: powershell.exe modified
13:28:51	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Jzqbsob "C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe"
13:28:59	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Jzqbsob "C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe"
13:30:08	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\Receipt.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Receipt.exe.log

Process:	C:\Users\user\Desktop\Receipt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1039
Entropy (8bit):	5.3436815157474165
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhyE4KdE4KBLWE4K5AE4Kzr7a:MxHKXwYHKhQnoyHKdHKBqHK5AHKzva
MD5:	6C24176D343957C767AA6536571797FA
SHA1:	64512F67A49AF75E9A67474DF54FCCD3472905B2
SHA-256:	63AB82B5B458425DB1E0831E1BB8CA642C602D9BCB0762A1E47C7836CACF3350
SHA-512:	D0DFB30B723CC1F0ADB8D9448220AC67A1A21243499B7EB31402CAA0CE9F6A892073E10C52D132E59BF2321F05DBB0973B7E1026023992FC33DE5AB74A6979A4
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b880

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	5829
Entropy (8bit):	4.8968676994158
Encrypted:	false
SSDEEP:	96:WCJ2Woe5o2k6Lm5emmXIGvgyg12jDs+un/iQLEYFjDaeWJ6KGcmXx9smyFRLcU6f:5xoe5oVsm5emd0gkjDt4iWN3yBGHh9s6
MD5:	36DE9155D6C265A1DE62A448F3B5B66E
SHA1:	02D21946CBDD01860A0DE38D7EEC6CDE3A964FC3
SHA-256:	8BA38D55AA8F1E4F959E7223FDF653ABB9BE5B8B5DE9D116604E1ABB371C1C87
SHA-512:	C734ADE161FB89472B1DF9B9F062F4A53E7010D3FF99EDC0BD564540A56BC35743625C50A00635C31D165A74DCDBB330FFB878C5919D7B267F6F33D2AAB328E7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	16484
Entropy (8bit):	5.5525830267255625
Encrypted:	false
SSDEEP:	384:3te/Rq01vrCHRZ/09E4xn6uxRiJ9gSSJ3uzp1AYv:5HRRYE4x6ux1ScuRv
MD5:	5E720B8C48A8866D6D7D049C08C1599B
SHA1:	AEF8EF6A27518FF21B7555F3BCB91D967583706D
SHA-256:	2F3A54859BBB76612C9C67167CD509C02496CE435E753FBADDEDBFC781EA5704
SHA-512:	76BA201A564BB26F9B8AC3AA78D45FD5BD3260276971C9BCDD2B996148567BD69BC98C2BE5EECC25AFECFF41146DBB9E2CA74DDDA388DA4D15D6AC73D362FF57
Malicious:	false
Preview:	@...e...............................8.M..............@..........H...............<@.^.L."My...:'..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.............System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mjzqitn5.ybc.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_twhdr2os.ade.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe

Process:	C:\Users\user\Desktop\Receipt.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4574208
Entropy (8bit):	4.096422057850003
Encrypted:	false
SSDEEP:	24576:RzSiXemZQDLG5EeMRROEtrclFD0bWfeX7TXkQqAbTWP0BT3pWiQFEIJMmDwkchWa:
MD5:	59082912CB9D1D4ECE0567B1354D0F34
SHA1:	A3C3E88B6C905EAEE872BB21916C792A3EC1D7E7
SHA-256:	7EF24F6499DD9FC7809783A98FEBC44C2DC25A3F74D02C9BF8DDBAE0D3B781C6
SHA-512:	B0FF1A80EDF7A0D3CAC7882DE5626C2F54B415C63454C8AFE8D256560439D0B41709B57B1B0CE149E3D6B6859AB4DEFC3D39563E7C40731966E9310C4220EEF0
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 36%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....:c..............0...D...........E.. ........@.. ....................... F...........`.................................x.E.S.... E.......................F...................................................... ............... ..H............text.....D.. ....D................. ..`.rsrc........ E.......D.............@..@.reloc........F.......E.............@..B..................E.....H.......l.E..............................................................s....(......(.....0..`.......s......o....t....r...po......o....o.....1)~.....rI..p .......o....t....~.....(....&...,..o.............OU.......(....(......(.....(.... ..D......%.....(....o....(.......0..4.........(....o....o....(....s......o........,..o.....&...*.........%.........../.......0.......... ..........s...... ....(....o.....+<.o.............rq..p(..................o.......o.......o.....o..

C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe:Zone.Identifier

Process:	C:\Users\user\Desktop\Receipt.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.096422057850003
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Receipt.exe
File size:	4574208
MD5:	59082912cb9d1d4ece0567b1354d0f34
SHA1:	a3c3e88b6c905eaee872bb21916c792a3ec1d7e7
SHA256:	7ef24f6499dd9fc7809783a98febc44c2dc25a3f74d02c9bf8ddbae0d3b781c6
SHA512:	b0ff1a80edf7a0d3cac7882de5626c2f54b415c63454c8afe8d256560439d0b41709b57b1b0ce149e3d6b6859ab4defc3d39563e7c40731966e9310c4220eef0
SSDEEP:	24576:RzSiXemZQDLG5EeMRROEtrclFD0bWfeX7TXkQqAbTWP0BT3pWiQFEIJMmDwkchWa:
TLSH:	9326AEE9D16E04D5EC067EF598283EC34B3136B38EE40524277EBA444FB74BE8509D6A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....:c..............0...D...........E.. ........@.. ....................... F...........`................................

File Icon


Icon Hash:	7cf292aecae8e896

Static PE Info

General

Entrypoint:	0x851bce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x633AB216 [Mon Oct 3 09:57:42 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x451b78	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x452000	0xcc00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x460000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x44fbd4	0x44fc00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x452000	0xcc00	0xcc00	False	0.37946155024509803	data	5.009048473408761	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x460000	0xc	0x200	False	0.044921875	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "E"	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x452260	0x800	Device independent bitmap graphic, 48 x 96 x 4, image size 1152
RT_ICON	0x452a70	0x400	Device independent bitmap graphic, 32 x 64 x 4, image size 512
RT_ICON	0x452e80	0x200	Device independent bitmap graphic, 16 x 32 x 4, image size 128
RT_ICON	0x453090	0x1000	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors
RT_ICON	0x4540a0	0xa00	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors
RT_ICON	0x454ab0	0x800	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors
RT_ICON	0x4552c0	0x600	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors
RT_ICON	0x4558d0	0x4400	Device independent bitmap graphic, 64 x 128 x 32, image size 16896
RT_ICON	0x459ce0	0x2600	Device independent bitmap graphic, 48 x 96 x 32, image size 9600
RT_ICON	0x45c2f0	0x1200	Device independent bitmap graphic, 32 x 64 x 32, image size 4224
RT_ICON	0x45d500	0xa00	Device independent bitmap graphic, 24 x 48 x 32, image size 2400
RT_ICON	0x45df10	0x600	Device independent bitmap graphic, 16 x 32 x 32, image size 1088
RT_GROUP_ICON	0x45e520	0xae	data
RT_VERSION	0x45e5e0	0x31a	ARC archive data, packed
RT_MANIFEST	0x45e90c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Receipt.exePID: 4740, Parent PID: 3324

General

Target ID:	0
Start time:	13:27:40
Start date:	03/10/2022
Path:	C:\Users\user\Desktop\Receipt.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Receipt.exe
Imagebase:	0xc60000
File size:	4574208 bytes
MD5 hash:	59082912CB9D1D4ECE0567B1354D0F34
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000003.447622011.0000000005FD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.578345911.0000000006B00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000003.444317098.00000000059D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.466500426.00000000036FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.461260742.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: powershell.exePID: 5996, Parent PID: 4740

General

Target ID:	1
Start time:	13:27:52
Start date:	03/10/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
Imagebase:	0xb10000
File size:	430592 bytes
MD5 hash:	DBA3E6449E97D4E3DF64527EF7012A10
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: conhost.exePID: 6008, Parent PID: 5996

General

Target ID:	2
Start time:	13:27:52
Start date:	03/10/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7fcd70000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: Receipt.exePID: 2912, Parent PID: 4740

General

Target ID:	5
Start time:	13:28:53
Start date:	03/10/2022
Path:	C:\Users\user\Desktop\Receipt.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Receipt.exe
Imagebase:	0x350000
File size:	4574208 bytes
MD5 hash:	59082912CB9D1D4ECE0567B1354D0F34
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: Receipt.exePID: 572, Parent PID: 4740

General

Target ID:	6
Start time:	13:28:54
Start date:	03/10/2022
Path:	C:\Users\user\Desktop\Receipt.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Receipt.exe
Imagebase:	0x2a0000
File size:	4574208 bytes
MD5 hash:	59082912CB9D1D4ECE0567B1354D0F34
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: Receipt.exePID: 3492, Parent PID: 4740

General

Target ID:	7
Start time:	13:28:54
Start date:	03/10/2022
Path:	C:\Users\user\Desktop\Receipt.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Receipt.exe
Imagebase:	0xa70000
File size:	4574208 bytes
MD5 hash:	59082912CB9D1D4ECE0567B1354D0F34
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000007.00000002.634818451.0000000004556000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Windows_Trojan_Nanocore_d8c4e3c5, Description: unknown, Source: 00000007.00000002.633515113.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.599218252.0000000003355000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000003.491615975.0000000005010000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000002.635737864.0000000005770000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000007.00000003.470098072.000000000488E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: Jzqbsob.exePID: 676, Parent PID: 3324

General

Target ID:	8
Start time:	13:28:59
Start date:	03/10/2022
Path:	C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe"
Imagebase:	0xdb0000
File size:	4574208 bytes
MD5 hash:	59082912CB9D1D4ECE0567B1354D0F34
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000008.00000002.599774933.000000000360C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000008.00000002.618961337.000000000394C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 36%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: Jzqbsob.exePID: 2892, Parent PID: 3324

General

Target ID:	9
Start time:	13:29:08
Start date:	03/10/2022
Path:	C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Bouqi\Jzqbsob.exe"
Imagebase:	0x800000
File size:	4574208 bytes
MD5 hash:	59082912CB9D1D4ECE0567B1354D0F34
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.596522547.0000000002EEC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.614181534.000000000322B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low