
Analysis Report iOULCQFZba.bin

Overview

General Information

Sample Name: iOULCQFZba.bin (renamed file extension from bin to exe)
MD5: 964c22f7e89bf513de1c03964805855a
SHA1: 28cdd0673db28e5b383bcac81012206650a9a8db
SHA256: d6332d4b5b5984ebb39685164428ad0f1f1b04e82b14cd5d773bbdd0d4ad05dc

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
Contains functionality to detect sleep reduction / modifications
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality locales information (e.g. system language)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.1230238134.0000000000912000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.1230238134.0000000000912000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000001.00000002.1230238134.0000000000912000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000001.00000002.1229304922.0000000000439000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1e1e5:$x1: NanoCore.ClientPluginHost
  • 0x1e222:$x2: IClientNetworkHost
  • 0x21d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.1229304922.0000000000439000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.iOULCQFZba.exe.4bc0000.5.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
1.2.iOULCQFZba.exe.4bc0000.5.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
1.2.iOULCQFZba.exe.4bd0000.6.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
1.2.iOULCQFZba.exe.4bd0000.6.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
1.2.iOULCQFZba.exe.4bd0000.6.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

        Sigma Overview


        System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\iOULCQFZba.exe, ProcessId: 3728, TargetFilename: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\run.dat

        Signature Overview


        AV Detection:

Multi AV Scanner detection for submitted file
Source: iOULCQFZba.exe, Virustotal: Detection: 86%
Source: iOULCQFZba.exe, ReversingLabs: Detection: 90%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000001.00000002.1230238134.0000000000912000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1229304922.0000000000439000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000001.813848195.000000000044D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1235335106.0000000004BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1229186174.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.817497603.0000000002B49000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.817378207.0000000002B12000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1233858706.0000000003897000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1229447082.00000000004C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1230556901.0000000002102000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: iOULCQFZba.exe PID: 3728, type: MEMORY
Source: Yara match, File source: Process Memory Space: iOULCQFZba.exe PID: 2768, type: MEMORY
Source: Yara match, File source: 1.2.iOULCQFZba.exe.4bd0000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.iOULCQFZba.exe.4bd0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.iOULCQFZba.exe.4c0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.iOULCQFZba.exe.2100000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.iOULCQFZba.exe.4c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.iOULCQFZba.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.iOULCQFZba.exe.910000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.iOULCQFZba.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.iOULCQFZba.exe.2b10000.3.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: iOULCQFZba.exe, Joe Sandbox ML: detected
Source: 1.2.iOULCQFZba.exe.910000.2.unpack, Avira: Label: TR/Dropper.Gen
Source: 1.1.iOULCQFZba.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 1.2.iOULCQFZba.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 0.2.iOULCQFZba.exe.2b10000.3.unpack, Avira: Label: TR/Dropper.Gen
Source: 1.2.iOULCQFZba.exe.2100000.3.unpack, Avira: Label: TR/Dropper.MSIL.Gen7

Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 0_2_00408324 FindFirstFileA,GetLastError
Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 0_2_00408224 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime
Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 0_2_00405020 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn

Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 4x nop then push 00000000h, 0_2_0045B88C
Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 4x nop then pop ebx, 0_2_0045B88C
Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 4x nop then xor eax, eax, 0_2_0045B59C
Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 4x nop then mov al, byte ptr [esi], 0_2_0045B59C
Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 4x nop then mov edx, dword ptr [ebp+edi*4-00000420h], 0_2_0045B59C
Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 4x nop then inc ebx, 0_2_0045B59C
Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 4x nop then mov ecx, dword ptr [ebp+edi*4-00000420h], 0_2_0045B59C
Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 4x nop then and eax, 800000FFh, 0_2_0045B59C
Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 4x nop then inc dword ptr [ebp-10h], 0_2_0045B59C
Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 4x nop then movzx eax, word ptr [ebp-2Eh], 0_2_0045B758
Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 4x nop then mov ax, word ptr [ebp-30h], 0_2_0045B758

Source: global traffic, TCP traffic: 192.168.2.5:49741 -> 185.244.30.139:4050
Source: unknown, TCP traffic detected without corresponding DNS query: 185.244.30.139
Source: version.txt, String found in binary or memory: http://wf.html
Source: iOULCQFZba.exe, String found in binary or memory: http://wf.htmlDVarFileInfo$

Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 0_2_00439D70 GetKeyboardState,KiUserCallbackDispatcher
Source: iOULCQFZba.exe, 00000000.00000002.815104034.00000000007A0000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: iOULCQFZba.exe, 00000001.00000002.1235335106.0000000004BD0000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: 00000001.00000002.1230238134.0000000000912000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1229304922.0000000000439000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000001.813848195.000000000044D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1235335106.0000000004BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1229186174.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.817497603.0000000002B49000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.817378207.0000000002B12000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1233858706.0000000003897000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1229447082.00000000004C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1230556901.0000000002102000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: iOULCQFZba.exe PID: 3728, type: MEMORY
Source: Yara match, File source: Process Memory Space: iOULCQFZba.exe PID: 2768, type: MEMORY
Source: Yara match, File source: 1.2.iOULCQFZba.exe.4bd0000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.iOULCQFZba.exe.4bd0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.iOULCQFZba.exe.4c0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.iOULCQFZba.exe.2100000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.iOULCQFZba.exe.4c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.iOULCQFZba.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.iOULCQFZba.exe.910000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.iOULCQFZba.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.iOULCQFZba.exe.2b10000.3.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)Show sources
        Source: 00000001.00000002.1230238134.0000000000912000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.1230238134.0000000000912000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.1229304922.0000000000439000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.1229304922.0000000000439000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000001.813848195.000000000044D000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000001.813848195.000000000044D000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.1235318701.0000000004BC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.1235335106.0000000004BD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.1229186174.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.1229186174.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.817497603.0000000002B49000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.817497603.0000000002B49000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.817378207.0000000002B12000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.817378207.0000000002B12000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.1233858706.0000000003897000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.1229447082.00000000004C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.1229447082.00000000004C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000002.1230556901.0000000002102000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000001.00000002.1230556901.0000000002102000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: iOULCQFZba.exe PID: 3728, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: iOULCQFZba.exe PID: 3728, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: iOULCQFZba.exe PID: 2768, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: iOULCQFZba.exe PID: 2768, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.iOULCQFZba.exe.4bc0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.iOULCQFZba.exe.4bd0000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.iOULCQFZba.exe.4bd0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.iOULCQFZba.exe.4c0000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.iOULCQFZba.exe.4c0000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.iOULCQFZba.exe.2100000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.iOULCQFZba.exe.2100000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.iOULCQFZba.exe.4c0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.iOULCQFZba.exe.4c0000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.1.iOULCQFZba.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.1.iOULCQFZba.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.iOULCQFZba.exe.910000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.iOULCQFZba.exe.910000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 1.2.iOULCQFZba.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 1.2.iOULCQFZba.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.iOULCQFZba.exe.2b10000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.iOULCQFZba.exe.2b10000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 0_2_0043CCEC NtdllDefWindowProc_A,GetCapture,KiUserCallbackDispatcher,0_2_0043CCEC
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 0_2_0045777C NtdllDefWindowProc_A,0_2_0045777C
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 0_2_004263B8 NtdllDefWindowProc_A,0_2_004263B8
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 0_2_0044CA8C GetSubMenu,SaveDC,RestoreDC,7337B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_0044CA8C
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 0_2_00457F24 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_00457F24
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 0_2_00457FD4 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_00457FD4
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 0_2_007823F6 NtCreateSection,0_2_007823F6
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 0_2_00780BA6 SetThreadContext,NtResumeThread,GetThreadContext,0_2_00780BA6
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 0_2_00780EF0 VirtualAlloc,CreateProcessW,NtUnmapViewOfSection,0_2_00780EF0
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 0_2_00781033 NtQueryInformationProcess,NtQueryInformationProcess,0_2_00781033
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 0_2_00783E91 NtMapViewOfSection,0_2_00783E91
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 1_2_00440159 NtCreateSection,1_2_00440159
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 1_2_04961642 NtQuerySystemInformation,1_2_04961642
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 1_2_04961607 NtQuerySystemInformation,1_2_04961607
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 0_2_0044CA8C0_2_0044CA8C
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 0_2_00451C740_2_00451C74
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 0_2_00411D1D0_2_00411D1D
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 0_2_0041BEC40_2_0041BEC4
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 1_2_0040524A1_2_0040524A
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 1_2_0044A4A21_2_0044A4A2
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 1_2_004399761_2_00439976
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 1_2_0043F13D1_2_0043F13D
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 1_2_021D7AC61_2_021D7AC6
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 1_2_023632BB1_2_023632BB
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 1_2_023623A01_2_023623A0
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 1_2_02362FA81_2_02362FA8
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 1_2_023684681_2_02368468
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 1_2_023690681_2_02369068
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 1_2_023638501_2_02363850
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 1_2_0236AEF81_2_0236AEF8
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 1_2_0236937B1_2_0236937B
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 1_2_0236306F1_2_0236306F
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 1_2_0236912F1_2_0236912F
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 1_2_023699101_2_02369910
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: String function: 00406018 appears 63 times
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: String function: 00403EFC appears 70 times
        Source: iOULCQFZba.exeStatic PE information: Resource name: RT_DIALOG type: COM executable for DOS
        Source: iOULCQFZba.exeStatic PE information: Resource name: RT_DIALOG type: DOS executable (COM, 0x8C-variant)
        Source: iOULCQFZba.exeStatic PE information: Resource name: RT_DIALOG type: COM executable for DOS
        Source: iOULCQFZba.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
        Source: iOULCQFZba.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
        Source: iOULCQFZba.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
        Source: iOULCQFZba.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
        Source: iOULCQFZba.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
        Source: iOULCQFZba.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
        Source: iOULCQFZba.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
        Source: iOULCQFZba.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
        Source: iOULCQFZba.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
        Source: iOULCQFZba.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
        Source: iOULCQFZba.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
        Source: iOULCQFZba.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
        Source: iOULCQFZba.exe, 00000000.00000000.809839791.00000000004AE000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamegperf.exe, vs iOULCQFZba.exe
        Source: iOULCQFZba.exe, 00000000.00000002.815264890.0000000002280000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs iOULCQFZba.exe
        Source: iOULCQFZba.exe, 00000000.00000002.815018305.0000000000660000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs iOULCQFZba.exe
        Source: iOULCQFZba.exe, 00000001.00000002.1235335106.0000000004BD0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs iOULCQFZba.exe
        Source: iOULCQFZba.exe, 00000001.00000002.1235335106.0000000004BD0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs iOULCQFZba.exe
        Source: iOULCQFZba.exe, 00000001.00000002.1235318701.0000000004BC0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs iOULCQFZba.exe
        Source: iOULCQFZba.exe, 00000001.00000002.1234924931.0000000004950000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs iOULCQFZba.exe
        Source: iOULCQFZba.exe, 00000001.00000002.1235974227.0000000005770000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs iOULCQFZba.exe
        Source: iOULCQFZba.exeBinary or memory string: OriginalFilenamegperf.exe, vs iOULCQFZba.exe
        Yara matches (each rule's metadata is given once; every hit below names the rules it matched, in the order the report listed them):
        Rule Nanocore_RAT_Gen_2: date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Rule NanoCore: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Rule Nanocore_RAT_Feb18_1: date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000001.00000002.1230238134.0000000000912000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000001.00000002.1229304922.0000000000439000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000001.00000001.813848195.000000000044D000.00000040.00020000.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000001.00000002.1235318701.0000000004BC0000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 00000001.00000002.1235335106.0000000004BD0000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 00000001.00000002.1229186174.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000000.00000002.817497603.0000000002B49000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000000.00000002.817378207.0000000002B12000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 00000001.00000002.1233858706.0000000003897000.00000004.00000001.sdmp, type: MEMORY | Matched rules: NanoCore
        Source: 00000001.00000002.1229447082.00000000004C0000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 00000001.00000002.1230556901.0000000002102000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: Process Memory Space: iOULCQFZba.exe PID: 3728, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: Process Memory Space: iOULCQFZba.exe PID: 2768, type: MEMORY | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 1.2.iOULCQFZba.exe.4bc0000.5.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 1.2.iOULCQFZba.exe.4bd0000.6.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 1.2.iOULCQFZba.exe.4bd0000.6.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
        Source: 1.2.iOULCQFZba.exe.4c0000.1.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 1.2.iOULCQFZba.exe.2100000.3.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 1.2.iOULCQFZba.exe.4c0000.1.raw.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 1.1.iOULCQFZba.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1, NanoCore
        Source: 1.2.iOULCQFZba.exe.910000.2.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 1.2.iOULCQFZba.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 0.2.iOULCQFZba.exe.2b10000.3.unpack, type: UNPACKEDPE | Matched rules: Nanocore_RAT_Gen_2, NanoCore
        Source: 0.2.iOULCQFZba.exe.2b10000.3.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 0.2.iOULCQFZba.exe.2b10000.3.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 0.2.iOULCQFZba.exe.2b10000.3.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 1.2.iOULCQFZba.exe.910000.2.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 1.2.iOULCQFZba.exe.910000.2.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 1.2.iOULCQFZba.exe.910000.2.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 1.2.iOULCQFZba.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 1.2.iOULCQFZba.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 1.2.iOULCQFZba.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 0.2.iOULCQFZba.exe.2b10000.3.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 0.2.iOULCQFZba.exe.2b10000.3.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 1.2.iOULCQFZba.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 1.2.iOULCQFZba.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 1.2.iOULCQFZba.exe.910000.2.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 1.2.iOULCQFZba.exe.910000.2.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 1.2.iOULCQFZba.exe.2100000.3.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 1.2.iOULCQFZba.exe.2100000.3.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/1@0/1
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_0041E56C GetLastError,FormatMessageA,0_2_0041E56C
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 1_2_04961402 AdjustTokenPrivileges,1_2_04961402
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 1_2_049613CB AdjustTokenPrivileges,1_2_049613CB
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_00408582 GetDiskFreeSpaceA,0_2_00408582
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_00783B85 CreateToolhelp32Snapshot,VirtualAlloc,Process32FirstW,0_2_00783B85
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_004139C4 FindResourceA,0_2_004139C4
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | File created: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{52e05d5b-dcbb-4f70-86bd-eb80b3602ddc}
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: iOULCQFZba.exe | Virustotal: Detection: 86%
        Source: iOULCQFZba.exe | ReversingLabs: Detection: 90%
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | File read: C:\Users\user\Desktop\iOULCQFZba.exe
        Source: unknown | Process created: C:\Users\user\Desktop\iOULCQFZba.exe 'C:\Users\user\Desktop\iOULCQFZba.exe'
        Source: unknown | Process created: C:\Users\user\Desktop\iOULCQFZba.exe 'C:\Users\user\Desktop\iOULCQFZba.exe'
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Process created: C:\Users\user\Desktop\iOULCQFZba.exe 'C:\Users\user\Desktop\iOULCQFZba.exe'
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Window found: window name: TButton
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
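
Two of the behaviour hits above are worth correlating on a real endpoint: the sample starts a second copy of itself (the "Process created" entries where the parent and child image are the same path) and it creates a file under a bare-GUID folder directly below AppData\Roaming. The following is an added example, not code from Joe Sandbox, the sample or any project on this page. It assumes Sysmon-style event records (event ID 1 process creation with Image/ParentImage, event ID 11 file creation with TargetFilename); the events are constructed inline, and explorer.exe as the first parent and the file name settings.bin are placeholders the report does not state.

```python
"""Correlate two behaviours from the report over Sysmon-style events.

Added example for this report, not Joe Sandbox or NanoCore code. It looks
for (1) a process whose parent is another copy of the same image, which is
the self-spawn the report records under "Process created", and (2) a file
created in a bare-GUID directory directly under %AppData%\\Roaming, as in
the "File created" entry, and reports images that show both behaviours.
Field names follow Sysmon event IDs 1 and 11; the events are constructed.
"""
import re
from collections import defaultdict

# A GUID-named directory immediately below ...\AppData\Roaming\ (braces optional).
GUID_ROAMING_DIR = re.compile(
    r"\\AppData\\Roaming\\\{?[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}?(\\|$)",
    re.IGNORECASE,
)


def is_self_spawn(event: dict) -> bool:
    """Sysmon EID 1 where the child image path equals the parent image path."""
    return (event.get("EventID") == 1
            and event.get("Image", "").lower() == event.get("ParentImage", "").lower())


def is_guid_roaming_path(path: str) -> bool:
    """True for a path that is, or lies inside, a GUID-named folder under Roaming."""
    return GUID_ROAMING_DIR.search(path) is not None


def correlate(events) -> dict:
    """Map image path -> set of indicator names observed for that image."""
    hits = defaultdict(set)
    for ev in events:
        image = ev.get("Image", "")
        if is_self_spawn(ev):
            hits[image].add("self_spawn")
        if ev.get("EventID") == 11 and is_guid_roaming_path(ev.get("TargetFilename", "")):
            hits[image].add("guid_roaming_dir")
    return dict(hits)


def suspicious_images(events, required=("self_spawn", "guid_roaming_dir")) -> list:
    """Images for which every required indicator was observed."""
    return sorted(img for img, inds in correlate(events).items() if set(required) <= inds)


SAMPLE = r"C:\Users\user\Desktop\iOULCQFZba.exe"
# Constructed events: the two PIDs appear in the report, the explorer.exe
# parent and the "settings.bin" file name are placeholders, not report data.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3728, "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 2768, "Image": SAMPLE, "ParentImage": SAMPLE},
    {"EventID": 11, "ProcessId": 2768, "Image": SAMPLE,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\settings.bin"},
    # Benign-looking noise: a vendor updater writing into a normally named folder.
    {"EventID": 11, "ProcessId": 4100, "Image": r"C:\Program Files\Vendor\updater.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Vendor\cache.bin"},
]

if __name__ == "__main__":
    for img in suspicious_images(SAMPLE_EVENTS):
        print("suspicious:", img, sorted(correlate(SAMPLE_EVENTS)[img]))
```

Self-spawning alone is noisy (browsers and updaters do it), which is why the check requires both indicators for the same image before reporting. The Global\{GUID} mutex the report also records is not a Sysmon event and so is not used here; on hosts with handle auditing it would be a third signal to fold into the same correlation.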

        Data Obfuscation:

        Detected unpacking (changes PE section rights)
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Unpacked PE file: 1.2.iOULCQFZba.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;.reloc:R;.rsrc:R;
        Detected unpacking (creates a PE file in dynamic memory)
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Unpacked PE file: 1.2.iOULCQFZba.exe.2100000.3.unpack
        Detected unpacking (overwrites its own PE header)
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Unpacked PE file: 1.2.iOULCQFZba.exe.400000.0.unpack
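
The first signature above rests on a simple comparison: the section table of the image dumped from memory (CODE/DATA/BSS plus writable .idata and .tls) no longer matches the .text/.reloc/.rsrc layout of the file on disk, which is what you expect when a stub unpacks a different executable over itself. The following is an added example, not Joe Sandbox code and not the sandbox's own comparison logic. It reads the section table with struct alone (no pefile dependency), prints each section in the report's NAME:<E|R|W> notation, and flags a mismatch; the two images are constructed header-only PE files standing in for the disk and memory layouts the report lists.

```python
"""Render PE section rights in the report's notation and diff disk vs memory.

Added example for this report, not Joe Sandbox code. It parses the PE
section table with the standard library only, formats each section as
NAME:<E|R|W> like the report's "Unpacked PE file" line, and reports when a
memory dump's section table differs from the file it was loaded from.
The two images below are constructed minimal PE headers, not the sample.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def section_rights(image: bytes) -> list:
    """Return [(name, flags)] with flags a subset of 'ERW', in section-table order."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image (header overwritten or not a PE)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                 # first IMAGE_SECTION_HEADER
    rights = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = struct.unpack_from("8s", image, hdr)[0].rstrip(b"\0")
        chars = struct.unpack_from("<I", image, hdr + 36)[0]   # Characteristics
        flags = ""
        if chars & IMAGE_SCN_MEM_EXECUTE:
            flags += "E"
        if chars & IMAGE_SCN_MEM_READ:
            flags += "R"
        if chars & IMAGE_SCN_MEM_WRITE:
            flags += "W"
        rights.append((name.decode("ascii", "replace"), flags))
    return rights


def render_rights(rights) -> str:
    """Format like the report: 'CODE:ER;DATA:W;...;'."""
    return "".join(f"{name}:{flags};" for name, flags in rights)


def section_table_changed(on_disk: bytes, in_memory: bytes) -> bool:
    """Unpacking indicator: the dumped image's section table differs from disk."""
    return section_rights(on_disk) != section_rights(in_memory)


def build_pe(sections) -> bytes:
    """Construct a header-only PE32 image (not loadable) with the given sections."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    optional = bytes(224)                                  # PE32 optional header, unused here
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(optional), 0x0102)
    headers = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii"), 0, 0, 0, 0, 0, 0, 0, 0, chars)
        for name, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + optional + headers


E, R, W = IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
# Constructed stand-ins for the two layouts the report lists for 400000.0.unpack.
DISK_IMAGE = build_pe([(".text", E | R), (".reloc", R), (".rsrc", R)])
MEMORY_IMAGE = build_pe([("CODE", E | R), ("DATA", W), ("BSS", W), (".idata", W),
                         (".tls", W), (".rdata", R), (".reloc", R), (".rsrc", R)])

if __name__ == "__main__":
    print("disk  :", render_rights(section_rights(DISK_IMAGE)))
    print("memory:", render_rights(section_rights(MEMORY_IMAGE)))
    print("section table changed:", section_table_changed(DISK_IMAGE, MEMORY_IMAGE))
```

One caveat follows from the third signature in this group: a sample that overwrites its own PE header leaves a raw dump without a usable MZ/PE header, and section_rights() raises on it. Run the comparison on the rebuilt .unpack image the sandbox produced, or on a dump taken before the header is destroyed, rather than on an arbitrary region snapshot.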
        Source: C:\Users\user\Desktop\iOULCQFZba.exeCode function: 0_2_00425184 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00425184
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_0044429C push 00444329h; ret 0_2_00444321
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_00426180 push 004261D9h; ret 0_2_004261D1
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_0042C264 push 0042C2A6h; ret 0_2_0042C29E
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_00444234 push 0044429Ah; ret 0_2_00444292
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_004284D8 push ecx; mov dword ptr [esp], ecx 0_2_004284DC
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_0041A504 push ecx; mov dword ptr [esp], edx 0_2_0041A509
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_004325F0 push 0043261Ch; ret 0_2_00432614
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_00410662 push 004106DAh; ret 0_2_004106D2
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_00410664 push 004106DAh; ret 0_2_004106D2
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_004106DC push 00410784h; ret 0_2_0041077C
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_00432758 push 00432784h; ret 0_2_0043277C
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_004287E8 push 0042880Eh; ret 0_2_00428806
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_004267F8 push 0042683Bh; ret 0_2_00426833
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_0042884C push 00428878h; ret 0_2_00428870
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_00426878 push 004268A4h; ret 0_2_0042689C
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_00410880 push 004108ACh; ret 0_2_004108A4
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_0040688C push ecx; mov dword ptr [esp], eax 0_2_0040688D
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_004268B0 push 004268E8h; ret 0_2_004268E0
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_00426944 push 00426970h; ret 0_2_00426968
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_004169FC push ecx; mov dword ptr [esp], edx 0_2_004169FE
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_00426A74 push 00426AA0h; ret 0_2_00426A98
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_00406A78 push 00406AA4h; ret 0_2_00406A9C
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_00426A14 push 00426A47h; ret 0_2_00426A3F
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_00424A3C push 00424A7Ah; ret 0_2_00424A72
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_00426AC4 push 00426B07h; ret 0_2_00426AFF
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_00424A84 push 00424AB0h; ret 0_2_00424AA8
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_00406AB0 push 00406ADCh; ret 0_2_00406AD4
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_00424ABC push 00424AF4h; ret 0_2_00424AEC
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_00422B24 push 00422BF4h; ret 0_2_00422BEC
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_00426B2C push 00426B6Fh; ret 0_2_00426B67
        Source: C:\Users\user\Desktop\iOULCQFZba.exe | Code function: 0_2_00426BE8 push 00426C33h; ret 0_2_00426C2B
        Source: 0.2.iOULCQFZba.exe.2b10000.3.unpack, 1.2.iOULCQFZba.exe.910000.2.unpack, 1.2.iOULCQFZba.exe.400000.0.unpack and 1.2.iOULCQFZba.exe.2100000.3.unpack (identical hit in each), #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 0.2.iOULCQFZba.exe.2b10000.3.unpack, 1.2.iOULCQFZba.exe.910000.2.unpack, 1.2.iOULCQFZba.exe.400000.0.unpack and 1.2.iOULCQFZba.exe.2100000.3.unpack (identical hit in each), #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\iOULCQFZba.exe, File opened: C:\Users\user\Desktop\iOULCQFZba.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 0_2_0045482C SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,0_2_0045482C
        Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 0_2_00457804 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,0_2_00457804
        Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 0_2_0043E410 IsIconic,GetCapture,0_2_0043E410
        Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 0_2_0043ECC4 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,0_2_0043ECC4
        Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 0_2_004234CC MonitorFromWindow,MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect,0_2_004234CC
        Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 0_2_0043F5E8 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,0_2_0043F5E8
        Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 0_2_00457F24 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_00457F24
        Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 0_2_00457FD4 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_00457FD4
        Source: C:\Users\user\Desktop\iOULCQFZba.exe, Code function: 0_2_00425184 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00425184
        Source: C:\Users\user\Desktop\iOULCQFZba.exe, Process information set: NOOPENFILEERRORBOX