

Analysis Report test.exe

Overview

General Information

Sample Name:test.exe
MD5:b98dace620ab0b2946bde862fdd5c6da
SHA1:266a8e6eeea1241015c598b55d0b9d508fbcd5d8
SHA256:f869ca8af6fb4e313d7c66b9b883c8429808dc9b01d5dfb66e6ec16c4fccb86b

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Contains functionality to detect sleep reduction / modifications
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality locales information (e.g. system language)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Startup

  • System is w10x64
  • test.exe (PID: 400 cmdline: 'C:\Users\user\Desktop\test.exe' MD5: B98DACE620AB0B2946BDE862FDD5C6DA)
    • test.exe (PID: 2872 cmdline: 'C:\Users\user\Desktop\test.exe' MD5: B98DACE620AB0B2946BDE862FDD5C6DA)
      • schtasks.exe (PID: 3580 cmdline: 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp67AA.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • test.exe (PID: 1228 cmdline: C:\Users\user\Desktop\test.exe 0 MD5: B98DACE620AB0B2946BDE862FDD5C6DA)
    • test.exe (PID: 4628 cmdline: C:\Users\user\Desktop\test.exe 0 MD5: B98DACE620AB0B2946BDE862FDD5C6DA)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["255.255.255.255", "46.36.38.133"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000002.00000002.1245481117.00000000020F2000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000002.00000002.1245481117.00000000020F2000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000002.00000002.1245481117.00000000020F2000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
Source: 00000002.00000002.1244361706.0000000000402000.00000040.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000002.00000002.1244361706.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 2.2.test.exe.4aa0000.5.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 2.2.test.exe.4aa0000.5.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
Source: 2.2.test.exe.53a0000.7.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
Source: 2.2.test.exe.53a0000.7.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
Source: 2.2.test.exe.53a0000.7.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Sigma Overview


System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\test.exe, ProcessId: 2872, TargetFilename: C:\Users\user\AppData\Roaming\59407D34-C8C5-44DF-A766-BA8A11CB1CB0\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp67AA.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp67AA.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\test.exe', ParentImage: C:\Users\user\Desktop\test.exe, ParentProcessId: 2872, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'WPA Service' /xml 'C:\Users\user\AppData\Local\Temp\tmp67AA.tmp', ProcessId: 3580

Signature Overview



AV Detection:

Found malware configuration
Source: test.exe.4628.6.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["255.255.255.255", "46.36.38.133"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for submitted file
Source: test.exe | Virustotal: Detection: 52%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000002.00000002.1245481117.00000000020F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1244361706.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1251253753.00000000053A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.873179913.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1245587466.0000000002132000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1249553061.00000000038C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.850676518.00000000027C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.834929819.00000000027F9000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1244482993.0000000000439000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000001.848086290.0000000000439000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.850823933.00000000027F9000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1245373768.00000000020B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.873482604.0000000000439000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.882132495.0000000002760000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.877803632.00000000020F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.831513577.0000000000439000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.877701586.00000000020B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.834784193.00000000027C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.877932726.0000000002132000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.882255649.0000000003760000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: test.exe PID: 400, type: MEMORY
Source: Yara match | File source: Process Memory Space: test.exe PID: 1228, type: MEMORY
Source: Yara match | File source: Process Memory Space: test.exe PID: 2872, type: MEMORY
Source: Yara match | File source: Process Memory Space: test.exe PID: 4628, type: MEMORY
Source: Yara match | File source: 2.2.test.exe.53a0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.test.exe.2130000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.test.exe.20b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.test.exe.20b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.test.exe.53a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.test.exe.20b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.test.exe.20b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.test.exe.2130000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.test.exe.2770000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.1.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.test.exe.27c0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.test.exe.27c0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.test.exe.20f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.test.exe.20f0000.2.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: test.exe | Joe Sandbox ML: detected
Source: 2.1.test.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 5.2.test.exe.27c0000.3.unpack | Avira: Label: TR/Dropper.Gen
Source: 6.2.test.exe.20f0000.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 2.2.test.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.2.test.exe.2770000.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 6.2.test.exe.400000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.2.test.exe.27c0000.3.unpack | Avira: Label: TR/Dropper.Gen
Source: 6.2.test.exe.2130000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.test.exe.20f0000.2.unpack | Avira: Label: TR/Dropper.Gen
Source: 2.2.test.exe.2130000.3.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_0040504C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_0040504C
Source: C:\Users\user\Desktop\test.exe | Code function: 5_2_0040504C GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 5_2_0040504C

Source: C:\Users\user\Desktop\test.exe | Code function: 4x nop then push 00458B48h 0_2_00452310
Source: C:\Users\user\Desktop\test.exe | Code function: 4x nop then movzx eax, word ptr [ebp-3Ah] 0_2_00452310
Source: C:\Users\user\Desktop\test.exe | Code function: 4x nop then push 00458B48h 5_2_00452310
Source: C:\Users\user\Desktop\test.exe | Code function: 4x nop then movzx eax, word ptr [ebp-3Ah] 5_2_00452310

Source: Joe Sandbox View | ASN Name: unknown unknown
Source: C:\Users\user\Desktop\test.exe | Code function: 2_2_04A43196 WSARecv, 2_2_04A43196
Source: unknown | DNS traffic detected: queries for: cyprusboy123.hopto.org
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown | Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown | Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745

Source: C:\Users\user\Desktop\test.exe | Code function: 5_2_0041EFE0 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 5_2_0041EFE0
Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_0043264C GetKeyboardState, 0_2_0043264C
Source: test.exe, 00000002.00000002.1251253753.00000000053A0000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000002.00000002.1245481117.00000000020F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1244361706.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1251253753.00000000053A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.873179913.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1245587466.0000000002132000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1249553061.00000000038C7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.850676518.00000000027C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.834929819.00000000027F9000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1244482993.0000000000439000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000001.848086290.0000000000439000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.850823933.00000000027F9000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1245373768.00000000020B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.873482604.0000000000439000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.882132495.0000000002760000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.877803632.00000000020F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.831513577.0000000000439000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.877701586.00000000020B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.834784193.00000000027C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.877932726.0000000002132000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.882255649.0000000003760000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: test.exe PID: 400, type: MEMORY
Source: Yara match | File source: Process Memory Space: test.exe PID: 1228, type: MEMORY
Source: Yara match | File source: Process Memory Space: test.exe PID: 2872, type: MEMORY
Source: Yara match | File source: Process Memory Space: test.exe PID: 4628, type: MEMORY
Source: Yara match | File source: 2.2.test.exe.53a0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.test.exe.2130000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.test.exe.20b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.test.exe.20b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.test.exe.53a0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.test.exe.20b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.test.exe.20b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.test.exe.2130000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.test.exe.2770000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.1.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.test.exe.27c0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.test.exe.27c0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.test.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.test.exe.20f0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.test.exe.20f0000.2.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.1245481117.00000000020F2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.1245481117.00000000020F2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.1244361706.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.1244361706.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.1251253753.00000000053A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.1250520882.0000000004AA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.873179913.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.873179913.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.1245587466.0000000002132000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.1245587466.0000000002132000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.1249553061.00000000038C7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.850676518.00000000027C2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.850676518.00000000027C2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.834929819.00000000027F9000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.834929819.00000000027F9000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.1244482993.0000000000439000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.1244482993.0000000000439000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000001.848086290.0000000000439000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000001.848086290.0000000000439000.00000040.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.850823933.00000000027F9000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.850823933.00000000027F9000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.1245373768.00000000020B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.1245373768.00000000020B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.873482604.0000000000439000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.873482604.0000000000439000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.882132495.0000000002760000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.877803632.00000000020F2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.877803632.00000000020F2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000001.831513577.0000000000439000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000001.831513577.0000000000439000.00000040.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.877701586.00000000020B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.877701586.00000000020B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.834784193.00000000027C2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.834784193.00000000027C2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.877932726.0000000002132000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.877932726.0000000002132000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.882255649.0000000003760000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: test.exe PID: 400, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: test.exe PID: 400, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: test.exe PID: 1228, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: test.exe PID: 1228, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: test.exe PID: 2872, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: test.exe PID: 2872, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: test.exe PID: 4628, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: test.exe PID: 4628, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.test.exe.4aa0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.test.exe.53a0000.7.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.test.exe.2130000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.test.exe.2130000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.test.exe.20b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.test.exe.20b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.test.exe.20b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.test.exe.20b0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.test.exe.53a0000.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.test.exe.20b0000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.test.exe.20b0000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.test.exe.20b0000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.test.exe.20b0000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.test.exe.2130000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.test.exe.2130000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.test.exe.2770000.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.test.exe.2770000.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.1.test.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.1.test.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.1.test.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.1.test.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.test.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.test.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.test.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.test.exe.27c0000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.test.exe.27c0000.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.test.exe.27c0000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.test.exe.20f0000.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.test.exe.27c0000.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.test.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.test.exe.20f0000.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.test.exe.20f0000.2.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.test.exe.20f0000.2.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_004528C2 NtMapViewOfSection, 0_2_004528C2
Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_0045297C NtQueryInformationProcess,NtQueryInformationProcess, 0_2_0045297C
Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_0044FDF4 NtdllDefWindowProc_A, 0_2_0044FDF4
Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_0045059C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 0_2_0045059C
Source: C:\Users\user\Desktop\test.exe | Code function: 0_2_004265B4 NtdllDefWindowProc_A, 0_2_004265B4
        Source: C:\Users\user\Desktop\test.exeCode function: 0_2_0045064C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_0045064C
        Source: C:\Users\user\Desktop\test.exeCode function: 0_2_00445120 GetSubMenu,SaveDC,RestoreDC,7337B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_00445120
        Source: C:\Users\user\Desktop\test.exeCode function: 0_2_004355C8 NtdllDefWindowProc_A,GetCapture,0_2_004355C8
        Source: C:\Users\user\Desktop\test.exeCode function: 2_2_00440159 NtCreateSection,2_2_00440159
        Source: C:\Users\user\Desktop\test.exeCode function: 2_2_04A41A02 NtQuerySystemInformation,2_2_04A41A02
        Source: C:\Users\user\Desktop\test.exeCode function: 2_2_04A419C7 NtQuerySystemInformation,2_2_04A419C7
        Source: C:\Users\user\Desktop\test.exeCode function: 2_1_00440159 NtCreateSection,2_1_00440159
        Source: C:\Users\user\Desktop\test.exeCode function: 5_2_004528C2 NtMapViewOfSection,5_2_004528C2
        Source: C:\Users\user\Desktop\test.exeCode function: 5_2_0045297C NtQueryInformationProcess,NtQueryInformationProcess,5_2_0045297C
        Source: C:\Users\user\Desktop\test.exeCode function: 5_2_0044FDF4 NtdllDefWindowProc_A,5_2_0044FDF4
        Source: C:\Users\user\Desktop\test.exeCode function: 5_2_0045059C IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,5_2_0045059C
        Source: C:\Users\user\Desktop\test.exeCode function: 5_2_004265B4 NtdllDefWindowProc_A,5_2_004265B4
        Source: C:\Users\user\Desktop\test.exeCode function: 5_2_0045064C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,5_2_0045064C
        Source: C:\Users\user\Desktop\test.exeCode function: 5_2_00445120 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,5_2_00445120
        Source: C:\Users\user\Desktop\test.exeCode function: 5_2_004355C8 NtdllDefWindowProc_A,GetCapture,5_2_004355C8
        Source: C:\Users\user\Desktop\test.exeCode function: 6_2_00440159 NtCreateSection,6_2_00440159
        Source: C:\Users\user\Desktop\test.exeCode function: 6_1_00440159 NtCreateSection,6_1_00440159
        Source: C:\Users\user\Desktop\test.exeCode function: 0_2_0044A2EC0_2_0044A2EC
        Source: C:\Users\user\Desktop\test.exeCode function: 0_2_004451200_2_00445120
        Source: C:\Users\user\Desktop\test.exeCode function: 2_2_0040524A2_2_0040524A
        Source: C:\Users\user\Desktop\test.exeCode function: 2_2_0044A4A22_2_0044A4A2
        Source: C:\Users\user\Desktop\test.exeCode function: 2_2_004399762_2_00439976
        Source: C:\Users\user\Desktop\test.exeCode function: 2_2_0043F13D2_2_0043F13D
        Source: C:\Users\user\Desktop\test.exeCode function: 2_2_028186A82_2_028186A8
        Source: C:\Users\user\Desktop\test.exeCode function: 2_2_028192A82_2_028192A8
        Source: C:\Users\user\Desktop\test.exeCode function: 2_2_028132BB2_2_028132BB
        Source: C:\Users\user\Desktop\test.exeCode function: 2_2_028123A02_2_028123A0
        Source: C:\Users\user\Desktop\test.exeCode function: 2_2_02812FA82_2_02812FA8
        Source: C:\Users\user\Desktop\test.exeCode function: 2_2_0281AF782_2_0281AF78
        Source: C:\Users\user\Desktop\test.exeCode function: 2_2_028138502_2_02813850
        Source: C:\Users\user\Desktop\test.exeCode function: 2_2_02819B502_2_02819B50
        Source: C:\Users\user\Desktop\test.exeCode function: 2_2_0281936F2_2_0281936F
        Source: C:\Users\user\Desktop\test.exeCode function: 2_2_0281306F2_2_0281306F
        Source: C:\Users\user\Desktop\test.exeCode function: 2_2_028195BB2_2_028195BB
        Source: C:\Users\user\Desktop\test.exeCode function: 2_1_0044A4A22_1_0044A4A2
        Source: C:\Users\user\Desktop\test.exeCode function: 2_1_004399762_1_00439976
        Source: C:\Users\user\Desktop\test.exeCode function: 2_1_0043F13D2_1_0043F13D
        Source: C:\Users\user\Desktop\test.exeCode function: 5_2_0044A2EC5_2_0044A2EC
        Source: C:\Users\user\Desktop\test.exeCode function: 5_2_004451205_2_00445120
        Source: C:\Users\user\Desktop\test.exeCode function: 6_2_0044A4A26_2_0044A4A2
        Source: C:\Users\user\Desktop\test.exeCode function: 6_2_004399766_2_00439976
        Source: C:\Users\user\Desktop\test.exeCode function: 6_2_0043F13D6_2_0043F13D
        Source: C:\Users\user\Desktop\test.exeCode function: 6_2_049332BB6_2_049332BB
        Source: C:\Users\user\Desktop\test.exeCode function: 6_2_049323A06_2_049323A0
        Source: C:\Users\user\Desktop\test.exeCode function: 6_2_04932FA86_2_04932FA8
        Source: C:\Users\user\Desktop\test.exeCode function: 6_2_049338506_2_04933850
        Source: C:\Users\user\Desktop\test.exeCode function: 6_2_0493306F6_2_0493306F
        Source: C:\Users\user\Desktop\test.exeCode function: 6_1_0044A4A26_1_0044A4A2
        Source: C:\Users\user\Desktop\test.exeCode function: 6_1_004399766_1_00439976
        Source: C:\Users\user\Desktop\test.exeCode function: 6_1_0043F13D6_1_0043F13D
        Source: C:\Users\user\Desktop\test.exeCode function: String function: 00406024 appears 126 times
        Source: C:\Users\user\Desktop\test.exeCode function: String function: 00439F3C appears 72 times
        Source: C:\Users\user\Desktop\test.exeCode function: String function: 004035B0 appears 46 times
        Source: C:\Users\user\Desktop\test.exeCode function: String function: 0044034A appears 36 times
        Source: C:\Users\user\Desktop\test.exeCode function: String function: 00405D10 appears 32 times
        Source: C:\Users\user\Desktop\test.exeCode function: String function: 0043936B appears 64 times
        Source: C:\Users\user\Desktop\test.exeCode function: String function: 00403F98 appears 40 times
        Source: C:\Users\user\Desktop\test.exeCode function: String function: 0040D6F8 appears 42 times
        Source: C:\Users\user\Desktop\test.exeCode function: String function: 00403F74 appears 135 times
        Source: test.exeStatic PE information: Resource name: RT_CURSOR type: COM executable for DOS
        Source: test.exeStatic PE information: Resource name: RT_CURSOR type: COM executable for DOS
        Source: test.exeStatic PE information: Resource name: RT_CURSOR type: COM executable for DOS
        Source: test.exeStatic PE information: Resource name: RT_CURSOR type: DOS executable (COM, 0x8C-variant)
        Source: test.exeStatic PE information: Resource name: RT_CURSOR type: COM executable for DOS
        Source: test.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
        Source: test.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: test.exe, 00000000.00000002.833750553.0000000002210000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs test.exe
        Source: test.exe, 00000002.00000002.1251253753.00000000053A0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs test.exe
        Source: test.exe, 00000002.00000002.1251253753.00000000053A0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs test.exe
        Source: test.exe, 00000002.00000002.1250520882.0000000004AA0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs test.exe
        Source: test.exe, 00000002.00000002.1248035449.0000000002860000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs test.exe
        Source: test.exe, 00000002.00000002.1251641256.0000000005DD0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs test.exe
        Source: test.exe, 00000005.00000002.849445931.0000000002200000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs test.exe
        Source: test.exe, 00000006.00000002.883042696.0000000004A40000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs test.exe
        Source: test.exe, 00000006.00000002.882132495.0000000002760000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs test.exe
        Source: test.exe, 00000006.00000002.882132495.0000000002760000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs test.exe
        Source: test.exe, 00000006.00000002.882255649.0000000003760000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs test.exe
        Source: 00000002.00000002.1245481117.00000000020F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.1245481117.00000000020F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.1244361706.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.1244361706.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.1251253753.00000000053A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.1251253753.00000000053A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000002.00000002.1250520882.0000000004AA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.1250520882.0000000004AA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000006.00000002.873179913.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.873179913.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.1245587466.0000000002132000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.1245587466.0000000002132000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.1249553061.00000000038C7000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.850676518.00000000027C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.850676518.00000000027C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.834929819.00000000027F9000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.834929819.00000000027F9000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.1244482993.0000000000439000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.1244482993.0000000000439000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000001.848086290.0000000000439000.00000040.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000001.848086290.0000000000439000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000005.00000002.850823933.00000000027F9000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.850823933.00000000027F9000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000002.1245373768.00000000020B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000002.1245373768.00000000020B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000002.00000002.1245373768.00000000020B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.873482604.0000000000439000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.873482604.0000000000439000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.882132495.0000000002760000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.877803632.00000000020F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.877803632.00000000020F2000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000002.00000001.831513577.0000000000439000.00000040.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000002.00000001.831513577.0000000000439000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.877701586.00000000020B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.877701586.00000000020B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000006.00000002.877701586.00000000020B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.834784193.00000000027C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.834784193.00000000027C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.877932726.0000000002132000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.877932726.0000000002132000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.882255649.0000000003760000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: test.exe PID: 400, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: test.exe PID: 400, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: test.exe PID: 1228, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: test.exe PID: 1228, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: test.exe PID: 2872, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: test.exe PID: 2872, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: test.exe PID: 4628, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: test.exe PID: 4628, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe,