
Analysis Report SecuriteInfo.com.Trojan.Nanocore.23.19592.12914

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Nanocore.23.19592.12914 (renamed file extension from 12914 to exe)
Analysis ID: 255587
MD5: c6eadbeef2558b9cc3620bedd9a44c26
SHA1: cc6dfc73f48357a5c0f6e0a2ed50c0efac436be1
SHA256: cbaa36e6dfc82d307e840bb2ed3e1322fb07b5086530abee2ae29fa99a355b26

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • dhcpmon.exe (PID: 3892 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: C6EADBEEF2558B9CC3620BEDD9A44C26)
    • dhcpmon.exe (PID: 1284 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: C6EADBEEF2558B9CC3620BEDD9A44C26)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["255.255.255.255"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.527737978.00000000053E0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000002.00000002.527737978.00000000053E0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
00000002.00000002.528032005.0000000005680000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000002.00000002.528032005.0000000005680000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000002.00000002.528032005.0000000005680000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(list truncated; the report lists 36 entries)

Unpacked PEs

Source | Rule | Description | Author
2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.53e0000.4.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.53e0000.4.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.5680000.6.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.5680000.6.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.5680000.6.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(list truncated; the report lists 15 entries)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe, ProcessId: 5876, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: dhcpmon.exe.1284.11.memstr; Malware Configuration Extractor: NanoCore {"C2: ": ["255.255.255.255"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Yara detected Nanocore RAT
Source: Yara match; File source: 00000002.00000002.528032005.0000000005680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.268331034.0000000006E11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.320412929.00000000029C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.519136465.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.317016768.00000000005C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.525808934.0000000003D97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.303915399.0000000006371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.320604650.00000000039C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe PID: 5876, type: MEMORY
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 3892, type: MEMORY
Source: Yara match; File source: Process Memory Space: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe PID: 7160, type: MEMORY
Source: Yara match; File source: Process Memory Space: dhcpmon.exe PID: 1284, type: MEMORY
Source: Yara match; File source: 2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.5680000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.5680000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.dhcpmon.exe.5c0000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe; Joe Sandbox ML: detected
Source: unknown; DNS traffic detected: queries for: crc2k18.mooo.com
Source: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe, 00000002.00000002.528032005.0000000005680000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT (the matched sources are identical to the list under AV Detection above)

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.527737978.00000000053E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000002.00000002.528032005.0000000005680000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.268331034.0000000006E11000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.268331034.0000000006E11000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.320412929.00000000029C1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.519136465.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000002.00000002.519136465.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.317016768.00000000005C2000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 0000000B.00000002.317016768.00000000005C2000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.525808934.0000000003D97000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.303915399.0000000006371000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000009.00000002.303915399.0000000006371000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000B.00000002.320604650.00000000039C1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe PID: 5876, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe PID: 5876, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 3892, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 3892, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe PID: 7160, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe PID: 7160, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 1284, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 1284, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.53e0000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.5680000.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.5680000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 11.2.dhcpmon.exe.5c0000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 11.2.dhcpmon.exe.5c0000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe; Code function: 2_2_050717F2 NtQuerySystemInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe; Code function: 2_2_050717B7 NtQuerySystemInformation
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 9_2_024A4CA09_2_024A4CA0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 9_2_024A4EA19_2_024A4EA1
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 9_2_024A4CB09_2_024A4CB0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 9_2_024A39489_2_024A3948
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 9_2_024A9D409_2_024A9D40
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 9_2_024A7D5E9_2_024A7D5E
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 9_2_024A89089_2_024A8908
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 9_2_024A83289_2_024A8328
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 9_2_024A39389_2_024A3938
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 9_2_024A77D89_2_024A77D8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 9_2_024A97E29_2_024A97E2
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 9_2_024A71F09_2_024A71F0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 9_2_024A45809_2_024A4580
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 9_2_024A77809_2_024A7780
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 9_2_024A7D909_2_024A7D90
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 9_2_024A71BC9_2_024A71BC
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 11_2_0255385011_2_02553850
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 11_2_025523A011_2_025523A0
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 11_2_02552FA811_2_02552FA8
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 11_2_0255306F11_2_0255306F
      Source: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe, 00000000.00000002.277664211.000000000A9E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.Trojan.Nanocore.23.19592.exe
      Source: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe, 00000000.00000002.266259163.0000000000BC2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWindowsFormsApplication1.exeT vs SecuriteInfo.com.Trojan.Nanocore.23.19592.exe
      Source: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe, 00000000.00000002.268331034.0000000006E11000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBootstrapCS.exe8 vs SecuriteInfo.com.Trojan.Nanocore.23.19592.exe
      Source: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe, 00000000.00000002.269229915.00000000079D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Trojan.Nanocore.23.19592.exe
      Source: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe, 00000002.00000002.527737978.00000000053E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs SecuriteInfo.com.Trojan.Nanocore.23.19592.exe
      Source: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe, 00000002.00000002.528032005.0000000005680000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs SecuriteInfo.com.Trojan.Nanocore.23.19592.exe
      Source: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe, 00000002.00000002.528032005.0000000005680000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs SecuriteInfo.com.Trojan.Nanocore.23.19592.exe
      Source: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe, 00000002.00000002.527011070.0000000005060000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Trojan.Nanocore.23.19592.exe
      Source: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe, 00000002.00000002.520808762.0000000000C7A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs SecuriteInfo.com.Trojan.Nanocore.23.19592.exe
      Source: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe, 00000002.00000002.528538280.00000000061A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SecuriteInfo.com.Trojan.Nanocore.23.19592.exe
      Source: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe, 00000002.00000002.527658695.0000000005380000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.Trojan.Nanocore.23.19592.exe
      Source: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe, 00000002.00000000.265484332.0000000000652000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameWindowsFormsApplication1.exeT vs SecuriteInfo.com.Trojan.Nanocore.23.19592.exe
      Source: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Binary or memory string: OriginalFilenameWindowsFormsApplication1.exeT vs SecuriteInfo.com.Trojan.Nanocore.23.19592.exe
      Source: 00000002.00000002.527737978.00000000053E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.527737978.00000000053E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000002.528032005.0000000005680000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.528032005.0000000005680000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000000.00000002.268331034.0000000006E11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.268331034.0000000006E11000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000B.00000002.320412929.00000000029C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.519136465.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000002.00000002.519136465.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000B.00000002.317016768.00000000005C2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0000000B.00000002.317016768.00000000005C2000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000002.00000002.525808934.0000000003D97000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000009.00000002.303915399.0000000006371000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000009.00000002.303915399.0000000006371000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0000000B.00000002.320604650.00000000039C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe PID: 5876, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe PID: 5876, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 3892, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 3892, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe PID: 7160, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe PID: 7160, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: dhcpmon.exe PID: 1284, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: dhcpmon.exe PID: 1284, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.53e0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.53e0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.5680000.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.5680000.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.5680000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.5680000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.5c0000.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 11.2.dhcpmon.exe.5c0000.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 11.2.dhcpmon.exe.5c0000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: dhcpmon.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 11.2.dhcpmon.exe.5c0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 11.2.dhcpmon.exe.5c0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 11.2.dhcpmon.exe.5c0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
      Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/5@24/1
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Code function: 0_2_079B1072 AdjustTokenPrivileges
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Code function: 0_2_079B103B AdjustTokenPrivileges
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Code function: 2_2_050715B2 AdjustTokenPrivileges
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Code function: 2_2_0507157B AdjustTokenPrivileges
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_04B51072 AdjustTokenPrivileges
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_04B5103B AdjustTokenPrivileges
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | File created: C:\Program Files (x86)\DHCP Monitor
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe.log
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{acff71f2-8ba5-4986-af0d-749d374b4532}
      Source: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe
      Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe'
      Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
      Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
      Source: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
      Source: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe, 00000002.00000002.521875809.00000000028F5000.00000004.00000040.sdmp
      Source: Binary string: mscorrc.pdb source: SecuriteInfo.com.Trojan.Nanocore.23.19592.exe, 00000000.00000002.277664211.000000000A9E0000.00000002.00000001.sdmp, SecuriteInfo.com.Trojan.Nanocore.23.19592.exe, 00000002.00000002.527658695.0000000005380000.00000002.00000001.sdmp, dhcpmon.exe, 00000009.00000002.311993561.0000000009A00000.00000002.00000001.sdmp
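The rows above (mutexes, dropped files, parent/child process pairs, Yara hits, registry lookups) are what an analyst actually carries out of a report like this. The following is an added example, not part of the Joe Sandbox report or any Joe Sandbox tooling: a small parser for the plain-text row layout seen here, where the 'Source:' column runs straight into a detail label such as 'Mutant created:' and may carry link text ('Jump to behavior', 'Jump to dropped file') at the end. The sample rows are copied from this report (Yara rule metadata shortened); the label set and the GUID heuristic for the mutex are this example's own assumptions.

```python
"""Extract IOCs from Joe Sandbox-style signature rows (added example)."""
import re
from collections import defaultdict

# Detail labels this example understands; rows with other labels are skipped.
DETAIL_LABELS = ("Mutant created:", "File created:", "Process created:",
                 "Matched rule:", "Key value queried:")
LINK_TEXT = ("Jump to behavior", "Jump to dropped file")   # HTML link residue
GUID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")
# First '.exe' followed by whitespace ends the image path; the rest is the command line.
PROC_RE = re.compile(r"^(?P<image>.+?\.exe)\s+(?P<cmdline>.+)$", re.IGNORECASE)
ROW_RE = re.compile(
    r"^\s*Source:\s*(?P<source>.*?)\s*\|?\s*(?P<label>"
    + "|".join(re.escape(label) for label in DETAIL_LABELS)
    + r")\s*(?P<detail>.*?)\s*$")

# Rows copied from the report above, in the run-together form the page shows.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{acff71f2-8ba5-4986-af0d-749d374b4532}",
    r"Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe'",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeJump to behavior",
    r"Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to behavior",
    r"Source: 00000002.00000002.527737978.00000000053E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, author = Florian Roth",
    r"Source: 00000000.00000002.268331034.0000000006E11000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, author = Kevin Breen",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32Jump to behavior",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file",
]


def parse_row(line):
    """Split one row into (source, label, detail), or None if it is not a row."""
    m = ROW_RE.match(line)
    if not m:
        return None
    detail = m.group("detail")
    for text in LINK_TEXT:                 # strip trailing link residue
        if detail.endswith(text):
            detail = detail[:-len(text)].rstrip()
    return m.group("source"), m.group("label"), detail


def extract_iocs(lines):
    """Group rows into IOC buckets; order is preserved, duplicates dropped."""
    iocs = defaultdict(list)
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        source, label, detail = row
        if label == "Mutant created:":
            iocs["mutexes"].append(detail)
            guid = GUID_RE.search(detail)   # GUID-named mutex: the sample's own, not a runtime one
            if guid:
                iocs["guid_mutexes"].append(guid.group(0))
        elif label == "File created:":
            iocs["files_created"].append(detail)
            if detail.lower().endswith(".exe"):
                iocs["dropped_pe"].append(detail)
        elif label == "Process created:":
            pm = PROC_RE.match(detail)
            if pm:
                iocs["process_tree"].append((source, pm.group("image")))
        elif label == "Matched rule:":
            iocs["yara_rules"].append(detail.split()[0])
        elif label == "Key value queried:":
            iocs["registry"].append(detail)
    for key, values in list(iocs.items()):
        iocs[key] = list(dict.fromkeys(values))
    iocs["yara_rules"] = sorted(iocs.get("yara_rules", []))
    return dict(iocs)


if __name__ == "__main__":
    for bucket, values in extract_iocs(SAMPLE_ROWS).items():
        print(bucket)
        for value in values:
            print("   ", value)
```

The mutex bucket is worth a second look before it goes into a blocklist: `Global\.net clr networking` is a runtime-level name that benign .NET applications also create, so the GUID-named `Global\{acff71f2-...}` mutex is the one to pivot on. The process tree comes out as (parent, child) pairs, which makes the self-spawn of both the dropper and `dhcpmon.exe` (the suspended-process injection the report flags) visible without the screenshot.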

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 11.2.dhcpmon.exe.5c0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 11.2.dhcpmon.exe.5c0000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003du003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Code function: 0_2_05497137 push E8FFFFFFh; iretd 0_2_05497148
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_024A7137 push E8FFFFFFh; iretd 9_2_024A7148
      Source: initial sample | Static PE information: section name: .text entropy: 7.83533554297
      Source: initial sample | Static PE information: section name: .text entropy: 7.83533554297
      Source: 11.2.dhcpmon.exe.5c0000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 11.2.dhcpmon.exe.5c0000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | File opened: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe | Process information set: NOOPENFILEERRORBOX (31 identical entries)
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Nanocore.23.19592.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOX
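When a behaviour table like the one above is pasted out of the sandbox UI, the process path is fused onto the signature text and every individual event is listed on its own line. The following helper is an added example, not part of the Joe Sandbox report or of the sample's code: it parses lines in exactly that fused format, drops the "Jump to behavior" link residue, and counts each (process, flag) pair so a long run of identical entries collapses into one line with a count. The sample lines are constructed to match the two processes in this report; the third process path and its FAILCRITICALERRORS flag are hypothetical and included only to show that other SetErrorMode values are handled.

```python
import re
from collections import Counter

# Joe Sandbox behaviour line as it survives HTML extraction:
#   Source: <process path>Process information set: <FLAG>[Jump to behavior]
# The path runs straight into "Process information set", so capture it lazily
# up to that marker. The flag is anchored so that the optional trailing
# "Jump to behavior" is never swallowed into it.
LINE_RE = re.compile(
    r"Source:\s*(?P<path>.+?)\s*Process information set:\s*"
    r"(?P<flag>[A-Z_]+?)(?:Jump to behavior)?\s*$"
)


def parse_line(line):
    """Return (process_path, flag) for one behaviour line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("path").strip(), m.group("flag")


def summarise(lines):
    """Count identical (process, flag) events so repeated entries collapse into one row."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            counts[parsed] += 1
    return counts


def render(counts):
    """Produce one cleaned line per (process, flag) pair, with the occurrence count."""
    rows = []
    for (path, flag), n in sorted(counts.items()):
        rows.append(f"Source: {path}  Process information set: {flag}  (x{n})")
    return rows


# Constructed input matching the format of the report above. The first two
# processes are the ones in this report; the third path and flag are hypothetical.
SAMPLE_LINES = (
    ["Source: C:\\Users\\user\\Desktop\\SecuriteInfo.com.Trojan.Nanocore.23.19592.exe"
     "Process information set: NOOPENFILEERRORBOXJump to behavior"] * 3
    + ["Source: C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe"
       "Process information set: NOOPENFILEERRORBOXJump to behavior"] * 2
    + ["Source: C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe"
       "Process information set: NOOPENFILEERRORBOX"]
    + ["Source: C:\\Windows\\hypothetical.exe"
       "Process information set: FAILCRITICALERRORSJump to behavior"]
    + ["Signatures section header that should be ignored"]
)

if __name__ == "__main__":
    for row in render(summarise(SAMPLE_LINES)):
        print(row)
```

Run it over the copied behaviour section and the 71 lines above reduce to two rows; any line that is not a "Process information set" event is skipped rather than miscounted.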