Analysis Report Inv200232A.exe

Overview

General Information

Sample Name: Inv200232A.exe
Analysis ID: 280487
MD5: 226ab9fc487672edcf6d0f8ab5362fb5
SHA1: 76de591f6dde502e5702c4fbcc30e523ae4d563c
SHA256: 50b1b95d0cdad9d20c9b958a282f20b2335cbbb68718475fbdb94752addb8a07

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Inv200232A.exe (PID: 6880 cmdline: 'C:\Users\user\Desktop\Inv200232A.exe' MD5: 226AB9FC487672EDCF6D0F8AB5362FB5)
    • schtasks.exe (PID: 6944 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aTngXNkno' /XML 'C:\Users\user\AppData\Local\Temp\tmp71DF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Inv200232A.exe (PID: 6992 cmdline: C:\Users\user\Desktop\Inv200232A.exe MD5: 226AB9FC487672EDCF6D0F8AB5362FB5)
      • schtasks.exe (PID: 7028 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7F8B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 7084 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp824C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • Inv200232A.exe (PID: 7100 cmdline: C:\Users\user\Desktop\Inv200232A.exe 0 MD5: 226AB9FC487672EDCF6D0F8AB5362FB5)
    • schtasks.exe (PID: 6104 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aTngXNkno' /XML 'C:\Users\user\AppData\Local\Temp\tmp945C.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Inv200232A.exe (PID: 6320 cmdline: C:\Users\user\Desktop\Inv200232A.exe MD5: 226AB9FC487672EDCF6D0F8AB5362FB5)
  • dhcpmon.exe (PID: 1460 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 226AB9FC487672EDCF6D0F8AB5362FB5)
  • dhcpmon.exe (PID: 6476 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 226AB9FC487672EDCF6D0F8AB5362FB5)
    • schtasks.exe (PID: 5508 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aTngXNkno' /XML 'C:\Users\user\AppData\Local\Temp\tmpB8AC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • dhcpmon.exe (PID: 5544 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 226AB9FC487672EDCF6D0F8AB5362FB5)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["38.25.63.10"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.248007892.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.248007892.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000C.00000002.248007892.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000011.00000002.265755308.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000011.00000002.265755308.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(60 further memory-dump matches not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
17.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
17.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
17.2.dhcpmon.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
17.2.dhcpmon.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
12.2.Inv200232A.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(3 further unpacked-PE matches not shown)

        Sigma Overview

        System Summary:

        Sigma detected: NanoCore
        Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Inv200232A.exe, ProcessId: 6992, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
        Sigma detected: Scheduled temp file as task from temp location
        Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aTngXNkno' /XML 'C:\Users\user\AppData\Local\Temp\tmp71DF.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aTngXNkno' /XML 'C:\Users\user\AppData\Local\Temp\tmp71DF.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Inv200232A.exe' , ParentImage: C:\Users\user\Desktop\Inv200232A.exe, ParentProcessId: 6880, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aTngXNkno' /XML 'C:\Users\user\AppData\Local\Temp\tmp71DF.tmp', ProcessId: 6944
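The Sigma hit above fires on a pattern that is easy to reproduce in your own process-creation telemetry: schtasks.exe run with /create and an /xml task definition staged in a temp directory, which is how this sample registers the 'Updates\aTngXNkno' and 'DHCP Monitor' tasks. The following detector is an added example, not part of this report or of the Sigma rule itself. It runs over constructed events modelled on the Startup tree (the field names pid, image and cmd, the benign control event and the list of temp-location markers are assumptions, not taken from the report), handles both the /Create /TN ... /XML and /create /f /tn ... /xml spellings, and tolerates single, double or missing quotes around arguments.

```python
import ntpath
import re
from typing import Iterable

# Constructed process-creation events modelled on the Startup tree in this report.
# The fields mirror what a Sysmon EventID 1 or Security 4688 record would carry.
SAMPLE_EVENTS = [
    {"pid": 6944, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aTngXNkno' /XML 'C:\Users\user\AppData\Local\Temp\tmp71DF.tmp'"},
    {"pid": 7028, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7F8B.tmp'"},
    {"pid": 7084, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r"'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp824C.tmp'"},
    {"pid": 6952, "image": r"C:\Windows\system32\conhost.exe",
     "cmd": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    # Constructed benign control: an administrator registering a task from a non-temp XML.
    {"pid": 4242, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'},
]

# Staging locations a legitimate installer has no reason to write task XML to
# (assumed list; extend it for your environment).
TEMP_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
)

# "/tn <value>" and "/xml <value>" with single, double or no quotes, case-insensitive
# (the report shows both /Create /TN and /create /tn).
_ARG = re.compile(r"""/(?P<key>tn|xml)\s+(?:'(?P<sq>[^']*)'|"(?P<dq>[^"]*)"|(?P<bare>\S+))""", re.I)


def parse_schtasks_args(cmd: str) -> dict:
    """Return {'tn': ..., 'xml': ...} for whichever of those switches appear in cmd."""
    out = {}
    for m in _ARG.finditer(cmd):
        out[m.group("key").lower()] = m.group("sq") or m.group("dq") or m.group("bare")
    return out


def is_temp_path(path: str) -> bool:
    """True when the path sits under one of the temp markers (case-insensitive)."""
    low = path.lower()
    return any(marker in low for marker in TEMP_MARKERS)


def detect_temp_xml_tasks(events: Iterable[dict]) -> list:
    """Flag schtasks /create invocations whose /xml task definition lives in a temp location."""
    hits = []
    for ev in events:
        if ntpath.basename(ev["image"]).lower() != "schtasks.exe":
            continue
        if not re.search(r"/create\b", ev["cmd"], re.I):
            continue
        args = parse_schtasks_args(ev["cmd"])
        xml = args.get("xml")
        if xml and is_temp_path(xml):
            hits.append({"pid": ev["pid"], "task": args.get("tn"), "xml": xml})
    return hits


if __name__ == "__main__":
    for hit in detect_temp_xml_tasks(SAMPLE_EVENTS):
        print(f"PID {hit['pid']}: task {hit['task']!r} registered from {hit['xml']}")
```

The image check uses the process image rather than the command line because the sample invokes schtasks both by full path and as a bare 'schtasks.exe'; the three malicious registrations are flagged and the conhost.exe child and the benign control are not.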

        Signature Overview

        AV Detection:

        Found malware configuration
        Source: Inv200232A.exe.6992.3.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["38.25.63.10"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
        Multi AV Scanner detection for dropped file
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Virustotal: Detection: 19%
        Source: C:\Users\user\AppData\Roaming\aTngXNkno.exe | Virustotal: Detection: 19%
        Multi AV Scanner detection for submitted file
        Source: Inv200232A.exe | Virustotal: Detection: 19%
        Yara detected Nanocore RAT
        Source: Yara match | File source: 0000000C.00000002.248007892.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.265755308.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.238863827.00000000041D4000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.267583628.0000000004109000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.213661423.00000000039F9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.253476803.0000000004074000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.215422816.0000000003CB4000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.267443845.0000000003101000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.250208868.0000000003E99000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.238135835.0000000003F19000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000009.00000002.234501340.0000000003729000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.249987869.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.250863709.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Inv200232A.exe PID: 6880, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6476, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Inv200232A.exe PID: 7100, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5544, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Inv200232A.exe PID: 6320, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 1460, type: MEMORY
        Source: Yara match | File source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.Inv200232A.exe.400000.0.unpack, type: UNPACKEDPE
        Machine Learning detection for dropped file
        Source: C:\Users\user\AppData\Roaming\aTngXNkno.exe | Joe Sandbox ML: detected
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
        Machine Learning detection for sample
        Source: Inv200232A.exe | Joe Sandbox ML: detected
        Antivirus or Machine Learning detection for unpacked file
        Source: 17.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
        Source: 12.2.Inv200232A.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
        Found inlined nop instructions (likely shell or obfuscated code)
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 8_2_0612C570
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 8_2_0612C560
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 9_2_05ADA827
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 9_2_05ADA838
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 14_2_05F7C530
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 14_2_05F7C521

        Networking:

        Uses dynamic DNS services
        Source: unknown | DNS query: name: benardsmith8.duckdns.org
        Source: unknown | DNS traffic detected: query: benardsmith8.duckdns.org, reply code: Name error (3)
        Source: unknown | DNS traffic detected: queries for: benardsmith8.duckdns.org
        Source: Inv200232A.exe, 00000000.00000002.213661423.00000000039F9000.00000004.00000001.sdmp, Inv200232A.exe, 00000008.00000002.238135835.0000000003F19000.00000004.00000001.sdmp, dhcpmon.exe, 00000009.00000002.234501340.0000000003729000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.250863709.0000000003DB9000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.microsP
        Source: Inv200232A.exe, 00000000.00000002.213213793.00000000029F1000.00000004.00000001.sdmp, Inv200232A.exe, 00000008.00000002.234355001.0000000002F11000.00000004.00000001.sdmp, dhcpmon.exe, 00000009.00000002.229077746.0000000002721000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000002.249443318.0000000002DB1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Creates a DirectInput object (often for capturing keystrokes)
        Source: dhcpmon.exe, 00000009.00000002.228169904.0000000000A78000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
        Installs a raw input device (often for capturing keystrokes)
        Source: Inv200232A.exe, 0000000C.00000002.250208868.0000000003E99000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
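Two network signatures in this report are worth turning into resolver-log detections: the C2 hostname sits under a dynamic-DNS zone (duckdns.org), and every lookup for it came back NXDOMAIN ("Name error (3)"), which the report flags as expired-dropper behaviour. The script below is an added example, not part of this report. It parses a constructed resolver log (the "<timestamp> <client> <qname> <rcode>" layout, the timestamps, client addresses and the non-duckdns lines are made up; only the repeated failed lookups for benardsmith8.duckdns.org mirror what the sandbox observed), flags any query under a dynamic-DNS provider, and separately flags a (client, name) pair whose lookups all failed at least a threshold number of times. The provider list is an assumption to be extended with local telemetry.

```python
from collections import defaultdict

# Dynamic-DNS zones commonly used for RAT command-and-control. Assumed starting
# list, not an exhaustive one: extend it from your own telemetry.
DDNS_SUFFIXES = (
    "duckdns.org", "no-ip.org", "no-ip.com", "ddns.net", "hopto.org", "zapto.org",
)

# Constructed resolver log, one "<timestamp> <client> <qname> <rcode>" record per line.
# The three NXDOMAIN answers for the sample's C2 name mirror this report; everything
# else (timestamps, clients, the other names) is made up for the example.
SAMPLE_DNS_LOG = """\
2020-09-14T08:01:03Z 10.0.0.25 benardsmith8.duckdns.org NXDOMAIN
2020-09-14T08:01:08Z 10.0.0.25 benardsmith8.duckdns.org NXDOMAIN
2020-09-14T08:01:13Z 10.0.0.25 benardsmith8.duckdns.org NXDOMAIN
2020-09-14T08:01:14Z 10.0.0.25 www.microsoft.com NOERROR
2020-09-14T08:02:40Z 10.0.0.31 printer.corp.exmaple NXDOMAIN
2020-09-14T08:03:02Z 10.0.0.31 build.hopto.org NOERROR
"""


def is_dynamic_dns(qname: str) -> bool:
    """True when qname is, or is a subdomain of, a known dynamic-DNS zone."""
    q = qname.lower().rstrip(".")
    # Match on label boundaries so "notduckdns.org" does not count as duckdns.org.
    return any(q == s or q.endswith("." + s) for s in DDNS_SUFFIXES)


def parse_dns_log(text: str) -> list:
    """Split the constructed log into records, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "rcode": rcode.upper()})
    return records


def analyze_dns(text: str, nx_threshold: int = 3) -> list:
    """One finding per (client, qname) that uses dynamic DNS and/or never resolves."""
    total = defaultdict(int)
    nxdomain = defaultdict(int)
    for r in parse_dns_log(text):
        key = (r["client"], r["qname"])
        total[key] += 1
        if r["rcode"] == "NXDOMAIN":
            nxdomain[key] += 1

    findings = []
    for (client, qname), n in sorted(total.items()):
        nx = nxdomain[(client, qname)]
        reasons = []
        if is_dynamic_dns(qname):
            reasons.append("dynamic_dns")
        # Every lookup failed and there were enough of them to rule out a typo:
        # the name is unregistered or taken down, the "expired dropper" pattern.
        if nx >= nx_threshold and nx == n:
            reasons.append("repeated_nxdomain")
        if reasons:
            findings.append({"client": client, "qname": qname, "queries": n,
                             "nxdomain": nx, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_dns(SAMPLE_DNS_LOG):
        print(f"{f['client']} -> {f['qname']}: {', '.join(f['reasons'])} "
              f"({f['nxdomain']}/{f['queries']} NXDOMAIN)")
```

A single NXDOMAIN is far too common to alert on, so the repeated-failure reason only fires when all lookups for the pair failed and the count reaches the threshold; the dynamic-DNS reason fires regardless of the answer, since a live C2 name resolving successfully is the more dangerous case.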

        E-Banking Fraud:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 0000000C.00000002.248007892.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.265755308.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.238863827.00000000041D4000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.267583628.0000000004109000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.213661423.00000000039F9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.253476803.0000000004074000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.215422816.0000000003CB4000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000011.00000002.267443845.0000000003101000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.250208868.0000000003E99000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000008.00000002.238135835.0000000003F19000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000009.00000002.234501340.0000000003729000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000C.00000002.249987869.0000000002E91000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 0000000E.00000002.250863709.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Inv200232A.exe PID: 6880, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6476, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Inv200232A.exe PID: 7100, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5544, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Inv200232A.exe PID: 6320, type: MEMORY
        Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 1460, type: MEMORY
        Source: Yara match | File source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 12.2.Inv200232A.exe.400000.0.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 0000000C.00000002.248007892.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0000000C.00000002.248007892.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.265755308.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000011.00000002.265755308.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.238863827.00000000041D4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000008.00000002.238863827.00000000041D4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.267583628.0000000004109000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.213661423.00000000039F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000000.00000002.213661423.00000000039F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.253476803.0000000004074000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0000000E.00000002.253476803.0000000004074000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.215422816.0000000003CB4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000000.00000002.215422816.0000000003CB4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000011.00000002.267443845.0000000003101000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.250208868.0000000003E99000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.238135835.0000000003F19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000008.00000002.238135835.0000000003F19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000002.234501340.0000000003729000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000009.00000002.234501340.0000000003729000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.249987869.0000000002E91000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.250863709.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0000000E.00000002.250863709.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Inv200232A.exe PID: 6880, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: Process Memory Space: Inv200232A.exe PID: 6880, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6476, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6476, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Inv200232A.exe PID: 7100, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: Process Memory Space: Inv200232A.exe PID: 7100, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 5544, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 5544, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Inv200232A.exe PID: 6320, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: Process Memory Space: Inv200232A.exe PID: 6320, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 1460, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 1460, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.Inv200232A.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 12.2.Inv200232A.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Detected potential crypto function
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 0_2_00EE94A8
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 0_2_00EEC3A0
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 0_2_00EEA758
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 0_2_05C06C78
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 0_2_05C0C581
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 0_2_05C04607
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 0_2_05C06140
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 0_2_05C06150
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 0_2_05C02273
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 0_2_05C06C6A
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 0_2_00522AB5
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 8_2_0112C148
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 8_2_0112A758
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 8_2_05506F78
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 8_2_05506F68
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 8_2_05503B41
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 8_2_05503B78
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 8_2_05503B67
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 8_2_06126C78
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 8_2_0612D160
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 8_2_06124607
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 8_2_06126C6A
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 8_2_06122273
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 8_2_06126150
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 8_2_06126140
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 8_2_00A12AB5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_027094A8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_0270C3A0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_0270A758
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_05AD6C78
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_05ADB1F8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_05AD6C6B
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_05AD4607
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_05AD6140
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_05AD6150
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_05AD2273
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_002B2AB5
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 12_2_013CE471
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 12_2_013CE480
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 12_2_013CBBD4
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 12_2_05503E30
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 12_2_05504A50
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 12_2_05504B08
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 12_2_00AB2AB5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_0118C3A0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_0118A758
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_05F7D130
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_05F76C78
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_05F74607
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_05F76150
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_05F76140
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_05F72273
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_05F76C6A
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_00872AB5
        Sample file is different than original file name gathered from version info
        Source: Inv200232A.exe, 00000000.00000002.219684556.00000000063F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Inv200232A.exe
        Source: Inv200232A.exe, 00000000.00000002.219684556.00000000063F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Inv200232A.exe
        Source: Inv200232A.exe, 00000000.00000002.213213793.00000000029F1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBillie.dll< vs Inv200232A.exe
        Source: Inv200232A.exe, 00000000.00000002.218759901.00000000062F0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Inv200232A.exe
        Source: Inv200232A.exe, 00000000.00000002.215422816.0000000003CB4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCrashReportClient.exeD vs Inv200232A.exe
        Source: Inv200232A.exe, 00000000.00000000.199167077.00000000005C0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameeQxO.exe8 vs Inv200232A.exe
        Source: Inv200232A.exe, 00000003.00000000.207387480.00000000006F0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameeQxO.exe8 vs Inv200232A.exe
        Source: Inv200232A.exe, 00000008.00000000.214822064.0000000000AB0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameeQxO.exe8 vs Inv200232A.exe
        Source: Inv200232A.exe, 00000008.00000002.243338224.0000000006730000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Inv200232A.exe
        Source: Inv200232A.exe, 00000008.00000002.242585454.0000000006010000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCrashReportClient.exeD vs Inv200232A.exe
        Source: Inv200232A.exe, 00000008.00000002.234548931.0000000002F96000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBillie.dll< vs Inv200232A.exe
        Source: Inv200232A.exe, 00000008.00000002.231075857.000000000115A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Inv200232A.exe
        Source: Inv200232A.exe, 00000008.00000002.243561444.0000000006820000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Inv200232A.exe
        Source: Inv200232A.exe, 00000008.00000002.243561444.0000000006820000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Inv200232A.exe
        Source: Inv200232A.exe, 0000000C.00000000.226562626.0000000000B50000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameeQxO.exe8 vs Inv200232A.exe
        Source: Inv200232A.exe, 0000000C.00000002.250208868.0000000003E99000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Inv200232A.exe
        Source: Inv200232A.exe, 0000000C.00000002.250208868.0000000003E99000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs Inv200232A.exe
        Source: Inv200232A.exe, 0000000C.00000002.250208868.0000000003E99000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Inv200232A.exe
        Source: Inv200232A.exe, 0000000C.00000002.253331750.00000000054D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs Inv200232A.exe
        Source: Inv200232A.exe | Binary or memory string: OriginalFilenameeQxO.exe8 vs Inv200232A.exe
        Source: 0000000C.00000002.248007892.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.248007892.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.265755308.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000011.00000002.265755308.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.238863827.00000000041D4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.238863827.00000000041D4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.267583628.0000000004109000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.213661423.00000000039F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.213661423.00000000039F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.253476803.0000000004074000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.253476803.0000000004074000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.215422816.0000000003CB4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.215422816.0000000003CB4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000011.00000002.267443845.0000000003101000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.250208868.0000000003E99000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.238135835.0000000003F19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.238135835.0000000003F19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.234501340.0000000003729000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000002.234501340.0000000003729000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.249987869.0000000002E91000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.250863709.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.250863709.0000000003DB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Inv200232A.exe PID: 6880, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Inv200232A.exe PID: 6880, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6476, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6476, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Inv200232A.exe PID: 7100, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Inv200232A.exe PID: 7100, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 5544, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 5544, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Inv200232A.exe PID: 6320, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Inv200232A.exe PID: 6320, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 1460, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 1460, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 17.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.Inv200232A.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.Inv200232A.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.Inv200232A.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Inv200232A.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: aTngXNkno.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: dhcpmon.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 12.2.Inv200232A.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 12.2.Inv200232A.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 12.2.Inv200232A.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@25/13@100/2
        Source: C:\Users\user\Desktop\Inv200232A.exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\Inv200232A.exe | File created: C:\Users\user\AppData\Roaming\aTngXNkno.exe
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6248:120:WilError_01
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_01
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Mutant created: \Sessions\1\BaseNamedObjects\SWGwEg
        Source: C:\Users\user\Desktop\Inv200232A.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{e8de1022-16ce-4ebc-8610-8034477395ef}
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_01
        Source: C:\Users\user\Desktop\Inv200232A.exe | File created: C:\Users\user\AppData\Local\Temp\tmp71DF.tmp
        Source: Inv200232A.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Inv200232A.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Inv200232A.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\Inv200232A.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\Desktop\Inv200232A.exe | File read: C:\Windows\System32\drivers\etc\hosts
        Source: Inv200232A.exe | Virustotal: Detection: 19%
        Source: C:\Users\user\Desktop\Inv200232A.exe | File read: C:\Users\user\Desktop\Inv200232A.exe
        Source: unknown | Process created: C:\Users\user\Desktop\Inv200232A.exe 'C:\Users\user\Desktop\Inv200232A.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aTngXNkno' /XML 'C:\Users\user\AppData\Local\Temp\tmp71DF.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\Inv200232A.exe C:\Users\user\Desktop\Inv200232A.exe
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7F8B.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp824C.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\Inv200232A.exe C:\Users\user\Desktop\Inv200232A.exe 0
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aTngXNkno' /XML 'C:\Users\user\AppData\Local\Temp\tmp945C.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\Inv200232A.exe C:\Users\user\Desktop\Inv200232A.exe
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aTngXNkno' /XML 'C:\Users\user\AppData\Local\Temp\tmpB8AC.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\Inv200232A.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aTngXNkno' /XML 'C:\Users\user\AppData\Local\Temp\tmp71DF.tmp'
        Source: C:\Users\user\Desktop\Inv200232A.exe | Process created: C:\Users\user\Desktop\Inv200232A.exe C:\Users\user\Desktop\Inv200232A.exe
        Source: C:\Users\user\Desktop\Inv200232A.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp7F8B.tmp'
        Source: C:\Users\user\Desktop\Inv200232A.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp824C.tmp'
        Source: C:\Users\user\Desktop\Inv200232A.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aTngXNkno' /XML 'C:\Users\user\AppData\Local\Temp\tmp945C.tmp'
        Source: C:\Users\user\Desktop\Inv200232A.exe | Process created: C:\Users\user\Desktop\Inv200232A.exe C:\Users\user\Desktop\Inv200232A.exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aTngXNkno' /XML 'C:\Users\user\AppData\Local\Temp\tmpB8AC.tmp'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\Inv200232A.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\Inv200232A.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: Inv200232A.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: Inv200232A.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Inv200232A.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb^ source: Inv200232A.exe, 00000003.00000003.337597128.0000000000D77000.00000004.00000001.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 12.2.Inv200232A.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 12.2.Inv200232A.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Binary contains a suspicious time stamp
        Source: initial sample | Static PE information: 0x82DF97EF [Sun Jul 31 02:18:23 2039 UTC]
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 0_2_005270EF push es; retf 0000h | 0_2_005270FE
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 8_2_00A170EF push es; retf 0000h | 8_2_00A170FE
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 8_2_0550623C push C400005Eh; ret | 8_2_05506241
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 8_2_0550622C push 3000005Eh; ret | 8_2_05506231
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 8_2_0612B4AF push es; iretd | 8_2_0612B4D4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_002B70EF push es; retf 0000h | 9_2_002B70FE
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 12_2_00AB70EF push es; retf 0000h | 12_2_00AB70FE
        Source: C:\Users\user\Desktop\Inv200232A.exe | Code function: 12_2_05506E56 push dword ptr [edx+ebp*2-75h]; iretd | 12_2_05506E5F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 14_2_008770EF push es; retf 0000h | 14_2_008770FE
        Source: initial sample | Static PE information: section name: .text entropy: 7.64222906411
        Source: 12.2.Inv200232A.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 12.2.Inv200232A.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\Inv200232A.exe | File created: C:\Users\user\AppData\Roaming\aTngXNkno.exe
        Source: C:\Users\user\Desktop\Inv200232A.exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\aTngXNkno' /XML 'C:\Users\user\AppData\Local\Temp\tmp71DF.tmp'