Play interactive tour

Edit tour

Analysis Report e5bd3238d220c97cd4d6969abb3b33e0

Overview

General Information

Sample Name:	e5bd3238d220c97cd4d6969abb3b33e0 (renamed file extension from none to exe)
Analysis ID:	320085
MD5:	7b00ed250c793c95f4d98c637302fb6f
SHA1:	7f8d0c101fa8c5e875aa76c9a9c139d8800867b3
SHA256:	5108996bad93e37f7f6e003be1edf9dba10a99fafc3894f8d4fd01226e10b0a5
Tags:	NanoCore
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Allocates memory in foreign processes

AutoIt script contains suspicious strings

Binary is likely a compiled AutoIt script file

Contains functionality to inject code into remote processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Uses dynamic DNS services

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains strange resources

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sleep loop found (likely to delay execution)

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

e5bd3238d220c97cd4d6969abb3b33e0.exe (PID: 2152 cmdline: 'C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe' MD5: 7B00ED250C793C95F4D98C637302FB6F)

RegAsm.exe (PID: 4560 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe MD5: 529695608EAFBED00ACA9E61EF333A7C)

dhcpmon.exe (PID: 6488 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 529695608EAFBED00ACA9E61EF333A7C)

conhost.exe (PID: 6508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

DiagnosticsHub.StandardCollector.Service.exe.bat (PID: 6976 cmdline: 'C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat' MD5: E10CD6FAB33374FB1A0002F89D0BFE45)

RegAsm.exe (PID: 7108 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe MD5: 529695608EAFBED00ACA9E61EF333A7C)

cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["255.255.255.255", "87.65.28.27"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23a47:$a: NanoCore 0x23aa0:$a: NanoCore 0x23add:$a: NanoCore 0x23b56:$a: NanoCore 0x23aa9:$b: ClientPlugin 0x23ae6:$b: ClientPlugin 0x243e4:$b: ClientPlugin 0x243f1:$b: ClientPlugin 0x1b2a5:$e: KeepAlive 0x23f31:$g: LogClientMessage 0x23eb1:$i: get_Connected 0x15a79:$j: #=q 0x15aa9:$j: #=q 0x15ae5:$j: #=q 0x15b0d:$j: #=q 0x15b3d:$j: #=q 0x15b6d:$j: #=q 0x15b9d:$j: #=q 0x15bcd:$j: #=q 0x15be9:$j: #=q 0x15c19:$j: #=q
0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x112dd:$x1: NanoCore.ClientPluginHost 0x43ce5:$x1: NanoCore.ClientPluginHost 0x766ed:$x1: NanoCore.ClientPluginHost 0x1131a:$x2: IClientNetworkHost 0x43d22:$x2: IClientNetworkHost 0x7672a:$x2: IClientNetworkHost 0x14e4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x47855:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7a25d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x11045:$a: NanoCore 0x11055:$a: NanoCore 0x11289:$a: NanoCore 0x1129d:$a: NanoCore 0x112dd:$a: NanoCore 0x43a4d:$a: NanoCore 0x43a5d:$a: NanoCore 0x43c91:$a: NanoCore 0x43ca5:$a: NanoCore 0x43ce5:$a: NanoCore 0x76455:$a: NanoCore 0x76465:$a: NanoCore 0x76699:$a: NanoCore 0x766ad:$a: NanoCore 0x766ed:$a: NanoCore 0x110a4:$b: ClientPlugin 0x112a6:$b: ClientPlugin 0x112e6:$b: ClientPlugin 0x43aac:$b: ClientPlugin 0x43cae:$b: ClientPlugin 0x43cee:$b: ClientPlugin
0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfc2d:$x1: NanoCore.ClientPluginHost 0xfc6a:$x2: IClientNetworkHost 0x1379d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf995:$a: NanoCore 0xf9a5:$a: NanoCore 0xfbd9:$a: NanoCore 0xfbed:$a: NanoCore 0xfc2d:$a: NanoCore 0xf9f4:$b: ClientPlugin 0xfbf6:$b: ClientPlugin 0xfc36:$b: ClientPlugin 0xfb1b:$c: ProjectData 0x10522:$d: DESCrypto 0x17eee:$e: KeepAlive 0x15edc:$g: LogClientMessage 0x120d7:$i: get_Connected 0x10858:$j: #=q 0x10888:$j: #=q 0x108a4:$j: #=q 0x108d4:$j: #=q 0x108f0:$j: #=q 0x1090c:$j: #=q 0x1093c:$j: #=q 0x10958:$j: #=q
0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x101a5:$x1: NanoCore.ClientPluginHost 0x101e2:$x2: IClientNetworkHost 0x13d15:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xff0d:$a: NanoCore 0xff1d:$a: NanoCore 0x10151:$a: NanoCore 0x10165:$a: NanoCore 0x101a5:$a: NanoCore 0xff6c:$b: ClientPlugin 0x1016e:$b: ClientPlugin 0x101ae:$b: ClientPlugin 0x10093:$c: ProjectData 0x10a9a:$d: DESCrypto 0x18466:$e: KeepAlive 0x16454:$g: LogClientMessage 0x1264f:$i: get_Connected 0x10dd0:$j: #=q 0x10e00:$j: #=q 0x10e1c:$j: #=q 0x10e4c:$j: #=q 0x10e68:$j: #=q 0x10e84:$j: #=q 0x10eb4:$j: #=q 0x10ed0:$j: #=q
0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf2dd:$x1: NanoCore.ClientPluginHost 0xf31a:$x2: IClientNetworkHost 0x12e4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf045:$a: NanoCore 0xf055:$a: NanoCore 0xf289:$a: NanoCore 0xf29d:$a: NanoCore 0xf2dd:$a: NanoCore 0xf0a4:$b: ClientPlugin 0xf2a6:$b: ClientPlugin 0xf2e6:$b: ClientPlugin 0xf1cb:$c: ProjectData 0xfbd2:$d: DESCrypto 0x1759e:$e: KeepAlive 0x1558c:$g: LogClientMessage 0x11787:$i: get_Connected 0xff08:$j: #=q 0xff38:$j: #=q 0xff54:$j: #=q 0xff84:$j: #=q 0xffa0:$j: #=q 0xffbc:$j: #=q 0xffec:$j: #=q 0x10008:$j: #=q
00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1052d:$x1: NanoCore.ClientPluginHost 0x1056a:$x2: IClientNetworkHost 0x1409d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10295:$a: NanoCore 0x102a5:$a: NanoCore 0x104d9:$a: NanoCore 0x104ed:$a: NanoCore 0x1052d:$a: NanoCore 0x102f4:$b: ClientPlugin 0x104f6:$b: ClientPlugin 0x10536:$b: ClientPlugin 0x1041b:$c: ProjectData 0x10e22:$d: DESCrypto 0x187ee:$e: KeepAlive 0x167dc:$g: LogClientMessage 0x129d7:$i: get_Connected 0x11158:$j: #=q 0x11188:$j: #=q 0x111a4:$j: #=q 0x111d4:$j: #=q 0x111f0:$j: #=q 0x1120c:$j: #=q 0x1123c:$j: #=q 0x11258:$j: #=q
00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3cfcd:$x1: NanoCore.ClientPluginHost 0x3d00a:$x2: IClientNetworkHost 0xf00f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x40b3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3cd35:$a: NanoCore 0x3cd45:$a: NanoCore 0x3cf79:$a: NanoCore 0x3cf8d:$a: NanoCore 0x3cfcd:$a: NanoCore 0x3cd94:$b: ClientPlugin 0x3cf96:$b: ClientPlugin 0x3cfd6:$b: ClientPlugin 0x3cebb:$c: ProjectData 0x3d8c2:$d: DESCrypto 0x4528e:$e: KeepAlive 0x11604:$g: LogClientMessage 0x4327c:$g: LogClientMessage 0x3f477:$i: get_Connected 0xc1de:$j: #=q 0xc45d:$j: #=q 0xd419:$j: #=q 0xe32f:$j: #=q 0xe34b:$j: #=q 0xe37b:$j: #=q 0xe397:$j: #=q
00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3cfcd:$x1: NanoCore.ClientPluginHost 0x3d00a:$x2: IClientNetworkHost 0xf00f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x40b3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3cd35:$a: NanoCore 0x3cd45:$a: NanoCore 0x3cf79:$a: NanoCore 0x3cf8d:$a: NanoCore 0x3cfcd:$a: NanoCore 0x3cd94:$b: ClientPlugin 0x3cf96:$b: ClientPlugin 0x3cfd6:$b: ClientPlugin 0x3cebb:$c: ProjectData 0x3d8c2:$d: DESCrypto 0x4528e:$e: KeepAlive 0x11604:$g: LogClientMessage 0x4327c:$g: LogClientMessage 0x3f477:$i: get_Connected 0xc1de:$j: #=q 0xc45d:$j: #=q 0xd419:$j: #=q 0xe32f:$j: #=q 0xe34b:$j: #=q 0xe37b:$j: #=q 0xe397:$j: #=q
00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfb25:$x1: NanoCore.ClientPluginHost 0x4252d:$x1: NanoCore.ClientPluginHost 0xfb62:$x2: IClientNetworkHost 0x4256a:$x2: IClientNetworkHost 0x13695:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4609d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf88d:$a: NanoCore 0xf89d:$a: NanoCore 0xfad1:$a: NanoCore 0xfae5:$a: NanoCore 0xfb25:$a: NanoCore 0x42295:$a: NanoCore 0x422a5:$a: NanoCore 0x424d9:$a: NanoCore 0x424ed:$a: NanoCore 0x4252d:$a: NanoCore 0xf8ec:$b: ClientPlugin 0xfaee:$b: ClientPlugin 0xfb2e:$b: ClientPlugin 0x422f4:$b: ClientPlugin 0x424f6:$b: ClientPlugin 0x42536:$b: ClientPlugin 0xfa13:$c: ProjectData 0x4241b:$c: ProjectData 0x1041a:$d: DESCrypto 0x42e22:$d: DESCrypto 0x17de6:$e: KeepAlive
00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x67225:$x1: NanoCore.ClientPluginHost 0x67262:$x2: IClientNetworkHost 0xd377:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x39267:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6ad95:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x66f8d:$a: NanoCore 0x66f9d:$a: NanoCore 0x671d1:$a: NanoCore 0x671e5:$a: NanoCore 0x67225:$a: NanoCore 0x66fec:$b: ClientPlugin 0x671ee:$b: ClientPlugin 0x6722e:$b: ClientPlugin 0x67113:$c: ProjectData 0x67b1a:$d: DESCrypto 0x6f4e6:$e: KeepAlive 0xf96c:$g: LogClientMessage 0x3b85c:$g: LogClientMessage 0x6d4d4:$g: LogClientMessage 0x696cf:$i: get_Connected 0xa546:$j: #=q 0xa7c5:$j: #=q 0xb781:$j: #=q 0xc697:$j: #=q 0xc6b3:$j: #=q 0xc6e3:$j: #=q
00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x66fcd:$x1: NanoCore.ClientPluginHost 0x6700a:$x2: IClientNetworkHost 0xd11f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3900f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6ab3d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x66d35:$a: NanoCore 0x66d45:$a: NanoCore 0x66f79:$a: NanoCore 0x66f8d:$a: NanoCore 0x66fcd:$a: NanoCore 0x66d94:$b: ClientPlugin 0x66f96:$b: ClientPlugin 0x66fd6:$b: ClientPlugin 0x66ebb:$c: ProjectData 0x678c2:$d: DESCrypto 0x6f28e:$e: KeepAlive 0xf714:$g: LogClientMessage 0x3b604:$g: LogClientMessage 0x6d27c:$g: LogClientMessage 0x69477:$i: get_Connected 0xa2ee:$j: #=q 0xa56d:$j: #=q 0xb529:$j: #=q 0xc43f:$j: #=q 0xc45b:$j: #=q 0xc48b:$j: #=q
00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x33f5:$a: NanoCore 0x344e:$a: NanoCore 0x348b:$a: NanoCore 0x3504:$a: NanoCore 0x16baf:$a: NanoCore 0x16bc4:$a: NanoCore 0x16bf9:$a: NanoCore 0x2f683:$a: NanoCore 0x2f698:$a: NanoCore 0x2f6cd:$a: NanoCore 0x3457:$b: ClientPlugin 0x3494:$b: ClientPlugin 0x3d92:$b: ClientPlugin 0x3d9f:$b: ClientPlugin 0x1696b:$b: ClientPlugin 0x16986:$b: ClientPlugin 0x169b6:$b: ClientPlugin 0x16bcd:$b: ClientPlugin 0x16c02:$b: ClientPlugin 0x2f43f:$b: ClientPlugin 0x2f45a:$b: ClientPlugin
0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfce5:$x1: NanoCore.ClientPluginHost 0xfd22:$x2: IClientNetworkHost 0x13855:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfa4d:$a: NanoCore 0xfa5d:$a: NanoCore 0xfc91:$a: NanoCore 0xfca5:$a: NanoCore 0xfce5:$a: NanoCore 0xfaac:$b: ClientPlugin 0xfcae:$b: ClientPlugin 0xfcee:$b: ClientPlugin 0xfbd3:$c: ProjectData 0x105da:$d: DESCrypto 0x17fa6:$e: KeepAlive 0x15f94:$g: LogClientMessage 0x1218f:$i: get_Connected 0x10910:$j: #=q 0x10940:$j: #=q 0x1095c:$j: #=q 0x1098c:$j: #=q 0x109a8:$j: #=q 0x109c4:$j: #=q 0x109f4:$j: #=q 0x10a10:$j: #=q
00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x493f5:$a: NanoCore 0x4944e:$a: NanoCore 0x4948b:$a: NanoCore 0x49504:$a: NanoCore 0x5cbaf:$a: NanoCore 0x5cbc4:$a: NanoCore 0x5cbf9:$a: NanoCore 0x75683:$a: NanoCore 0x75698:$a: NanoCore 0x756cd:$a: NanoCore 0x49457:$b: ClientPlugin 0x49494:$b: ClientPlugin 0x49d92:$b: ClientPlugin 0x49d9f:$b: ClientPlugin 0x5c96b:$b: ClientPlugin 0x5c986:$b: ClientPlugin 0x5c9b6:$b: ClientPlugin 0x5cbcd:$b: ClientPlugin 0x5cc02:$b: ClientPlugin 0x7543f:$b: ClientPlugin 0x7545a:$b: ClientPlugin
0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf6ed:$x1: NanoCore.ClientPluginHost 0xf72a:$x2: IClientNetworkHost 0x1325d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf455:$a: NanoCore 0xf465:$a: NanoCore 0xf699:$a: NanoCore 0xf6ad:$a: NanoCore 0xf6ed:$a: NanoCore 0xf4b4:$b: ClientPlugin 0xf6b6:$b: ClientPlugin 0xf6f6:$b: ClientPlugin 0xf5db:$c: ProjectData 0xffe2:$d: DESCrypto 0x179ae:$e: KeepAlive 0x1599c:$g: LogClientMessage 0x11b97:$i: get_Connected 0x10318:$j: #=q 0x10348:$j: #=q 0x10364:$j: #=q 0x10394:$j: #=q 0x103b0:$j: #=q 0x103cc:$j: #=q 0x103fc:$j: #=q 0x10418:$j: #=q
0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x141a5:$x1: NanoCore.ClientPluginHost 0x141e2:$x2: IClientNetworkHost 0x17d15:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x13f0d:$a: NanoCore 0x13f1d:$a: NanoCore 0x14151:$a: NanoCore 0x14165:$a: NanoCore 0x141a5:$a: NanoCore 0x13f6c:$b: ClientPlugin 0x1416e:$b: ClientPlugin 0x141ae:$b: ClientPlugin 0x14093:$c: ProjectData 0x14a9a:$d: DESCrypto 0x1c466:$e: KeepAlive 0x1a454:$g: LogClientMessage 0x1664f:$i: get_Connected 0x14dd0:$j: #=q 0x14e00:$j: #=q 0x14e1c:$j: #=q 0x14e4c:$j: #=q 0x14e68:$j: #=q 0x14e84:$j: #=q 0x14eb4:$j: #=q 0x14ed0:$j: #=q
00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf9d5:$x1: NanoCore.ClientPluginHost 0xfa12:$x2: IClientNetworkHost 0x13545:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf73d:$a: NanoCore 0xf74d:$a: NanoCore 0xf981:$a: NanoCore 0xf995:$a: NanoCore 0xf9d5:$a: NanoCore 0xf79c:$b: ClientPlugin 0xf99e:$b: ClientPlugin 0xf9de:$b: ClientPlugin 0xf8c3:$c: ProjectData 0x102ca:$d: DESCrypto 0x17c96:$e: KeepAlive 0x15c84:$g: LogClientMessage 0x11e7f:$i: get_Connected 0x10600:$j: #=q 0x10630:$j: #=q 0x1064c:$j: #=q 0x1067c:$j: #=q 0x10698:$j: #=q 0x106b4:$j: #=q 0x106e4:$j: #=q 0x10700:$j: #=q
0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x111a5:$x1: NanoCore.ClientPluginHost 0x111e2:$x2: IClientNetworkHost 0x14d15:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10f0d:$a: NanoCore 0x10f1d:$a: NanoCore 0x11151:$a: NanoCore 0x11165:$a: NanoCore 0x111a5:$a: NanoCore 0x10f6c:$b: ClientPlugin 0x1116e:$b: ClientPlugin 0x111ae:$b: ClientPlugin 0x11093:$c: ProjectData 0x11a9a:$d: DESCrypto 0x19466:$e: KeepAlive 0x17454:$g: LogClientMessage 0x1364f:$i: get_Connected 0x11dd0:$j: #=q 0x11e00:$j: #=q 0x11e1c:$j: #=q 0x11e4c:$j: #=q 0x11e68:$j: #=q 0x11e84:$j: #=q 0x11eb4:$j: #=q 0x11ed0:$j: #=q
0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.522748241.0000000005210000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000001.00000002.522748241.0000000005210000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3311d:$x1: NanoCore.ClientPluginHost 0x3315a:$x2: IClientNetworkHost 0x36c8d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x32e85:$a: NanoCore 0x32e95:$a: NanoCore 0x330c9:$a: NanoCore 0x330dd:$a: NanoCore 0x3311d:$a: NanoCore 0x32ee4:$b: ClientPlugin 0x330e6:$b: ClientPlugin 0x33126:$b: ClientPlugin 0x3300b:$c: ProjectData 0x33a12:$d: DESCrypto 0x3b3de:$e: KeepAlive 0x393cc:$g: LogClientMessage 0x355c7:$i: get_Connected 0x33d48:$j: #=q 0x33d78:$j: #=q 0x33d94:$j: #=q 0x33dc4:$j: #=q 0x33de0:$j: #=q 0x33dfc:$j: #=q 0x33e2c:$j: #=q 0x33e48:$j: #=q
0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xfafd:$x1: NanoCore.ClientPluginHost 0x42505:$x1: NanoCore.ClientPluginHost 0xfb3a:$x2: IClientNetworkHost 0x42542:$x2: IClientNetworkHost 0x1366d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46075:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf865:$a: NanoCore 0xf875:$a: NanoCore 0xfaa9:$a: NanoCore 0xfabd:$a: NanoCore 0xfafd:$a: NanoCore 0x4226d:$a: NanoCore 0x4227d:$a: NanoCore 0x424b1:$a: NanoCore 0x424c5:$a: NanoCore 0x42505:$a: NanoCore 0xf8c4:$b: ClientPlugin 0xfac6:$b: ClientPlugin 0xfb06:$b: ClientPlugin 0x422cc:$b: ClientPlugin 0x424ce:$b: ClientPlugin 0x4250e:$b: ClientPlugin 0xf9eb:$c: ProjectData 0x423f3:$c: ProjectData 0x103f2:$d: DESCrypto 0x42dfa:$d: DESCrypto 0x17dbe:$e: KeepAlive
0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10225:$x1: NanoCore.ClientPluginHost 0x10262:$x2: IClientNetworkHost 0x13d95:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xff8d:$a: NanoCore 0xff9d:$a: NanoCore 0x101d1:$a: NanoCore 0x101e5:$a: NanoCore 0x10225:$a: NanoCore 0xffec:$b: ClientPlugin 0x101ee:$b: ClientPlugin 0x1022e:$b: ClientPlugin 0x10113:$c: ProjectData 0x10b1a:$d: DESCrypto 0x184e6:$e: KeepAlive 0x164d4:$g: LogClientMessage 0x126cf:$i: get_Connected 0x10e50:$j: #=q 0x10e80:$j: #=q 0x10e9c:$j: #=q 0x10ecc:$j: #=q 0x10ee8:$j: #=q 0x10f04:$j: #=q 0x10f34:$j: #=q 0x10f50:$j: #=q
0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10225:$x1: NanoCore.ClientPluginHost 0x10262:$x2: IClientNetworkHost 0x13d95:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xff8d:$a: NanoCore 0xff9d:$a: NanoCore 0x101d1:$a: NanoCore 0x101e5:$a: NanoCore 0x10225:$a: NanoCore 0xffec:$b: ClientPlugin 0x101ee:$b: ClientPlugin 0x1022e:$b: ClientPlugin 0x10113:$c: ProjectData 0x10b1a:$d: DESCrypto 0x184e6:$e: KeepAlive 0x164d4:$g: LogClientMessage 0x126cf:$i: get_Connected 0x10e50:$j: #=q 0x10e80:$j: #=q 0x10e9c:$j: #=q 0x10ecc:$j: #=q 0x10ee8:$j: #=q 0x10f04:$j: #=q 0x10f34:$j: #=q 0x10f50:$j: #=q
00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3c225:$x1: NanoCore.ClientPluginHost 0x3c262:$x2: IClientNetworkHost 0xe267:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3fd95:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3bf8d:$a: NanoCore 0x3bf9d:$a: NanoCore 0x3c1d1:$a: NanoCore 0x3c1e5:$a: NanoCore 0x3c225:$a: NanoCore 0x3bfec:$b: ClientPlugin 0x3c1ee:$b: ClientPlugin 0x3c22e:$b: ClientPlugin 0x3c113:$c: ProjectData 0x3cb1a:$d: DESCrypto 0x444e6:$e: KeepAlive 0x1085c:$g: LogClientMessage 0x424d4:$g: LogClientMessage 0x3e6cf:$i: get_Connected 0xb436:$j: #=q 0xb6b5:$j: #=q 0xc671:$j: #=q 0xd587:$j: #=q 0xd5a3:$j: #=q 0xd5d3:$j: #=q 0xd5ef:$j: #=q
0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10505:$x1: NanoCore.ClientPluginHost 0x10542:$x2: IClientNetworkHost 0x14075:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1026d:$a: NanoCore 0x1027d:$a: NanoCore 0x104b1:$a: NanoCore 0x104c5:$a: NanoCore 0x10505:$a: NanoCore 0x102cc:$b: ClientPlugin 0x104ce:$b: ClientPlugin 0x1050e:$b: ClientPlugin 0x103f3:$c: ProjectData 0x10dfa:$d: DESCrypto 0x187c6:$e: KeepAlive 0x167b4:$g: LogClientMessage 0x129af:$i: get_Connected 0x11130:$j: #=q 0x11160:$j: #=q 0x1117c:$j: #=q 0x111ac:$j: #=q 0x111c8:$j: #=q 0x111e4:$j: #=q 0x11214:$j: #=q 0x11230:$j: #=q
00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10195:$x1: NanoCore.ClientPluginHost 0x439d5:$x1: NanoCore.ClientPluginHost 0x763dd:$x1: NanoCore.ClientPluginHost 0x101d2:$x2: IClientNetworkHost 0x43a12:$x2: IClientNetworkHost 0x7641a:$x2: IClientNetworkHost 0x13d05:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x47545:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x79f4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfefd:$a: NanoCore 0xff0d:$a: NanoCore 0x10141:$a: NanoCore 0x10155:$a: NanoCore 0x10195:$a: NanoCore 0x4373d:$a: NanoCore 0x4374d:$a: NanoCore 0x43981:$a: NanoCore 0x43995:$a: NanoCore 0x439d5:$a: NanoCore 0x76145:$a: NanoCore 0x76155:$a: NanoCore 0x76389:$a: NanoCore 0x7639d:$a: NanoCore 0x763dd:$a: NanoCore 0xff5c:$b: ClientPlugin 0x1015e:$b: ClientPlugin 0x1019e:$b: ClientPlugin 0x4379c:$b: ClientPlugin 0x4399e:$b: ClientPlugin 0x439de:$b: ClientPlugin
Process Memory Space: RegAsm.exe PID: 4560	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xaf044:$x1: NanoCore.ClientPluginHost 0x1545fd:$x1: NanoCore.ClientPluginHost 0x15a1bc:$x1: NanoCore.ClientPluginHost 0x16b04f:$x1: NanoCore.ClientPluginHost 0x221590:$x1: NanoCore.ClientPluginHost 0x262496:$x1: NanoCore.ClientPluginHost 0x2bc2ea:$x1: NanoCore.ClientPluginHost 0xaf06a:$x2: IClientNetworkHost 0x154623:$x2: IClientNetworkHost 0x15a201:$x2: IClientNetworkHost 0x16b094:$x2: IClientNetworkHost 0x2215f1:$x2: IClientNetworkHost 0x2624bc:$x2: IClientNetworkHost 0x2bc32f:$x2: IClientNetworkHost 0x2269f6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x234968:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegAsm.exe PID: 4560	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 4560	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x40b0c:$a: NanoCore 0xaef36:$a: NanoCore 0xaefd7:$a: NanoCore 0xaf044:$a: NanoCore 0xaf105:$a: NanoCore 0xaffd6:$a: NanoCore 0xb0029:$a: NanoCore 0xb0062:$a: NanoCore 0xb00d5:$a: NanoCore 0x1544ef:$a: NanoCore 0x154590:$a: NanoCore 0x1545fd:$a: NanoCore 0x1546be:$a: NanoCore 0x15558f:$a: NanoCore 0x1555e2:$a: NanoCore 0x15561b:$a: NanoCore 0x15568e:$a: NanoCore 0x15a136:$a: NanoCore 0x15a163:$a: NanoCore 0x15a1bc:$a: NanoCore 0x1619cb:$a: NanoCore
Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5d0e:$x1: NanoCore.ClientPluginHost 0x2461c:$x1: NanoCore.ClientPluginHost 0x42f2a:$x1: NanoCore.ClientPluginHost 0x1cab6a:$x1: NanoCore.ClientPluginHost 0x26ca50:$x1: NanoCore.ClientPluginHost 0x2e181f:$x1: NanoCore.ClientPluginHost 0x3a6ada:$x1: NanoCore.ClientPluginHost 0x425d1a:$x1: NanoCore.ClientPluginHost 0x45fd08:$x1: NanoCore.ClientPluginHost 0x47e790:$x1: NanoCore.ClientPluginHost 0x4a74f4:$x1: NanoCore.ClientPluginHost 0x51f9b3:$x1: NanoCore.ClientPluginHost 0x53e2c1:$x1: NanoCore.ClientPluginHost 0x5fdbc3:$x1: NanoCore.ClientPluginHost 0x61ce14:$x1: NanoCore.ClientPluginHost 0x65ccfb:$x1: NanoCore.ClientPluginHost 0x692ea6:$x1: NanoCore.ClientPluginHost 0x5d6f:$x2: IClientNetworkHost 0x2467d:$x2: IClientNetworkHost 0x42f8b:$x2: IClientNetworkHost 0x1cabcb:$x2: IClientNetworkHost
Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5813:$a: NanoCore 0x582f:$a: NanoCore 0x598a:$a: NanoCore 0x5999:$a: NanoCore 0x5c72:$a: NanoCore 0x5c9e:$a: NanoCore 0x5d0e:$a: NanoCore 0x15750:$a: NanoCore 0x15762:$a: NanoCore 0x1579e:$a: NanoCore 0x24121:$a: NanoCore 0x2413d:$a: NanoCore 0x24298:$a: NanoCore 0x242a7:$a: NanoCore 0x24580:$a: NanoCore 0x245ac:$a: NanoCore 0x2461c:$a: NanoCore 0x3405e:$a: NanoCore 0x34070:$a: NanoCore 0x340ac:$a: NanoCore 0x42a2f:$a: NanoCore
Process Memory Space: RegAsm.exe PID: 7108	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xda5d:$x1: NanoCore.ClientPluginHost 0x29e5f:$x1: NanoCore.ClientPluginHost 0x2fa1e:$x1: NanoCore.ClientPluginHost 0x4089b:$x1: NanoCore.ClientPluginHost 0x50ab9:$x1: NanoCore.ClientPluginHost 0xda83:$x2: IClientNetworkHost 0x29e85:$x2: IClientNetworkHost 0x2fa63:$x2: IClientNetworkHost 0x408e0:$x2: IClientNetworkHost 0x50b1a:$x2: IClientNetworkHost 0x55f1f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x63e91:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegAsm.exe PID: 7108	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 7108	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xd34:$a: NanoCore 0xdb9:$a: NanoCore 0xea4:$a: NanoCore 0xd94f:$a: NanoCore 0xd9f0:$a: NanoCore 0xda5d:$a: NanoCore 0xdb1e:$a: NanoCore 0xe9ef:$a: NanoCore 0xea42:$a: NanoCore 0xea7b:$a: NanoCore 0xeaee:$a: NanoCore 0x10073:$a: NanoCore 0x1037d:$a: NanoCore 0x1039b:$a: NanoCore 0x103dd:$a: NanoCore 0x10414:$a: NanoCore 0x10432:$a: NanoCore 0x29d51:$a: NanoCore 0x29df2:$a: NanoCore 0x29e5f:$a: NanoCore 0x29f20:$a: NanoCore
Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x92b24:$x1: NanoCore.ClientPluginHost 0xef9b0:$x1: NanoCore.ClientPluginHost 0x10e2bf:$x1: NanoCore.ClientPluginHost 0x14c181:$x1: NanoCore.ClientPluginHost 0x18a2f8:$x1: NanoCore.ClientPluginHost 0x1a9828:$x1: NanoCore.ClientPluginHost 0x204a47:$x1: NanoCore.ClientPluginHost 0x225a2c:$x1: NanoCore.ClientPluginHost 0x288491:$x1: NanoCore.ClientPluginHost 0x31ffbf:$x1: NanoCore.ClientPluginHost 0x33eca9:$x1: NanoCore.ClientPluginHost 0x35d5b7:$x1: NanoCore.ClientPluginHost 0x92b85:$x2: IClientNetworkHost 0xefa11:$x2: IClientNetworkHost 0x10e320:$x2: IClientNetworkHost 0x14c1e2:$x2: IClientNetworkHost 0x18a359:$x2: IClientNetworkHost 0x1a9889:$x2: IClientNetworkHost 0x204aa8:$x2: IClientNetworkHost 0x225a8d:$x2: IClientNetworkHost 0x2884f2:$x2: IClientNetworkHost
Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x11321:$a: NanoCore 0x30798:$a: NanoCore 0x58a3f:$a: NanoCore 0x92629:$a: NanoCore 0x92645:$a: NanoCore 0x927a0:$a: NanoCore 0x927af:$a: NanoCore 0x92a88:$a: NanoCore 0x92ab4:$a: NanoCore 0x92b24:$a: NanoCore 0xa2566:$a: NanoCore 0xa2578:$a: NanoCore 0xa25b4:$a: NanoCore 0xb06b3:$a: NanoCore 0xcfa7e:$a: NanoCore 0xef4b5:$a: NanoCore 0xef4d1:$a: NanoCore 0xef62c:$a: NanoCore 0xef63b:$a: NanoCore 0xef914:$a: NanoCore 0xef940:$a: NanoCore
Click to see the 96 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.RegAsm.exe.5210000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
1.2.RegAsm.exe.5210000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.RegAsm.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.RegAsm.exe.54b0000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
1.2.RegAsm.exe.54b0000.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
1.2.RegAsm.exe.54b0000.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.RegAsm.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.RegAsm.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.RegAsm.exe.54b0000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
1.2.RegAsm.exe.54b0000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
1.2.RegAsm.exe.54b0000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Click to see the 19 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe, ProcessId: 4560, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Avira: detected
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Avira: detection malicious, Label: HEUR/AGEN.1100084
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Avira: detection malicious, Label: HEUR/AGEN.1100084

Found malware configuration

Show sources

Source: RegAsm.exe.7108.14.memstr	Malware Configuration Extractor: NanoCore {"C2: ": ["255.255.255.255", "87.65.28.27"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Source: RegAsm.exe.7108.14.memstr	Malware Configuration Extractor: NanoCore {"C2: ": ["255.255.255.255", "87.65.28.27"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Multi AV Scanner detection for submitted file

Show sources

Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	ReversingLabs: Detection: 68%
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	ReversingLabs: Detection: 68%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY
Source: Yara match	File source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY
Source: Yara match	File source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY
Source: Yara match	File source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.54b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.54b0000.5.unpack, type: UNPACKEDPE

Source: 1.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.RegAsm.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A24696 GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2C93C FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2F65E FindFirstFileW,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A24696 GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A23D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2C93C FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A2F65E FindFirstFileW,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A23A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009E4696 GetFileAttributesW,FindFirstFileW,FindClose,
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009E3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009EF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009EF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009EF65E FindFirstFileW,Sleep,FindNextFileW,FindClose,
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009EC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009EC93C FindFirstFileW,FindClose,
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009E3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_009EBF27 FindFirstFileW,FindNextFileW,FindClose,

Networking:

Uses dynamic DNS services

Show sources

Source: unknown	DNS query: name: windowslivesoffice.ddns.net
Source: unknown	DNS query: name: windowslivesoffice.ddns.net

Source: global traffic	TCP traffic: 192.168.2.7:49715 -> 87.65.28.27:20377
Source: global traffic	TCP traffic: 192.168.2.7:49715 -> 87.65.28.27:20377

Source: Joe Sandbox View	IP Address: 87.65.28.27 87.65.28.27
Source: Joe Sandbox View	IP Address: 87.65.28.27 87.65.28.27

Source: Joe Sandbox View	ASN Name: PROXIMUS-ISP-ASBE PROXIMUS-ISP-ASBE
Source: Joe Sandbox View	ASN Name: PROXIMUS-ISP-ASBE PROXIMUS-ISP-ASBE

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A325E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A325E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

Source: unknown	DNS traffic detected: queries for: windowslivesoffice.ddns.net
Source: unknown	DNS traffic detected: queries for: windowslivesoffice.ddns.net

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A3425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A3425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A3425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A3425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A20219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A20219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

Source: RegAsm.exe, 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp	Binary or memory string: RegisterRawInputDevices
Source: RegAsm.exe, 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp	Binary or memory string: RegisterRawInputDevices

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A4CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: 0_2_00A4CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,
Source: C:\Users\user\hdwwiz\DiagnosticsHub.StandardCollector.Service.exe.bat	Code function: 12_2_00A0CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY
Source: Yara match	File source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY
Source: Yara match	File source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY
Source: Yara match	File source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.54b0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.RegAsm.exe.54b0000.5.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.522748241.0000000005210000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.RegAsm.exe.5210000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.RegAsm.exe.54b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.RegAsm.exe.54b0000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.323661021.00000000030F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.307122093.0000000000E1F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.302592144.0000000000ED7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.332037940.0000000000CDD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.330103349.0000000000E21000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.255245662.0000000001569000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.254485711.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.254593335.00000000015B3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.254905980.0000000001537000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.256228628.00000000040B2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.302680442.0000000000E4D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.254259059.0000000001589000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.521308096.0000000003B97000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.329404748.0000000000E53000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.514055091.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.323744315.00000000040F1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.329250116.0000000000E86000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.307023573.0000000000BD2000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.330336797.0000000000CD9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000003.254233252.0000000001613000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.330604075.0000000000CDC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.322393731.0000000000402000.00000020.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.522748241.0000000005210000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.517282808.00000000014E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.305764787.0000000000EEB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.305449343.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.305334763.0000000000EA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.522934984.00000000054B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.304708669.0000000000E78000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000003.306011034.0000000000F1D000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.517388290.00000000015DF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 4560, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: DiagnosticsHub.StandardCollector.Service.exe.bat PID: 6976, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 7108, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: e5bd3238d220c97cd4d6969abb3b33e0.exe PID: 2152, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.RegAsm.exe.5210000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.3.e5bd3238d220c97cd4d6969abb3b33e0.exe.40b0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.RegAsm.exe.54b0000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 12.3.DiagnosticsHub.StandardCollector.Service.exe.bat.bd0000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.RegAsm.exe.54b0000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

AutoIt script contains suspicious strings

Show sources

Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	AutoIt Script: 1 = 38669117 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	AutoIt Script: 792303 THEN LOCAL $LPSHELLCODE = $E ($B (ZVTZJDNXH
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	AutoIt Script: 1 = 38669117 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	AutoIt Script: 792303 THEN LOCAL $LPSHELLCODE = $E ($B (ZVTZJDNXH
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	AutoIt Script: 1 = 38669117 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	AutoIt Script: 792303 THEN LOCAL $LPSHELLCODE = $E ($B (ZVTZJDNXH
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	AutoIt Script: 1 = 38669117 THEN $BIN_SHELLCODE &= ZVTZJDNXHRPQQIM
Source: DiagnosticsHub.StandardCollector.Service.exe.bat.0.dr	AutoIt Script: 792303 THEN LOCAL $LPSHELLCODE = $E ($B (ZVTZJDNXH

Binary is likely a compiled AutoIt script file

Show sources

Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: This is a third-party compiled AutoIt script.
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: C:\Users\user\Desktop\e5bd3238d220c97cd4d6969abb3b33e0.exe	Code function: This is a third-party compiled AutoIt script.
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: e5bd3238d220c97cd4d6969abb3b33e0.exe, 00000000.00000000.249216138.0000000000A75000.00000002.00020000.sdmp	String found

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report e5bd3238d220c97cd4d6969abb3b33e0

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary: