
Analysis Report Quotation ATB-PR28500KINH.exe

Overview

General Information

Sample Name: Quotation ATB-PR28500KINH.exe
Analysis ID: 321011
MD5: d17a52d8263a29f0afffc30761720be6
SHA1: ff9fa32a78a32e735ea679041af9346947c0e6de
SHA256: 96a34a59ffd94ac128d876e672507847b2ca5261b5819ae1db1402ff641375ad
Tags: exe

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match

Startup

  • System is w10x64
  • Quotation ATB-PR28500KINH.exe (PID: 6964 cmdline: 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' MD5: D17A52D8263A29F0AFFFC30761720BE6)
    • Quotation ATB-PR28500KINH.exe (PID: 5776 cmdline: Quotation ATB-PR28500KINH.exe MD5: D17A52D8263A29F0AFFFC30761720BE6)
      • schtasks.exe (PID: 1556 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6444 cmdline: 'schtasks.exe' /delete /f /tn 'DHCP Monitor' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6668 cmdline: 'schtasks.exe' /delete /f /tn 'DHCP Monitor Task' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5264 cmdline: 'cmd.exe' /C taskkill /f /im 'Quotation ATB-PR28500KINH.exe' & ping -n 1 -w 3000 1.1.1.1 & type nul > 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' & del /f /q 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 5476 cmdline: taskkill /f /im 'Quotation ATB-PR28500KINH.exe' MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
        • PING.EXE (PID: 5704 cmdline: ping -n 1 -w 3000 1.1.1.1 MD5: 70C24A306F768936563ABDADB9CA9108)
  • Quotation ATB-PR28500KINH.exe (PID: 5904 cmdline: 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' 0 MD5: D17A52D8263A29F0AFFFC30761720BE6)
    • WerFault.exe (PID: 6796 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5904 -s 7804 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.140.53.139"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
    • 0x4b59d:$a: NanoCore
    • 0x4b5f6:$a: NanoCore
    • 0x4b633:$a: NanoCore
    • 0x4b6ac:$a: NanoCore
    • 0x5ed57:$a: NanoCore
    • 0x5ed6c:$a: NanoCore
    • 0x5eda1:$a: NanoCore
    • 0x77d3b:$a: NanoCore
    • 0x77d50:$a: NanoCore
    • 0x77d85:$a: NanoCore
    • 0x4b5ff:$b: ClientPlugin
    • 0x4b63c:$b: ClientPlugin
    • 0x4bf3a:$b: ClientPlugin
    • 0x4bf47:$b: ClientPlugin
    • 0x5eb13:$b: ClientPlugin
    • 0x5eb2e:$b: ClientPlugin
    • 0x5eb5e:$b: ClientPlugin
    • 0x5ed75:$b: ClientPlugin
    • 0x5edaa:$b: ClientPlugin
    • 0x77af7:$b: ClientPlugin
    • 0x77b12:$b: ClientPlugin
00000003.00000002.836886578.0000000007450000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x350b:$x1: NanoCore.ClientPluginHost
    • 0x3525:$x2: IClientNetworkHost
00000003.00000002.836886578.0000000007450000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0x350b:$x2: NanoCore.ClientPluginHost
    • 0x52b6:$s4: PipeCreated
    • 0x34f8:$s5: IClientLoggingHost
00000003.00000002.830299030.0000000004BE3000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(48 further memory-dump matches are not shown in this excerpt)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.Quotation ATB-PR28500KINH.exe.7450000.10.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x170b:$x1: NanoCore.ClientPluginHost
    • 0x1725:$x2: IClientNetworkHost
3.2.Quotation ATB-PR28500KINH.exe.7450000.10.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0x170b:$x2: NanoCore.ClientPluginHost
    • 0x34b6:$s4: PipeCreated
    • 0x16f8:$s5: IClientLoggingHost
3.2.Quotation ATB-PR28500KINH.exe.7410000.8.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x6da5:$x1: NanoCore.ClientPluginHost
    • 0x6dd2:$x2: IClientNetworkHost
3.2.Quotation ATB-PR28500KINH.exe.7410000.8.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
    • 0x6da5:$x2: NanoCore.ClientPluginHost
    • 0x7d74:$s2: FileCommand
    • 0xc776:$s4: PipeCreated
    • 0x6dbf:$s5: IClientLoggingHost
3.2.Quotation ATB-PR28500KINH.exe.7490000.12.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
    • 0x41ee:$x1: NanoCore.ClientPluginHost
    • 0x422b:$x2: IClientNetworkHost
(35 further unpacked-PE matches are not shown in this excerpt)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe, ProcessId: 5776, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: Quotation ATB-PR28500KINH.exe, ParentImage: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe, ParentProcessId: 5776, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp', ProcessId: 1556
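The process tree in the Startup section and the two Sigma hits above record the same three host-side behaviours: a scheduled task registered from an XML file in the user's Temp directory, the NanoCore run.dat marker written under a GUID-named folder in AppData\Roaming, and a cmd.exe chain that kills the original process, uses ping as a delay, truncates the dropper and deletes it. The Python below is an added example, not part of the Joe Sandbox report, showing how those behaviours can be expressed as checks over process-creation (EventID 1) and file-creation (EventID 11) telemetry. The event dictionaries are a constructed, simplified stand-in for Sysmon records: the PIDs, image paths and command lines are copied from this report, the two benign control events and the field layout are assumptions.

```python
import re

# Constructed, simplified Sysmon-style events (EventID 1 = process create,
# EventID 11 = file create). PIDs, images and command lines are copied from the
# report's process tree and Sigma hits; the last two events are made-up benign
# controls. The flat dict layout is an assumption, not real Sysmon XML.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1556, "ParentProcessId": 5776,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp'"},
    {"EventID": 11, "ProcessId": 5776,
     "Image": r"C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    {"EventID": 1, "ProcessId": 5264, "ParentProcessId": 5776,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": (r"'cmd.exe' /C taskkill /f /im 'Quotation ATB-PR28500KINH.exe' & ping -n 1 -w 3000 1.1.1.1"
                     r" & type nul > 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'"
                     r" & del /f /q 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'")},
    # benign controls (constructed): a task registered from a non-temp XML, an ordinary file write
    {"EventID": 1, "ProcessId": 4242, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /create /tn Backup /xml C:\ProgramData\Backup\task.xml"},
    {"EventID": 11, "ProcessId": 900, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\notes.lnk"},
]

TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
# one argument, quoted with ' (as Joe renders it), with ", or bare
QUOTED_ARG = r"(?:'([^']+)'|\"([^\"]+)\"|(\S+))"
XML_ARG = re.compile(r"/xml\s+" + QUOTED_ARG, re.I)
IM_ARG = re.compile(r"/im\s+" + QUOTED_ARG, re.I)
# NanoCore marker: <Roaming>\<GUID>\run.dat, braces around the GUID optional
RUN_DAT = re.compile(
    r"\\AppData\\Roaming\\\{?[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}?\\run\.dat$", re.I)


def _first(match):
    """Return whichever alternative of QUOTED_ARG captured the argument."""
    return next(g for g in match.groups() if g is not None)


def rule_schtasks_xml_from_temp(ev):
    """schtasks /create reading its task definition from a temp directory."""
    if ev.get("EventID") != 1 or not ev["Image"].lower().endswith("schtasks.exe"):
        return None
    cmd = ev["CommandLine"]
    m = XML_ARG.search(cmd)
    if "/create" in cmd.lower() and m and TEMP_DIR.search(_first(m)):
        return f"task XML read from temp path {_first(m)}"
    return None


def rule_nanocore_run_dat(ev):
    """run.dat created under a GUID-named folder in AppData\\Roaming."""
    if ev.get("EventID") == 11 and RUN_DAT.search(ev["TargetFilename"]):
        return f"run.dat created under GUID-named Roaming dir by {ev['Image']}"
    return None


def rule_self_delete_chain(ev):
    """cmd.exe that taskkills an image and then dels that same image."""
    if ev.get("EventID") != 1 or not ev["Image"].lower().endswith("cmd.exe"):
        return None
    cmd = ev["CommandLine"]
    m = IM_ARG.search(cmd)
    if "taskkill" not in cmd.lower() or m is None:
        return None
    name = _first(m)
    # the killed image must also be the target of a later del in the same chain
    if not re.search(r"\bdel\b[^&]*" + re.escape(name), cmd, re.I):
        return None
    pause = " (ping used as a delay)" if "ping " in cmd.lower() else ""
    return f"taskkill+del of {name}{pause}"


RULES = {
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "nanocore_run_dat": rule_nanocore_run_dat,
    "self_delete_chain": rule_self_delete_chain,
}


def detect(events):
    """Run every rule over every event; return one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for name, fn in RULES.items():
            detail = fn(ev)
            if detail:
                alerts.append({"rule": name, "pid": ev["ProcessId"], "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Each rule returns a detail string rather than a boolean so that the alert carries the matched artifact (the XML path, the killed image name) for triage. The self-delete rule requires the same image name in both the taskkill /im argument and the del target, which keeps it from firing on unrelated taskkill-then-del maintenance scripts; the run.dat check is deliberately narrow to the GUID-folder layout seen in this report.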

Signature Overview

AV Detection:

Found malware configuration
Source: Quotation ATB-PR28500KINH.exe.5776.3.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["185.140.53.139"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Yara detected Nanocore RAT
Source: Yara match | File source: 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.830299030.0000000004BE3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.831344680.0000000004D5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.827301666.0000000003311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.835358110.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5776, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6964, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5904, type: MEMORY
Source: Yara match | File source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\4esd | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Quotation ATB-PR28500KINH.exe | Joe Sandbox ML: detected
Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

Networking:

Uses ping.exe to check the status of other devices and networks
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
Source: global traffic | TCP traffic: 192.168.2.4:49746 -> 185.140.53.139:1430
Source: Joe Sandbox View | IP Address: 1.1.1.1
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG
Source: unknown | DNS traffic detected: queries for: petroleum.sytes.net
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
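The Malware Configuration section gives the C2 address the extractor pulled from memory, and the Networking section shows the resulting connection to 185.140.53.139 on TCP port 1430 and a DNS query for petroleum.sytes.net (the report lists both but does not state that the name resolves to that address). As an added example that is not part of the Joe Sandbox report, the Python below turns the extractor's JSON (whose keys carry a trailing ': ') into a normalised IOC set and runs it over constructed Zeek-style conn.log and dns.log lines. The addresses, port, client address and domain are taken from this report; the reduced log column layout, timestamps, UIDs, the benign lines and the dynamic-DNS suffix list are assumptions.

```python
import ipaddress
import json

# Extracted configuration exactly as the report's Malware Configuration
# Extractor prints it (note the ': ' inside the key names).
EXTRACTED_CONFIG = '{"C2: ": ["185.140.53.139"], "Version: ": "NanoCore Client, Version=1.2.2.0"}'

# Constructed Zeek-style log lines, tab-separated and reduced to the columns
# used here: ts, uid, src, sport, dst, dport, proto (conn) and
# ts, uid, src, query, qtype (dns). The C2 address, port 1430, the sandbox
# client 192.168.2.4 and the petroleum.sytes.net query come from the report;
# timestamps, UIDs and the benign lines are made up.
CONN_LOG = """\
1605000000.1\tCabc1\t192.168.2.4\t49746\t185.140.53.139\t1430\ttcp
1605000001.2\tCabc2\t192.168.2.4\t49750\t1.1.1.1\t0\ticmp
1605000002.3\tCabc3\t192.168.2.4\t49760\t93.184.216.34\t443\ttcp
"""
DNS_LOG = """\
1605000000.0\tDabc1\t192.168.2.4\tpetroleum.sytes.net\tA
1605000002.0\tDabc2\t192.168.2.4\texample.com\tA
"""

# Assumption: a small starter list of dynamic-DNS suffixes; extend for production use.
DYNDNS_SUFFIXES = (".sytes.net", ".no-ip.org", ".ddns.net", ".duckdns.org", ".hopto.org")


def normalize_config(raw):
    """Map the extractor's JSON to {'c2': [...], 'version': str}, stripping ': ' key noise."""
    data = json.loads(raw)
    norm = {k.strip(" :").lower(): v for k, v in data.items()}
    return {"c2": list(norm.get("c2", [])), "version": norm.get("version", "")}


def c2_addresses(config):
    """Split configured C2 entries into IP literals and host names."""
    ips, hosts = set(), set()
    for entry in config["c2"]:
        host, _, _port = entry.partition(":")  # tolerate host:port entries; this config had none
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            hosts.add(host.lower())
    return ips, hosts


def scan_conn_log(text, ips):
    """Flag connections whose destination is a configured C2 address."""
    hits = []
    for line in text.splitlines():
        _ts, uid, _src, _sport, dst, dport, _proto = line.split("\t")
        if dst in ips:
            hits.append({"uid": uid, "dst": dst, "dport": int(dport), "reason": "C2 address from config"})
    return hits


def scan_dns_log(text, hosts):
    """Flag queries for configured C2 host names or for dynamic-DNS domains."""
    hits = []
    for line in text.splitlines():
        _ts, uid, _src, query, _qtype = line.split("\t")
        q = query.lower()
        if q in hosts:
            hits.append({"uid": uid, "query": q, "reason": "C2 host from config"})
        elif q.endswith(DYNDNS_SUFFIXES):
            hits.append({"uid": uid, "query": q, "reason": "dynamic DNS domain"})
    return hits


def triage(raw_config, conn_log, dns_log):
    """Build IOCs from the extracted config and apply them to both logs."""
    cfg = normalize_config(raw_config)
    ips, hosts = c2_addresses(cfg)
    return {"version": cfg["version"], "conn": scan_conn_log(conn_log, ips), "dns": scan_dns_log(dns_log, hosts)}


if __name__ == "__main__":
    print(json.dumps(triage(EXTRACTED_CONFIG, CONN_LOG, DNS_LOG), indent=2))
```

The conn.log hit carries the destination port so that the non-standard port 1430 the report flags is visible in the alert without a second lookup. The dynamic-DNS check is what catches the name the sample resolved, which the extracted config alone may not reveal when a build points at an IP literal.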

E-Banking Fraud:

Yara detected Nanocore RAT
Source: the same memory-dump and unpacked-PE Yara matches listed under AV Detection above.

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.836886578.0000000007450000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000003.00000002.830299030.0000000004BE3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.831344680.0000000004D5A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.837010195.0000000007490000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000003.00000002.836861456.0000000007440000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.836791554.0000000007410000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.835558421.0000000006320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000003.00000002.836910738.0000000007460000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.834879559.00000000059A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000003.00000002.835358110.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5776, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5776, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6964, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6964, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5904, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5904, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Quotation ATB-PR28500KINH.exe.7450000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7410000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7490000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7490000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.6320000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7460000.11.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7440000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7410000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Quotation ATB-PR28500KINH.exe.7460000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7450000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.59a0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.6320000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7440000.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
      Initial sample is a PE file and has a suspicious nameShow sources
      Source: initial sampleStatic PE information: Filename: Quotation ATB-PR28500KINH.exe
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 0_2_00746ED10_2_00746ED1
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_00F86ED13_2_00F86ED1
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_0311E4713_2_0311E471
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_0311E4803_2_0311E480
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_0311BBD43_2_0311BBD4
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_05CDEC593_2_05CDEC59
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_05CDF8D03_2_05CDF8D0
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_05CD85783_2_05CD8578
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_05CD86463_2_05CD8646
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_05CD12C03_2_05CD12C0
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_05CD02403_2_05CD0240
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_05CDD2583_2_05CDD258
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_05CDBD603_2_05CDBD60
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_05CD8F733_2_05CD8F73
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_05CDC9783_2_05CDC978
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_05CD79703_2_05CD7970
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_05CD88C83_2_05CD88C8
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_05CDCA363_2_05CDCA36
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_074BAF683_2_074BAF68
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_074B75483_2_074B7548
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_074B6C783_2_074B6C78
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_074B03783_2_074B0378
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_074B00403_2_074B0040
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_074B25F03_2_074B25F0
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_074B09203_2_074B0920
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_074B69303_2_074B6930
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 3_2_074B00FE3_2_074B00FE
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeCode function: 7_2_008E6ED17_2_008E6ED1
      Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5904 -s 7804
      Source: Quotation ATB-PR28500KINH.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: 4esd.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: HJdyTuap.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.836297647.0000000005660000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameINFmfMfZgCqnbcnu.bounce.exe4 vs Quotation ATB-PR28500KINH.exe
      Source: Quotation ATB-PR28500KINH.exe, 00000003.00000003.716656516.00000000017D8000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
      Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
      Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs Quotation ATB-PR28500KINH.exe
      Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
      Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Quotation ATB-PR28500KINH.exe
      Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
      Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
      Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
      Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Quotation ATB-PR28500KINH.exe
      Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs Quotation ATB-PR28500KINH.exe
      Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
      Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.835818804.0000000006560000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Quotation ATB-PR28500KINH.exe
      Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.826732674.00000000016FA000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Quotation ATB-PR28500KINH.exe
      Source: Quotation ATB-PR28500KINH.exe, 00000007.00000002.806393399.0000000005700000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameINFmfMfZgCqnbcnu.bounce.exe4 vs Quotation ATB-PR28500KINH.exe
      Source: Quotation ATB-PR28500KINH.exe, 00000007.00000002.805904969.0000000005300000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs Quotation ATB-PR28500KINH.exe
      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: sfc.dll
      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: phoneinfo.dll
      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: ext-ms-win-xblauth-console-l1.dll
      Source: 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.836886578.0000000007450000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.836886578.0000000007450000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000003.00000002.830299030.0000000004BE3000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.831344680.0000000004D5A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.837010195.0000000007490000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.837010195.0000000007490000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000003.00000002.836861456.0000000007440000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.836861456.0000000007440000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.836791554.0000000007410000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.836791554.0000000007410000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.835558421.0000000006320000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.835558421.0000000006320000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000003.00000002.836910738.0000000007460000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.836910738.0000000007460000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.834879559.00000000059A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.834879559.00000000059A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000003.00000002.835358110.0000000005CB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.835358110.0000000005CB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5776, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5776, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6964, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6964, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5904, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5904, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7450000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7450000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7410000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7410000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7490000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7490000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7490000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7490000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.6320000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.6320000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7460000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7460000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7440000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7440000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7410000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7410000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7460000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7460000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7450000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7450000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.59a0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.59a0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.6320000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.6320000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7440000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7440000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Quotation ATB-PR28500KINH.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 4esd.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: HJdyTuap.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: classification engineClassification label: mal100.troj.adwa.evad.winEXE@45818/14@1/3
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeFile created: C:\Users\user\AppData\Roaming\4esd
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1744:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6492:120:WilError_01
      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5904
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_01
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeMutant created: \Sessions\1\BaseNamedObjects\Startup_shellcode_006
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{c7093f5f-20e4-4efa-a2b8-e96b9af4ad8c}
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeFile created: C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp
      Source: Quotation ATB-PR28500KINH.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Quotation ATB-PR28500KINH.exe")
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File read: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
      Source: unknown | Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
      Source: unknown | Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Quotation ATB-PR28500KINH.exe
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' 0
      Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5904 -s 7804
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor Task'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C taskkill /f /im 'Quotation ATB-PR28500KINH.exe' & ping -n 1 -w 3000 1.1.1.1 & type nul > 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' & del /f /q 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
      Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Quotation ATB-PR28500KINH.exe
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp'
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: Quotation ATB-PR28500KINH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: Quotation ATB-PR28500KINH.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: (PGo0C:\Windows\mscorlib.pdb source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.836776558.00000000072CC000.00000004.00000010.sdmp
      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.836393028.0000000006A70000.00000004.00000001.sdmp
      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.836393028.0000000006A70000.00000004.00000001.sdmp
      Source: Binary string: System.pdb" source: WerFault.exe, 0000000C.00000003.764619043.0000000004F42000.00000004.00000001.sdmp
      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.755396910.0000000000DCE000.00000004.00000001.sdmp
      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
      Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
      Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000C.00000002.794748527.00000000051C0000.00000004.00000001.sdmp
      Source: Binary string: powrprof.pdbO source: WerFault.exe, 0000000C.00000003.764146679.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000C.00000003.754559178.0000000000DC3000.00000004.00000001.sdmp
      Source: Binary string: profapi.pdb4 source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: clr.pdb source: WerFault.exe, 0000000C.00000003.764739559.0000000005010000.00000004.00000040.sdmp
      Source: Binary string: oleaut32.pdb* source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.pdbi source: WerFault.exe, 0000000C.00000003.764262805.0000000004F42000.00000004.00000001.sdmp
      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.764739559.0000000005010000.00000004.00000040.sdmp
      Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
      Source: Binary string: mscorlib.ni.pdbL source: WerFault.exe, 0000000C.00000003.764262805.0000000004F42000.00000004.00000001.sdmp
      Source: Binary string: shell32.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.764739559.0000000005010000.00000004.00000040.sdmp
      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.755538728.0000000000DD4000.00000004.00000001.sdmp
      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000C.00000003.764619043.0000000004F42000.00000004.00000001.sdmp, WERD2B1.tmp.dmp.12.dr
      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: i.pdb source: WerFault.exe, 0000000C.00000003.764684181.0000000005023000.00000004.00000040.sdmp
      Source: Binary string: gdiplus.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000C.00000002.794748527.00000000051C0000.00000004.00000001.sdmp
      Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
      Source: Binary string: System.pdbx source: WerFault.exe, 0000000C.00000002.794748527.00000000051C0000.00000004.00000001.sdmp
      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.754559178.0000000000DC3000.00000004.00000001.sdmp
      Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: profapi.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: WindowsCodecs.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.764739559.0000000005010000.00000004.00000040.sdmp
      Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: symbols\dll\mscorlib.pdb source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.836776558.00000000072CC000.00000004.00000010.sdmp
      Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.ni.pdb" source: WerFault.exe, 0000000C.00000003.764619043.0000000004F42000.00000004.00000001.sdmp
      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
      Source: Binary string: System.ni.pdbRSDS source: WERD2B1.tmp.dmp.12.dr
      Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
      Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.pdb2 source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.827053234.00000000017CF000.00000004.00000001.sdmp
      Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.ni.pdbRSDS source: WERD2B1.tmp.dmp.12.dr
      Source: Binary string: msctf.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: ole32.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: version.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: System.pdb source: WerFault.exe, 0000000C.00000003.764619043.0000000004F42000.00000004.00000001.sdmp, WERD2B1.tmp.dmp.12.dr
      Source: Binary string: System.ni.pdbj source: WerFault.exe, 0000000C.00000003.764414638.0000000005023000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000C.00000002.794748527.00000000051C0000.00000004.00000001.sdmp
      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.764739559.0000000005010000.00000004.00000040.sdmp
      Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: psapi.pdb source: WerFault.exe, 0000000C.00000003.764684181.0000000005023000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000000C.00000003.764619043.0000000004F42000.00000004.00000001.sdmp, WERD2B1.tmp.dmp.12.dr
      Source: Binary string: System.pdbL source: WerFault.exe, 0000000C.00000003.764262805.0000000004F42000.00000004.00000001.sdmp
      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
      Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.755538728.0000000000DD4000.00000004.00000001.sdmp
      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
      Source: Binary string: System.Drawing.pdb source: WerFault.exe, 0000000C.00000003.764684181.0000000005023000.00000004.00000040.sdmp, WERD2B1.tmp.dmp.12.dr
      Source: Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: