
Analysis Report Quotation ATB-PR28500KINH.exe

Overview

General Information

Sample Name: Quotation ATB-PR28500KINH.exe
Analysis ID: 321077
MD5: 5a6b8a02021146dbe686b9a5eb628d9a
SHA1: 7dc888c1f8a38a4a7385f666fcee60bab258a869
SHA256: 7fa804f096ed67a239a1fa164ba4a63f06b6fd52f3163c82f096cc12082acca9
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Yara signature match

Startup

  • System is w10x64
  • Quotation ATB-PR28500KINH.exe (PID: 6620 cmdline: 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' MD5: 5A6B8A02021146DBE686B9A5EB628D9A)
    • RegAsm.exe (PID: 6880 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • RegAsm.exe (PID: 6916 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
      • schtasks.exe (PID: 7012 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp21A1.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 7036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Quotation ATB-PR28500KINH.exe (PID: 6988 cmdline: 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' MD5: 5A6B8A02021146DBE686B9A5EB628D9A)
      • RegAsm.exe (PID: 7048 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 6FD7592411112729BF6B1F2F6C34899F)
  • RegAsm.exe (PID: 7088 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 0 MD5: 6FD7592411112729BF6B1F2F6C34899F)
    • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x6b44f:$a: NanoCore
  • 0x6b4a8:$a: NanoCore
  • 0x6b4e5:$a: NanoCore
  • 0x6b55e:$a: NanoCore
  • 0x6b4b1:$b: ClientPlugin
  • 0x6b4ee:$b: ClientPlugin
  • 0x6bdec:$b: ClientPlugin
  • 0x6bdf9:$b: ClientPlugin
  • 0x615ba:$e: KeepAlive
  • 0x6b939:$g: LogClientMessage
  • 0x6b8b9:$i: get_Connected
  • 0x5b885:$j: #=q
  • 0x5b8b5:$j: #=q
  • 0x5b8f1:$j: #=q
  • 0x5b919:$j: #=q
  • 0x5b949:$j: #=q
  • 0x5b979:$j: #=q
  • 0x5b9a9:$j: #=q
  • 0x5b9d9:$j: #=q
  • 0x5b9f5:$j: #=q
  • 0x5ba25:$j: #=q
00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
(43 entries in total; only the first are shown here.)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.RegAsm.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.RegAsm.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
4.2.RegAsm.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
4.2.RegAsm.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(19 entries in total; only the first are shown here.)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 6916, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp21A1.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp21A1.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 6916, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp21A1.tmp', ProcessId: 7012

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Quotation ATB-PR28500KINH.exe; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe; Avira: detection malicious, Label: TR/AD.Nanocore.bbyez
Source: C:\Users\user\AppData\Roaming\5thncv; Avira: detection malicious, Label: TR/AD.Nanocore.bbyez
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\5thncv; ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: Quotation ATB-PR28500KINH.exe; ReversingLabs: Detection: 27%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.315860307.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.507695159.0000000003291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 6916, type: MEMORY
Source: Yara match; File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6620, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORY
Source: Yara match; File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6988, type: MEMORY
Source: Yara match; File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 18.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegAsm.exe.68a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.RegAsm.exe.68a0000.4.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\5thncv; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Quotation ATB-PR28500KINH.exe; Joe Sandbox ML: detected
Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 18.2.RegAsm.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.RegAsm.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.RegAsm.exe.68a0000.4.unpack; Avira: Label: TR/NanoCore.fadte
Source: global traffic; TCP traffic: 192.168.2.5:49726 -> 194.5.97.9:6184
Source: unknown; DNS traffic detected: queries for: kengeorge.zapto.org
Source: RegAsm.exe, 00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; the file sources are the same memory dumps and unpacked PEs listed under AV Detection above.

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.315860307.0000000003F89000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.513526465.0000000005940000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 6916, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 6916, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6620, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6620, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6988, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6988, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 18.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 18.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegAsm.exe.68a0000.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegAsm.exe.5940000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegAsm.exe.68a0000.4.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: Quotation ATB-PR28500KINH.exe
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe; Code function: 0_2_059C1D7F NtOpenFile,NtCreateFile,NtWriteFile,
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe; Code function: 0_2_059C00AD NtOpenSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe; Code function: 0_2_059C1C09 NtDelayExecution,
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe; Code function: 0_2_059C1C2B NtQueryInformationProcess,NtOpenFile,NtAllocateVirtualMemory,NtReadFile,
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe; Code function: 0_2_059D00AD NtOpenSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe; Code function: 0_2_059D1C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtTerminateProcess,NtUnmapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe; Code function: 5_2_057C1D7F NtOpenFile,GetMessageA,NtCreateFile,NtWriteFile,
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe; Code function: 5_2_057C1C2B NtQueryInformationProcess,NtOpenFile,NtAllocateVirtualMemory,NtReadFile,
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe; Code function: 5_2_057C1C09 NtDelayExecution,
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe; Code function: 5_2_057C00AD NtOpenSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe; Code function: 5_2_057D1C09 CreateProcessW,NtQueryInformationProcess,NtReadVirtualMemory,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtWriteVirtualMemory,NtGetContextThread,NtSetContextThread,NtResumeThread,
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe; Code function: 5_2_057D00AD NtOpenSection,NtMapViewOfSection,
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe; Code function: 0_2_010270C9
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe; Code function: 0_2_01799620
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe; Code function: 0_2_017904F0
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe; Code function: 0_2_017904E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_0315E471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_0315E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_0315BBD4
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe; Code function: 5_2_00CE70C9
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe; Code function: 5_2_016A9482
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe; Code function: 5_2_016A04E1
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe; Code function: 5_2_016A04F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 18_2_0544E471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 18_2_0544E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 18_2_0544BBD4
Source: Quotation ATB-PR28500KINH.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 5thncv.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: HJdyTuap.exe.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000003.469467692.0000000004F15000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameBHERuwclNdxgvdjq.bounce.exe4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.514669635.0000000006A70000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.514669635.0000000006A70000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.515184056.00000000079F0000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000005.00000002.516060257.0000000004CDE000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameBHERuwclNdxgvdjq.bounce.exe4 vs Quotation ATB-PR28500KINH.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Section loaded: sfc.dll
Source: 00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000012.00000002.315860307.0000000003F89000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.513526465.0000000005940000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2, date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.513526465.0000000005940000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1, date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegAsm.exe PID: 6916, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegAsm.exe PID: 6916, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6620, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6620, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6988, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6988, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 18.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 18.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 18.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 4.2.RegAsm.exe.68a0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.RegAsm.exe.68a0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.RegAsm.exe.5940000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.RegAsm.exe.5940000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 4.2.RegAsm.exe.68a0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 4.2.RegAsm.exe.68a0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: Quotation ATB-PR28500KINH.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 5thncv.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: HJdyTuap.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 4.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 4.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 4.2.RegAsm.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 18.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 18.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 4.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 4.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engine | Classification label: mal100.troj.adwa.evad.winEXE@14/8@21/1
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File created: C:\Users\user\AppData\Roaming\5thncv
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{a69adb5e-9e05-4144-8e58-f506b6f9f16f}
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_01
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Mutant created: \Sessions\1\BaseNamedObjects\Startup_shellcode_006
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File created: C:\Users\user\AppData\Local\Temp\tmp21A1.tmp
        Source: Quotation ATB-PR28500KINH.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File read: C:\Users\desktop.ini
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: Quotation ATB-PR28500KINH.exe | ReversingLabs: Detection: 27%
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File read: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
        Source: unknown | Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Source: unknown | Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp21A1.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 0
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp21A1.tmp'
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: Quotation ATB-PR28500KINH.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: Quotation ATB-PR28500KINH.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000004.00000003.338308664.000000000167C000.00000004.00000001.sdmp
        Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000004.00000003.338308664.000000000167C000.00000004.00000001.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 4.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 18.2.RegAsm.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 18.2.RegAsm.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: HJdyTuap.exe.0.dr | Static PE information: real checksum: 0x104824 should be: 0x105424
        Source: initial sample | Static PE information: section name: .text entropy: 7.86217054502
        Source: initial sample | Static PE information: section name: .text entropy: 7.86217054502
        Source: initial sample | Static PE information: section name: .text entropy: 7.86217054502
        Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 4.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 4.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 18.2.RegAsm.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 18.2.RegAsm.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File created: C:\Users\user\AppData\Roaming\5thncv (dropped file)
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe (dropped file)
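        The two obfuscation signals listed in this section (".text entropy: 7.86" on the sample and its dropped copies, and "High entropy of concatenated method names" on the renamed .NET types) are both Shannon-entropy measurements. The following is an added example, not code from Joe Sandbox or from the sample, that reproduces both checks with the standard library only. The thresholds (7.0 bits per byte for a packed section, 5.5 bits per character for obfuscated identifiers), the PLAIN_NAMES comparison set and the synthetic section bytes are assumptions constructed for the example; the OBFUSCATED_NAMES list is copied from the report lines above.

```python
import math
from collections import Counter

# Heuristic thresholds (assumptions for this example, not values from the report).
# Compiled x86/.NET code normally measures around 6.0-6.8 bits/byte; 7.0 and above
# is the range of packed or encrypted content, which is what 7.86 on .text signals.
PACKED_SECTION_THRESHOLD = 7.0
# Readable .NET identifiers concatenate to roughly 4.0-4.8 bits/char; base64-style
# renamed symbols from an obfuscator approach the 6.0 ceiling of a 64-symbol alphabet.
OBFUSCATED_NAME_THRESHOLD = 5.5

# Method names copied from the "High entropy of concatenated method names" lines above.
OBFUSCATED_NAMES = [
    "#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=",
    "#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=",
    "#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq",
    "#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=",
    "#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=",
    "#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA",
    "#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=",
    "#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=",
    "#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=",
    "#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs=",
]
# Constructed comparison set: ordinary .NET method names a non-obfuscated build keeps.
PLAIN_NAMES = [
    "GetCurrent", "IsInRole", "TransformFinalBlock", "CreateDecryptor", "Load",
    "Main", "Dispose", "ToString", "Equals", "GetHashCode", "GetType", "Invoke",
    "ReadAllBytes", "WriteAllBytes", "GetTempPath", "Start",
]


def shannon_entropy(data) -> float:
    """Shannon entropy in bits per symbol of a bytes object or str (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(section: bytes) -> bool:
    """True when a code section's byte entropy is in the packed/encrypted range."""
    return shannon_entropy(section) >= PACKED_SECTION_THRESHOLD


def name_entropy(names) -> float:
    """Entropy of the concatenated identifiers, the measure the report's signature uses."""
    return shannon_entropy("".join(names))


def names_look_obfuscated(names) -> bool:
    return name_entropy(names) >= OBFUSCATED_NAME_THRESHOLD


if __name__ == "__main__":
    # Constructed stand-ins for a packed and an unpacked .text section.
    packed = bytes(range(256)) * 16      # uniform bytes: the 8.0 bits/byte ceiling
    plain_code = (b"\x55\x8b\xec\x83\xec\x10" * 200) + b"\x90" * 400 + b"\xc3" * 200
    print("packed section:   %.3f packed=%s" % (shannon_entropy(packed), looks_packed(packed)))
    print("plain section:    %.3f packed=%s" % (shannon_entropy(plain_code), looks_packed(plain_code)))
    print("obfuscated names: %.3f obfuscated=%s" % (name_entropy(OBFUSCATED_NAMES),
                                                      names_look_obfuscated(OBFUSCATED_NAMES)))
    print("plain names:      %.3f obfuscated=%s" % (name_entropy(PLAIN_NAMES),
                                                      names_look_obfuscated(PLAIN_NAMES)))
```

        To apply the section check to a real file, feed it the raw bytes of each section (with the pefile module, `section.get_data()` on each entry of `pe.sections`; pefile also exposes `get_entropy()` directly). The identifier check is only meaningful on a decompiled or metadata-parsed assembly, and a single short class can sit below the threshold even when the whole assembly is renamed, so it is a triage hint rather than a verdict; the packed .text plus `Assembly.Load(byte[])` plus `CreateDecryptor`/`TransformFinalBlock` together are what make the unpacker verdict in this report solid.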

        Boot Survival:

        Drops PE files to the startup folder
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe (dropped file)
        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp21A1.tmp'
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe (reported twice)
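        Both persistence mechanisms in this section are detectable from ordinary process-creation and file-creation telemetry: a scheduled task whose definition XML is loaded from a temp directory (the logic behind the "Scheduled temp file as task from temp location" Sigma hit) and a PE written into the per-user Startup folder. The following is an added example, not code from Joe Sandbox or from the sample, that runs those two checks over constructed events. The first process event and the first file event reuse the command line and drop path from this report; the other two events are benign controls, and the list of .NET utilities treated as an odd parent for schtasks.exe is an assumption of the example.

```python
import re

# Temp locations a task-definition XML is not loaded from in a legitimate deployment.
TEMP_DIR = re.compile(r"(\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%)", re.IGNORECASE)
XML_ARG = re.compile(r"/xml\s+['\"]?([^'\"]+)", re.IGNORECASE)
TN_ARG = re.compile(r"/tn\s+['\"]?([^'\"]+)", re.IGNORECASE)
# A PE in the per-user Startup folder runs at every logon with no registry change at all.
STARTUP_PE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|dll|scr|com)$", re.IGNORECASE)
# .NET framework utilities that have no business spawning schtasks.exe (assumed list).
ODD_PARENTS = ("regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe")

# Constructed events modelled on the process and file lines in this report.
EVENTS = [
    {"type": "process",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp21A1.tmp'"},
    {"type": "process",   # benign control: task XML kept under ProgramData
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"schtasks.exe /create /tn Backup /xml C:\ProgramData\Backup\task.xml"},
    {"type": "file",
     "image": r"C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe",
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe"},
    {"type": "file",      # benign control: ordinary document write
     "image": r"C:\Program Files\Vendor\setup.exe",
     "path": r"C:\Users\user\Documents\notes.txt"},
]


def task_from_temp(cmdline: str):
    """Return the task XML path when cmdline creates a scheduled task from a
    temp-located definition file, otherwise None."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    m = XML_ARG.search(cmdline)
    if not m:
        return None
    xml_path = m.group(1).split(" /")[0].strip()   # stop at the next switch if unquoted
    return xml_path if TEMP_DIR.search(xml_path) else None


def task_name(cmdline: str):
    """The /tn value, quoted or not, or None when absent."""
    m = TN_ARG.search(cmdline)
    return m.group(1).split(" /")[0].strip() if m else None


def startup_pe_drop(path: str) -> bool:
    return STARTUP_PE.search(path) is not None


def detect(events):
    """Run both checks over process/file events and return the findings in event order."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            xml_path = task_from_temp(ev["cmdline"])
            if xml_path:
                findings.append({
                    "rule": "schtasks_xml_from_temp",
                    "task_name": task_name(ev["cmdline"]),
                    "xml": xml_path,
                    "parent": ev["parent"],
                    "odd_parent": ev["parent"].lower().endswith(ODD_PARENTS),
                })
        elif ev["type"] == "file" and startup_pe_drop(ev["path"]):
            findings.append({"rule": "startup_folder_pe_drop",
                             "path": ev["path"], "image": ev["image"]})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

        On a live host the same two questions are answered by reading the task's stored definition under C:\Windows\System32\Tasks\ (the XML is copied there, so the temp file being gone later does not hide the action it registers) and by listing the Startup folder; the parent check matters because RegAsm.exe here is a hollowed host for the RAT, not a legitimate COM registration.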

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File opened: C:\Users\user\AppData\Roaming\5thncv:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Window / User API: threadDelayed 396
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Window / User API: threadDelayed 2028
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 5626
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 3986
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: foregroundWindowGot 828
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Window / User API: threadDelayed 1230
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe TID: 6624	Thread sleep time: -40560s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7084	Thread sleep time: -20291418481080494s >= -30000s
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe TID: 7044	Thread sleep count: 247 > 30
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe TID: 6992	Thread sleep count: 1230 > 30
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6212	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7012	Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
        Source: RegAsm.exe, 00000004.00000002.515160362.0000000007120000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: RegAsm.exe, 00000004.00000002.515160362.0000000007120000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: RegAsm.exe, 00000004.00000002.515160362.0000000007120000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: RegAsm.exe, 00000004.00000003.329460319.00000000016A3000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: RegAsm.exe, 00000004.00000002.515160362.0000000007120000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059C01CB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059C1D7F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059C00AD mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059C00AD mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059C1C2B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059D00AD mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059D00AD mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 0_2_059D01CB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057C1D7F mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057C01CB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057C1C2B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057C00AD mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057C00AD mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057D01CB mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057D00AD mov ecx, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Code function: 5_2_057D00AD mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process token adjusted: Debug
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process token adjusted: Debug
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        Maps a DLL or memory area into another process
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Section loaded: unknown target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
        Writes to foreign memory regions
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 110B008
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F78008
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp21A1.tmp'
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        Source: RegAsm.exe, 00000004.00000002.508158113.000000000337F000.00000004.00000001.sdmp	Binary or memory string: Program Manager
        Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.507497314.0000000001E50000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.507030206.0000000001B70000.00000002.00000001.sdmp, Quotation ATB-PR28500KINH.exe, 00000005.00000002.507778484.0000000001AA0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
        Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.507497314.0000000001E50000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.507030206.0000000001B70000.00000002.00000001.sdmp, Quotation ATB-PR28500KINH.exe, 00000005.00000002.507778484.0000000001AA0000.00000002.00000001.sdmp	Binary or memory string: Progman
        Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.507497314.0000000001E50000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.507030206.0000000001B70000.00000002.00000001.sdmp, Quotation ATB-PR28500KINH.exe, 00000005.00000002.507778484.0000000001AA0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
        Source: RegAsm.exe, 00000004.00000002.508026222.00000000032FD000.00000004.00000001.sdmp	Binary or memory string: Program ManagerD$
        Source: RegAsm.exe, 00000004.00000002.508158113.000000000337F000.00000004.00000001.sdmp	Binary or memory string: Program Managerl
        Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.507497314.0000000001E50000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.507030206.0000000001B70000.00000002.00000001.sdmp, Quotation ATB-PR28500KINH.exe, 00000005.00000002.507778484.0000000001AA0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
        Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.507497314.0000000001E50000.00000002.00000001.sdmp, RegAsm.exe, 00000004.00000002.507030206.0000000001B70000.00000002.00000001.sdmp, Quotation ATB-PR28500KINH.exe, 00000005.00000002.507778484.0000000001AA0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Queries volume information: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe VolumeInformation
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Queries volume information: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe VolumeInformation
        Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match	File source: 00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000012.00000002.315860307.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match	File source: 00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: 00000004.00000002.507695159.0000000003291000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6916, type: MEMORY
        Source: Yara match	File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6620, type: MEMORY
        Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORY
        Source: Yara match	File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6988, type: MEMORY
        Source: Yara match	File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 18.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 4.2.RegAsm.exe.68a0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match	File source: 4.2.RegAsm.exe.68a0000.4.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: Quotation ATB-PR28500KINH.exe, 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
        Source: RegAsm.exe, 00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Ru
ntime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RAT
        Source: Yara match | File source: 00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000002.315860307.0000000003F89000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara match | File source: 00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.507695159.0000000003291000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6916, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6620, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 7048, type: MEMORY
        Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6988, type: MEMORY
        Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 18.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.RegAsm.exe.68a0000.4.raw.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 4.2.RegAsm.exe.68a0000.4.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Scheduled Task/Job1 | Startup Items1 | Startup Items1 | Masquerading11 | Input Capture11 | Security Software Discovery111 | Remote Services | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Scheduled Task/Job1 | Process Injection212 | Virtualization/Sandbox Evasion3 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Archive Collected Data11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Registry Run Keys / Startup Folder12 | Scheduled Task/Job1 | Disable or Modify Tools1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | DLL Side-Loading1 | Registry Run Keys / Startup Folder12 | Process Injection212 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | DLL Side-Loading1 | Deobfuscate/Decode Files or Information1 | LSA Secrets | File and Directory Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | DLL Side-Loading1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

        Behavior Graph

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        [Behavior graph image; node information recovered from the graph:]
        • Behavior Graph ID: 321077, Sample: Quotation ATB-PR28500KINH.exe, Startdate: 20/11/2020, Architecture: WINDOWS, Score: 100
        • DNS/IP: kengeorge.zapto.org; g.msn.com
        • Signatures on the sample: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 12 other signatures
        • Quotation ATB-PR28500KINH.exe (first instance, started): dropped C:\Users\user\AppData\...\HJdyTuap.exe (PE32), C:\Users\user\AppData\Roaming\5thncv (PE32), C:\Users\user\...\5thncv:Zone.Identifier (ASCII); signatures: Writes to foreign memory regions, Maps a DLL or memory area into another process, Hides that the sample has been downloaded from the Internet (zone.identifier); started Quotation ATB-PR28500KINH.exe, RegAsm.exe, RegAsm.exe
        • RegAsm.exe (started at the top level): started conhost.exe
        • Quotation ATB-PR28500KINH.exe (second instance): signatures: Writes to foreign memory regions, Maps a DLL or memory area into another process; started RegAsm.exe
        • RegAsm.exe (child of the first instance): contacted kengeorge.zapto.org (194.5.97.9, ports 49726, 49729, 49730, DANILENKODE, Netherlands); dropped C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO), C:\Users\user\AppData\Local\...\tmp21A1.tmp (XML); started schtasks.exe, which started conhost.exe

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        Quotation ATB-PR28500KINH.exe | 27% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac
        Quotation ATB-PR28500KINH.exe | 100% | Avira | TR/AD.Nanocore.bbyez
        Quotation ATB-PR28500KINH.exe | 100% | Joe Sandbox ML |

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | 100% | Avira | TR/AD.Nanocore.bbyez
        C:\Users\user\AppData\Roaming\5thncv | 100% | Avira | TR/AD.Nanocore.bbyez
        C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Roaming\5thncv | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Roaming\5thncv | 27% | ReversingLabs | ByteCode-MSIL.Trojan.Wacatac

        Unpacked PE Files

        Source | Detection | Scanner | Label
        5.2.Quotation ATB-PR28500KINH.exe.5a80000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        18.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        4.2.RegAsm.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        0.2.Quotation ATB-PR28500KINH.exe.59e0000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
        4.2.RegAsm.exe.68a0000.4.unpack | 100% | Avira | TR/NanoCore.fadte

        Domains

        No Antivirus matches

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            kengeorge.zapto.org | 194.5.97.9 | true | false | | unknown
            g.msn.com | unknown | unknown | false | | high

            Contacted IPs

            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs

            Public

            IP | Domain | Country | ASN | ASN Name | Malicious
            194.5.97.9 | unknown | Netherlands | 208476 | DANILENKODE | false

            General Information

            Joe Sandbox Version:31.0.0 Red Diamond
            Analysis ID:321077
            Start date:20.11.2020
            Start time:10:50:48
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 9m 55s
            Hypervisor based Inspection enabled:false
            Report type:light
            Sample file name:Quotation ATB-PR28500KINH.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:30
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.adwa.evad.winEXE@14/8@21/1
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 0.1% (good quality ratio 0%)
            • Quality average: 12.7%
            • Quality standard deviation: 9%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
            • TCP Packets have been reduced to 100
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
            • Excluded IPs from analysis (whitelisted): 13.88.21.125, 52.255.188.83, 23.210.248.85, 51.104.139.180, 51.103.5.159, 8.241.9.254, 8.253.204.120, 8.248.119.254, 8.248.113.254, 8.241.11.254, 8.241.11.126, 8.248.125.254, 8.248.117.254, 67.26.137.254, 52.155.217.156, 20.54.26.129, 52.142.114.176, 95.101.22.125, 95.101.22.134, 51.11.168.160
            • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, skypedataprdcoleus17.cloudapp.net, skypedataprdcolwus15.cloudapp.net
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/321077/sample/Quotation ATB-PR28500KINH.exe

            Simulations

            Behavior and APIs

            Time | Type | Description
            10:51:51 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
            10:51:57 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" s>$(Arg0)
            10:51:57 | API Interceptor | 917x Sleep call for process: RegAsm.exe modified

            Joe Sandbox View / Context

            IPs

            No context

            Domains

            Match | Associated Sample Name / URL | Detection | Context
            kengeorge.zapto.org | Quotation ATB-PR28500KINH.exe | malicious | 185.140.53.139

            ASN

            Match | Associated Sample Name / URL | Detection | Context
            DANILENKODE | 19112020778IMG78487784.exe | malicious | 194.5.97.249
            DANILENKODE | PaymentConformation.exe | malicious | 194.5.97.202
            DANILENKODE | bGtm3bQKUj.exe | malicious | 194.5.98.122
            DANILENKODE | IMAGE-18112020.exe | malicious | 194.5.97.17
            DANILENKODE | Covid-19 relief.exe | malicious | 194.5.97.21
            DANILENKODE | tax-relief.exe | malicious | 194.5.97.166
            DANILENKODE | Ref-BID PRICE.exe | malicious | 194.5.98.252
            DANILENKODE | 1ttmgYD97B.exe | malicious | 194.5.99.163
            DANILENKODE | 2mtUEXin7W.exe | malicious | 194.5.99.163
            DANILENKODE | wk59hOo880.exe | malicious | 194.5.99.163
            DANILENKODE | BCVaSYrgmG.exe | malicious | 194.5.99.163
            DANILENKODE | 30203490666.exe | malicious | 194.5.98.199
            DANILENKODE | InSppuoN2s.exe | malicious | 194.5.98.196
            DANILENKODE | Av01vC7kS1.exe | malicious | 194.5.97.155
            DANILENKODE | yb1rlaFJuO.exe | malicious | 194.5.99.163
            DANILENKODE | 1MwYrZqjEy.exe | malicious | 194.5.99.163
            DANILENKODE | IRS-RELIEF.exe | malicious | 194.5.97.21
            DANILENKODE | Jvdivmn_Signed_.exe | malicious | 194.5.97.38
            DANILENKODE | myupsfile.exe | malicious | 194.5.97.38
            DANILENKODE | dO50wcBKmS.exe | malicious | 194.5.97.155

            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            File Type:ASCII text, with CRLF line terminators
            Category:modified
            Size (bytes):42
            Entropy (8bit):4.0050635535766075
            Encrypted:false
            SSDEEP:3:QHXMKa/xwwUy:Q3La/xwQ
            MD5:84CFDB4B995B1DBF543B26B86C863ADC
            SHA1:D2F47764908BF30036CF8248B9FF5541E2711FA2
            SHA-256:D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
            SHA-512:485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
            Malicious:false
            Reputation:moderate, very likely benign file
            Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..
            C:\Users\user\AppData\Local\Temp\tmp21A1.tmp
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):1319
            Entropy (8bit):5.134254141338449
            Encrypted:false
            SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0mxz5xtn:cbk4oL600QydbQxIYODOLedq3Zxz5j
            MD5:48EF7FA9033389AD7929D7A6B9D10298
            SHA1:9DB6CB7325C8BDF66A15F7B5F34703709A45AEB6
            SHA-256:0C1B5F67EEB276D1D4205B138CE32BC6149924E02281A2DB8E4623A700E88F15
            SHA-512:AC8BD104ECBACC9BCCCE9E087F67E5B18072D59367CCD31D4E66132B6BAAEA520CBA5B9B59464483D86ABF74826B382C402F12E9A586C99BDA8C78A0DE33944E
            Malicious:true
            Reputation:moderate, very likely benign file
            Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
            C:\Users\user\AppData\Roaming\5thncv
            Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1020928
            Entropy (8bit):6.7450135182284585
            Encrypted:false
            SSDEEP:12288:95B/zCKY12RnzFAsKibDzxr3Cz2GG3tjNI91JgE8Itd4Y0pnx1ld8C:dbC+z8i/zxrSz2FO91JgE8a4TFxH
            MD5:5A6B8A02021146DBE686B9A5EB628D9A
            SHA1:7DC888C1F8A38A4A7385F666FCEE60BAB258A869
            SHA-256:7FA804F096ED67A239A1FA164BA4A63F06B6FD52F3163C82F096CC12082ACCA9
            SHA-512:DD30026FEF52A4A5700144980C7805D1710E0A5EA504A167FDBC59129A781BE6CEA3DD565D95B2EAFE4D57A8991FEC00D121FD5ACFBB316690BCDB60719CFF9F
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 27%
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p._................................. ... ....@.. ..............................$H....@.................................t...W.... ..N............................................................................ ............... ..H............text........ ...................... ..`.rsrc...N.... ......................@..@.reloc..............................@..B........................H........d...............q..............................................a.b.d.c.e.f.g.h.i.j.k.l.m.n.p.r.q.s.t.u.v.w.z.y.x.0.1.2.3.4.5.6.7.8.9.A.B.C.D.E.F.G.H.I.J.K.L.M.N.Q.P.R.T.S.V.U.W.X.Y.Z.6..(....o....*B...(.....o....&*2.(....t....*.(....&*2.t....o....*F~....~....(.....*..*..(....*.(.........(....(.........(....(....o.........*&...o....*.(....*.(....*.r9..p.....*6..{b...(^...*..o.....{a...{c....{b...oZ...(^...*.so....p...*..oq...*V.{....od....(...+...*J.{....o1....ov...*J
            C:\Users\user\AppData\Roaming\5thncv:Zone.Identifier
            Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
            File Type:ASCII text, with CRLF line terminators
            Category:modified
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Preview: [ZoneTransfer]....ZoneId=0
            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            File Type:Non-ISO extended-ASCII text, with NEL line terminators
            Category:dropped
            Size (bytes):8
            Entropy (8bit):3.0
            Encrypted:false
            SSDEEP:3:F3t:F3t
            MD5:D137D5B6421522A3D19236A56ACCFF51
            SHA1:AE22E7372035E11079F2D03F1ADA51F98E2DA19E
            SHA-256:EF685074F06CB6D1AA010756AF124480A2621EBF53E542036F5A267BB2FEC86A
            SHA-512:405D130E38D0275E57DF0CAF6032923A5CA1C2D3E7D846B46AE04EC831C96D1CACDBBCC071F5C7F4D1AC46540CC6C26CE1EA7729680A8E979918650E5DF47D22
            Malicious:true
            Preview: .D.Z...H
            C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            File Type:ASCII text, with no line terminators
            Category:dropped
            Size (bytes):56
            Entropy (8bit):4.823079645651109
            Encrypted:false
            SSDEEP:3:oMty8WddSWAnPL4A:oMLW6WAnPL4A
            MD5:743A1D76D284D8E42E19061A3F13A723
            SHA1:D6BBE641CBAC7B46C0922F32DCC89F8F5B87F98C
            SHA-256:86093BF03032ACFCEF934A0D8363B66AAF4ADEE58015DA0172E13635B1DD1FE8
            SHA-512:DF687DCD985D1F6127624220083DFD93A39FEBCE02A869F4126787DF3724890ECC10FF18077BFDEF02FCC802440F3F83545E4DA4BD826DC84E59B26A105F6567
            Malicious:false
            Preview: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
            Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):1024000
            Entropy (8bit):6.738941723536787
            Encrypted:false
            SSDEEP:12288:95B/zCKY12RnzFAsKibDzxr3Cz2GG3tjNI91JgE8Itd4Y0pnx1ld8C:dbC+z8i/zxrSz2FO91JgE8a4TFxH
            MD5:5F6F43FE7C5BDB4D77EFF131C8536E9B
            SHA1:3ED423034972EDF3518B97AFC64632FD4DC8419B
            SHA-256:82660B3E8BA370C6FAA0BF5ACB7C425F9C2D8CACC4194A0E9EE35F68D76D3239
            SHA-512:F61EF23DB4DAC90155D772E22E638CFE7D2C15BF37CE7DB7B0A79468F2489F921CD9E5E7281C96C5FB56A37B34631DCF745E4FF8B35BD9FF0F11FF009ADFDC81
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p._................................. ... ....@.. ..............................$H....@.................................t...W.... ..N............................................................................ ............... ..H............text........ ...................... ..`.rsrc...N.... ......................@..@.reloc..............................@..B........................H........d...............q..............................................a.b.d.c.e.f.g.h.i.j.k.l.m.n.p.r.q.s.t.u.v.w.z.y.x.0.1.2.3.4.5.6.7.8.9.A.B.C.D.E.F.G.H.I.J.K.L.M.N.Q.P.R.T.S.V.U.W.X.Y.Z.6..(....o....*B...(.....o....&*2.(....t....*.(....&*2.t....o....*F~....~....(.....*..*..(....*.(.........(....(.........(....(....o.........*&...o....*.(....*.(....*.r9..p.....*6..{b...(^...*..o.....{a...{c....{b...oZ...(^...*.so....p...*..oq...*V.{....od....(...+...*J.{....o1....ov...*J
            \Device\ConDrv
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):275
            Entropy (8bit):4.839531074781769
            Encrypted:false
            SSDEEP:6:z30qJ5tUI+30qobtUmYRZBXVNYL0dxKaRFfnYJin:z30mc30b4BFNY4xNYU
            MD5:1B648D405C15ECA8CF1B9B0469B5627E
            SHA1:C6BBAEDE7AE2353E15271F1FBAA18588BEF0E922
            SHA-256:52FF7329D9E47BF7366892E79338FEE702C60D1F3ADB2EDDB601DFAEC8F170A0
            SHA-512:086EC3F608C80CDB6DC844366CFBBA5237ABCEB5306C0EF7C91600003F1A169CD94EB07D3680E943C9AC498CBA3845857756C5D745A66999BE78C263E5C4405F
            Malicious:false
            Preview: Microsoft .NET Framework Assembly Registration Utility version 4.7.3056.0..for Microsoft .NET Framework version 4.7.3056.0..Copyright (C) Microsoft Corporation. All rights reserved.....RegAsm : error RA0000 : Unable to locate input assembly '0' or one of its dependencies...

            Static File Info

            General

            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):6.7450135182284585
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Generic Win/DOS Executable (2004/3) 0.01%
            • DOS Executable Generic (2002/1) 0.01%
            File name:Quotation ATB-PR28500KINH.exe
            File size:1020928
            MD5:5a6b8a02021146dbe686b9a5eb628d9a
            SHA1:7dc888c1f8a38a4a7385f666fcee60bab258a869
            SHA256:7fa804f096ed67a239a1fa164ba4a63f06b6fd52f3163c82f096cc12082acca9
            SHA512:dd30026fef52a4a5700144980c7805d1710e0a5ea504a167fdbc59129a781be6cea3dd565d95b2eafe4d57a8991fec00d121fd5acfbb316690bcdb60719cff9f
            SSDEEP:12288:95B/zCKY12RnzFAsKibDzxr3Cz2GG3tjNI91JgE8Itd4Y0pnx1ld8C:dbC+z8i/zxrSz2FO91JgE8a4TFxH
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p.._................................. ... ....@.. ..............................$H....@................................

            File Icon

            Icon Hash:905ada12e9cc368b

            Static PE Info

            General

            Entrypoint:0x4a04ce
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Time Stamp:0x5FB6F070 [Thu Nov 19 22:23:44 2020 UTC]
            TLS Callbacks:
            CLR (.Net) Version:v4.0.30319
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

            Entrypoint Preview

            Instruction
            jmp dword ptr [00402000h]
            add byte ptr [eax], al   (repeated for the rest of the preview: the bytes after the jump are 0x00 padding, which disassembles to this instruction)

            This is the standard native entry stub of a managed executable: a single indirect jump through the IAT (IMAGE_DIRECTORY_ENTRY_IAT at RVA 0x2000, i.e. 0x402000 with the 0x400000 image base) to the only import, mscoree.dll!_CorExeMain, which loads the CLR and transfers control to the managed entry point. Nothing of interest is visible in native code; the behaviour lives in the managed code and in what it unpacks at run time.

            Data Directories

            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa0474 | 0x57 | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa2000 | 0x5a94e | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfe000 | 0xc | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

            Sections

            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x2000 | 0x9e4d4 | 0x9e600 | False | 0.921844169298 | data | 7.86217054502 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            .rsrc | 0xa2000 | 0x5a94e | 0x5aa00 | False | 0.0372737068966 | data | 2.71520754372 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0xfe000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

            An entropy of 7.86 out of a possible 8.0, together with a ZLIB complexity of 0.92, means .text is almost entirely compressed or encrypted data rather than plain IL; this is what the ".NET source code contains potential unpacker" signature refers to, and the NanoCore payload is only recovered in memory at run time (where the Yara rules hit in the process dumps below). The 0x200 of headers plus the three raw sections add up exactly to the 1,020,928-byte file size, so there is no appended overlay.

            Resources

            Name | RVA | Size | Type | Language | Country
            RT_ICON | 0xa21d8 | 0x42028 | dBase III DBT, version number 0, next free block index 40 | English | United States
            RT_ICON | 0xe4200 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
            RT_ICON | 0xe4668 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 2699173413, next used block 2699173413 | English | United States
            RT_ICON | 0xe6c10 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 3236110116, next used block 3236110116 | English | United States
            RT_ICON | 0xe7cb8 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | English | United States
            RT_ICON | 0xf84e0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 2162368036, next used block 2162368036 | English | United States
            RT_GROUP_ICON | 0xfc708 | 0x5a | data | English | United States
            RT_MANIFEST | 0xfc764 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

            (The dBase/GLS "Type" values are libmagic guesses on raw icon bitmap data, not database files; the icon resources are ordinary, if large.)

            Imports

            DLL | Import
            mscoree.dll | _CorExeMain
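The static picture above (one CLR import, a COM descriptor directory, and a code section at 7.86 bits of entropy) is the shape of a packed .NET dropper, and it can be checked without running the file. The following is an added example, not part of the Joe Sandbox report or of the sample: a dependency-free Python parser that walks the PE headers, reports whether the CLR header (data directory 14) is present, and computes per-section Shannon entropy to flag executable sections that look compressed or encrypted. It runs against a minimal PE32 image constructed inside the script, not against the analysed file; the 7.0 threshold and the constructed image are assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
PACKED_ENTROPY_THRESHOLD = 7.0  # assumption: bits/byte above which an executable section is treated as packed


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> NT headers -> section table; return CLR presence and per-section entropy."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_off = opt_off + (96 if magic == 0x10B else 112)  # data directories start: PE32 vs PE32+
    clr_rva, clr_size = struct.unpack_from("<II", data, dd_off + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8)
    sections = []
    for i in range(nsec):
        # IMAGE_SECTION_HEADER is 40 bytes: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + i * 40)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "executable": bool(flags & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE)),
            "entropy": round(shannon_entropy(raw), 3),
        })
    return {"machine": machine, "timestamp": timestamp,
            "is_dotnet": clr_rva != 0 and clr_size != 0, "sections": sections}


def suspicious_sections(info: dict) -> list:
    """Names of executable sections whose raw bytes look compressed or encrypted."""
    return [s["name"] for s in info["sections"]
            if s["executable"] and s["entropy"] >= PACKED_ENTROPY_THRESHOLD]


def _deterministic_bytes(n: int) -> bytes:
    """High-entropy filler (a SHA-256 chain) standing in for an encrypted payload."""
    out, block = bytearray(), b"constructed-sample"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not the analysed file): a high-entropy .text and a zero-filled .rsrc."""
    text_data = _deterministic_bytes(0x1000)
    rsrc_data = b"\0" * 0x400
    nsec, opt_size, raw_base = 2, 224, 0x200  # headers (392 bytes) fit below the 0x200 file alignment
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew -> right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0x5FB6F070, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)    # COM descriptor set -> managed image
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text_data), 0x2000, len(text_data),
                      raw_base, 0, 0, 0, 0, 0x60000020)          # CODE | EXECUTE | READ
    sec += struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc_data), 0x4000, len(rsrc_data),
                       raw_base + len(text_data), 0, 0, 0, 0, 0x40000040)  # INITIALIZED_DATA | READ
    image = bytearray(dos + b"PE\0\0" + coff + opt + sec)
    image += b"\0" * (raw_base - len(image))
    return bytes(image + text_data + rsrc_data)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for s in info["sections"]:
        print(f"{s['name']:<8} rva=0x{s['virtual_address']:x} raw=0x{s['raw_size']:x} "
              f"exec={s['executable']} entropy={s['entropy']:.2f}")
    print("CLR header present:", info["is_dotnet"], "| packed-looking sections:", suspicious_sections(info))
```

Point `parse_pe` at the bytes of a real file and the same two checks apply: a non-zero COM descriptor directory says "managed", and an executable section near 8.0 bits says "the code you see is not the code that runs". Entropy alone does not prove malice (signed installers pack too), which is why it is a triage signal to pair with the behavioural evidence further down.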

            Possible Origin

            Language of compilation system | Country where language is spoken | Map
            English | United States |

            Network Behavior

            TCP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Nov 20, 2020 10:52:02.466367960 CET | 49726 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:02.496193886 CET | 6184 | 49726 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:03.184657097 CET | 49726 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:03.214612007 CET | 6184 | 49726 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:03.784126043 CET | 49726 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:03.813864946 CET | 6184 | 49726 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:08.033576965 CET | 49729 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:08.064066887 CET | 6184 | 49729 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:08.723309994 CET | 49729 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:08.753233910 CET | 6184 | 49729 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:09.410831928 CET | 49729 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:09.441014051 CET | 6184 | 49729 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:13.485429049 CET | 49730 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:13.515448093 CET | 6184 | 49730 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:14.020757914 CET | 49730 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:14.050601959 CET | 6184 | 49730 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:14.551795959 CET | 49730 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:14.581655025 CET | 6184 | 49730 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:18.705220938 CET | 49731 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:18.735104084 CET | 6184 | 49731 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:19.239630938 CET | 49731 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:19.269522905 CET | 6184 | 49731 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:19.770930052 CET | 49731 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:19.800921917 CET | 6184 | 49731 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:23.858556032 CET | 49732 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:23.888431072 CET | 6184 | 49732 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:24.396251917 CET | 49732 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:24.426213026 CET | 6184 | 49732 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:24.927702904 CET | 49732 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:24.957645893 CET | 6184 | 49732 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:29.029927015 CET | 49736 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:29.059813023 CET | 6184 | 49736 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:29.568558931 CET | 49736 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:29.598489046 CET | 6184 | 49736 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:30.099837065 CET | 49736 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:30.129645109 CET | 6184 | 49736 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:34.375207901 CET | 49743 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:34.405150890 CET | 6184 | 49743 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:35.007620096 CET | 49743 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:35.037687063 CET | 6184 | 49743 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:35.620990038 CET | 49743 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:35.650985956 CET | 6184 | 49743 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:39.703183889 CET | 49749 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:39.733134031 CET | 6184 | 49749 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:40.241233110 CET | 49749 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:40.271064997 CET | 6184 | 49749 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:40.772504091 CET | 49749 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:40.802356958 CET | 6184 | 49749 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:44.845530033 CET | 49756 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:47.851152897 CET | 49756 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:53.867326021 CET | 49756 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:54.051198959 CET | 6184 | 49756 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:58.141248941 CET | 49757 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:58.330878973 CET | 6184 | 49757 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:58.836340904 CET | 49757 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:59.020982981 CET | 6184 | 49757 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:52:59.523906946 CET | 49757 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:52:59.709059000 CET | 6184 | 49757 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:53:03.754981995 CET | 49760 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:53:03.946958065 CET | 6184 | 49760 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:53:04.461786985 CET | 49760 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:53:04.668989897 CET | 6184 | 49760 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:53:05.180625916 CET | 49760 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:53:05.370690107 CET | 6184 | 49760 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:53:09.424768925 CET | 49761 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:53:09.610785961 CET | 6184 | 49761 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:53:10.119046926 CET | 49761 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:53:10.300734997 CET | 6184 | 49761 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:53:10.806098938 CET | 49761 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:53:10.990715027 CET | 6184 | 49761 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:53:15.088957071 CET | 49762 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:53:15.280740976 CET | 6184 | 49762 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:53:15.790833950 CET | 49762 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:53:15.998838902 CET | 6184 | 49762 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:53:16.509627104 CET | 49762 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:53:16.690829992 CET | 6184 | 49762 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:53:20.757941008 CET | 49763 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:53:20.940715075 CET | 6184 | 49763 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:53:21.447537899 CET | 49763 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:53:21.640497923 CET | 6184 | 49763 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:53:22.150638103 CET | 49763 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:53:22.350904942 CET | 6184 | 49763 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:53:26.629566908 CET | 49764 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:53:26.818627119 CET | 6184 | 49764 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:53:27.447866917 CET | 49764 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:53:27.648524046 CET | 6184 | 49764 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:53:28.151122093 CET | 49764 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:53:28.350675106 CET | 6184 | 49764 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:53:32.552192926 CET | 49765 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:53:32.748727083 CET | 6184 | 49765 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:53:33.260946035 CET | 49765 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:53:33.460822105 CET | 6184 | 49765 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:53:33.964111090 CET | 49765 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:53:34.140450001 CET | 6184 | 49765 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:53:38.247296095 CET | 49766 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:53:38.430479050 CET | 6184 | 49766 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:53:38.933101892 CET | 49766 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:53:39.131073952 CET | 6184 | 49766 | 194.5.97.9 | 192.168.2.5
            Nov 20, 2020 10:53:39.636411905 CET | 49766 | 6184 | 192.168.2.5 | 194.5.97.9
            Nov 20, 2020 10:53:39.820441008 CET | 6184 | 49766 | 194.5.97.9 | 192.168.2.5

            All TCP traffic is to a single endpoint, 194.5.97.9 on the non-standard port 6184, which is the NanoCore C2. The client opens a fresh connection from a new source port roughly every 5 seconds, exchanges three short request/response pairs, and moves on; 17 such connections are recorded in about 96 seconds. The attempt from port 49756 shows the Windows SYN retransmission backoff (repeats at +3 s and +6 s) before the server answered, after which the round-trip time also grew from about 30 ms to about 190 ms for the rest of the run.

            UDP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Nov 20, 2020 10:51:38.788116932 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:51:38.815205097 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:51:39.880928993 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:51:39.908036947 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:51:55.739993095 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:51:55.777512074 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:02.374857903 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:02.412364006 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:06.545293093 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:06.572278976 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:07.995281935 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:08.032438040 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:13.445796967 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:13.483804941 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:18.668350935 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:18.703979015 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:23.822185040 CET | 58530 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:23.857530117 CET | 53 | 58530 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:25.016227961 CET | 53813 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:25.053634882 CET | 53 | 53813 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:25.163535118 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:25.190555096 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:25.247749090 CET | 57344 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:25.274890900 CET | 53 | 57344 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:28.992866993 CET | 54450 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:29.028661966 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:31.312700033 CET | 59261 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:31.348434925 CET | 53 | 59261 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:31.952512980 CET | 57151 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:31.979826927 CET | 53 | 57151 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:32.442549944 CET | 59413 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:32.478214025 CET | 53 | 59413 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:32.830388069 CET | 60516 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:32.857480049 CET | 53 | 60516 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:33.274805069 CET | 51649 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:33.310241938 CET | 53 | 51649 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:33.727365971 CET | 65086 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:33.763178110 CET | 53 | 65086 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:34.332396984 CET | 56432 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:34.368335009 CET | 53 | 56432 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:34.549232006 CET | 52929 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:34.595470905 CET | 53 | 52929 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:35.678245068 CET | 64317 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:35.714148998 CET | 53 | 64317 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:37.744891882 CET | 61004 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:37.780716896 CET | 53 | 61004 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:38.269572020 CET | 56895 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:38.280118942 CET | 62372 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:38.305378914 CET | 53 | 56895 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:38.323765039 CET | 53 | 62372 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:39.666395903 CET | 61515 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:39.702186108 CET | 53 | 61515 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:40.541301012 CET | 56675 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:40.585426092 CET | 53 | 56675 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:40.723639011 CET | 57172 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:40.761017084 CET | 53 | 57172 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:44.808027983 CET | 55267 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:44.843740940 CET | 53 | 55267 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:52:58.099848986 CET | 50969 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:52:58.135505915 CET | 53 | 50969 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:53:00.573663950 CET | 64362 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:53:00.600734949 CET | 53 | 64362 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:53:01.550841093 CET | 54766 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:53:01.594623089 CET | 53 | 54766 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:53:03.715306997 CET | 61446 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:53:03.753169060 CET | 53 | 61446 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:53:09.388045073 CET | 57515 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:53:09.423793077 CET | 53 | 57515 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:53:15.049813032 CET | 58199 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:53:15.087260008 CET | 53 | 58199 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:53:20.718812943 CET | 65221 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:53:20.756669998 CET | 53 | 65221 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:53:26.427288055 CET | 61573 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:53:26.463021040 CET | 53 | 61573 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:53:32.515227079 CET | 56562 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:53:32.550981045 CET | 53 | 56562 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:53:38.155330896 CET | 53591 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:53:38.190993071 CET | 53 | 53591 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:53:43.952354908 CET | 59688 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:53:43.990181923 CET | 53 | 59688 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:53:49.701139927 CET | 56032 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:53:49.736870050 CET | 53 | 56032 | 8.8.8.8 | 192.168.2.5
            Nov 20, 2020 10:53:55.361381054 CET | 61150 | 53 | 192.168.2.5 | 8.8.8.8
            Nov 20, 2020 10:53:55.396862030 CET | 53 | 61150 | 8.8.8.8 | 192.168.2.5

            DNS Queries

            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
            Nov 20, 2020 10:52:02.374857903 CET | 192.168.2.5 | 8.8.8.8 | 0xc3a3 | Standard query (0) | kengeorge.zapto.org | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:52:07.995281935 CET | 192.168.2.5 | 8.8.8.8 | 0x1d8b | Standard query (0) | kengeorge.zapto.org | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:52:13.445796967 CET | 192.168.2.5 | 8.8.8.8 | 0xc2aa | Standard query (0) | kengeorge.zapto.org | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:52:18.668350935 CET | 192.168.2.5 | 8.8.8.8 | 0xd980 | Standard query (0) | kengeorge.zapto.org | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:52:23.822185040 CET | 192.168.2.5 | 8.8.8.8 | 0x638b | Standard query (0) | kengeorge.zapto.org | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:52:28.992866993 CET | 192.168.2.5 | 8.8.8.8 | 0x7c40 | Standard query (0) | kengeorge.zapto.org | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:52:34.332396984 CET | 192.168.2.5 | 8.8.8.8 | 0x62fa | Standard query (0) | kengeorge.zapto.org | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:52:39.666395903 CET | 192.168.2.5 | 8.8.8.8 | 0x6f9f | Standard query (0) | kengeorge.zapto.org | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:52:40.541301012 CET | 192.168.2.5 | 8.8.8.8 | 0xb80a | Standard query (0) | g.msn.com | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:52:44.808027983 CET | 192.168.2.5 | 8.8.8.8 | 0x89cd | Standard query (0) | kengeorge.zapto.org | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:52:58.099848986 CET | 192.168.2.5 | 8.8.8.8 | 0xb049 | Standard query (0) | kengeorge.zapto.org | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:53:03.715306997 CET | 192.168.2.5 | 8.8.8.8 | 0xab7c | Standard query (0) | kengeorge.zapto.org | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:53:09.388045073 CET | 192.168.2.5 | 8.8.8.8 | 0x963b | Standard query (0) | kengeorge.zapto.org | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:53:15.049813032 CET | 192.168.2.5 | 8.8.8.8 | 0x78b1 | Standard query (0) | kengeorge.zapto.org | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:53:20.718812943 CET | 192.168.2.5 | 8.8.8.8 | 0x9c6b | Standard query (0) | kengeorge.zapto.org | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:53:26.427288055 CET | 192.168.2.5 | 8.8.8.8 | 0xbcfc | Standard query (0) | kengeorge.zapto.org | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:53:32.515227079 CET | 192.168.2.5 | 8.8.8.8 | 0xa06b | Standard query (0) | kengeorge.zapto.org | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:53:38.155330896 CET | 192.168.2.5 | 8.8.8.8 | 0xa01 | Standard query (0) | kengeorge.zapto.org | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:53:43.952354908 CET | 192.168.2.5 | 8.8.8.8 | 0x91fe | Standard query (0) | kengeorge.zapto.org | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:53:49.701139927 CET | 192.168.2.5 | 8.8.8.8 | 0x4484 | Standard query (0) | kengeorge.zapto.org | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:53:55.361381054 CET | 192.168.2.5 | 8.8.8.8 | 0x3fce | Standard query (0) | kengeorge.zapto.org | A (IP address) | IN (0x0001)

            DNS Answers

            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
            Nov 20, 2020 10:52:02.412364006 CET | 8.8.8.8 | 192.168.2.5 | 0xc3a3 | No error (0) | kengeorge.zapto.org | | 194.5.97.9 | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:52:08.032438040 CET | 8.8.8.8 | 192.168.2.5 | 0x1d8b | No error (0) | kengeorge.zapto.org | | 194.5.97.9 | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:52:13.483804941 CET | 8.8.8.8 | 192.168.2.5 | 0xc2aa | No error (0) | kengeorge.zapto.org | | 194.5.97.9 | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:52:18.703979015 CET | 8.8.8.8 | 192.168.2.5 | 0xd980 | No error (0) | kengeorge.zapto.org | | 194.5.97.9 | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:52:23.857530117 CET | 8.8.8.8 | 192.168.2.5 | 0x638b | No error (0) | kengeorge.zapto.org | | 194.5.97.9 | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:52:29.028661966 CET | 8.8.8.8 | 192.168.2.5 | 0x7c40 | No error (0) | kengeorge.zapto.org | | 194.5.97.9 | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:52:34.368335009 CET | 8.8.8.8 | 192.168.2.5 | 0x62fa | No error (0) | kengeorge.zapto.org | | 194.5.97.9 | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:52:39.702186108 CET | 8.8.8.8 | 192.168.2.5 | 0x6f9f | No error (0) | kengeorge.zapto.org | | 194.5.97.9 | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:52:40.585426092 CET | 8.8.8.8 | 192.168.2.5 | 0xb80a | No error (0) | g.msn.com | g-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)
            Nov 20, 2020 10:52:44.843740940 CET | 8.8.8.8 | 192.168.2.5 | 0x89cd | No error (0) | kengeorge.zapto.org | | 194.5.97.9 | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:52:58.135505915 CET | 8.8.8.8 | 192.168.2.5 | 0xb049 | No error (0) | kengeorge.zapto.org | | 194.5.97.9 | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:53:03.753169060 CET | 8.8.8.8 | 192.168.2.5 | 0xab7c | No error (0) | kengeorge.zapto.org | | 194.5.97.9 | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:53:09.423793077 CET | 8.8.8.8 | 192.168.2.5 | 0x963b | No error (0) | kengeorge.zapto.org | | 194.5.97.9 | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:53:15.087260008 CET | 8.8.8.8 | 192.168.2.5 | 0x78b1 | No error (0) | kengeorge.zapto.org | | 194.5.97.9 | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:53:20.756669998 CET | 8.8.8.8 | 192.168.2.5 | 0x9c6b | No error (0) | kengeorge.zapto.org | | 194.5.97.9 | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:53:26.463021040 CET | 8.8.8.8 | 192.168.2.5 | 0xbcfc | No error (0) | kengeorge.zapto.org | | 194.5.97.9 | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:53:32.550981045 CET | 8.8.8.8 | 192.168.2.5 | 0xa06b | No error (0) | kengeorge.zapto.org | | 194.5.97.9 | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:53:38.190993071 CET | 8.8.8.8 | 192.168.2.5 | 0xa01 | No error (0) | kengeorge.zapto.org | | 194.5.97.9 | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:53:43.990181923 CET | 8.8.8.8 | 192.168.2.5 | 0x91fe | No error (0) | kengeorge.zapto.org | | 194.5.97.9 | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:53:49.736870050 CET | 8.8.8.8 | 192.168.2.5 | 0x4484 | No error (0) | kengeorge.zapto.org | | 194.5.97.9 | A (IP address) | IN (0x0001)
            Nov 20, 2020 10:53:55.396862030 CET | 8.8.8.8 | 192.168.2.5 | 0x3fce | No error (0) | kengeorge.zapto.org | | 194.5.97.9 | A (IP address) | IN (0x0001)

            kengeorge.zapto.org is a No-IP dynamic-DNS hostname. It is re-resolved before every connection attempt (NanoCore does not cache the answer), it returned 194.5.97.9 throughout the run, and each answer is followed within about 50 ms by a TCP connection to port 6184. Domain, IP and port together are the network indicators for this sample; the g.msn.com lookup is Windows background traffic.
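The two tables above describe a textbook beacon: a dynamic-DNS name resolved over and over, followed each time by a short connection to the same IP on a port that no legitimate service uses. The following is an added example, not part of the Joe Sandbox report or of NanoCore: a small Python detector that groups outbound connections by destination, measures how regular the gaps between them are, and enriches the result with the name that resolved to that IP, alerting when periodic traffic goes to a non-standard port or a dynamic-DNS host. The connection and DNS log lines are constructed to mirror the report's timestamps (first packet of each TCP connection, plus two benign connections to a TEST-NET address that must not fire); the line format, the dynamic-DNS suffix list, the "common ports" set and the regularity thresholds are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Assumption: suffixes of free dynamic-DNS providers (No-IP, DuckDNS); extend for your environment.
DYNDNS_SUFFIXES = (".zapto.org", ".no-ip.org", ".no-ip.biz", ".hopto.org", ".ddns.net", ".duckdns.org")
# Assumption: ports where periodic traffic is normal enough to need a second signal before alerting.
COMMON_PORTS = {25, 53, 80, 443, 587, 993, 995, 8080}

# Constructed connection log, one line per outbound TCP connection (first packet only), modelled on the
# TCP table above: "date time src_ip src_port dst_ip dst_port proto".
CONN_LINES = [
    "2020-11-20 10:52:02.466367 192.168.2.5 49726 194.5.97.9 6184 tcp",
    "2020-11-20 10:52:08.033576 192.168.2.5 49729 194.5.97.9 6184 tcp",
    "2020-11-20 10:52:13.485429 192.168.2.5 49730 194.5.97.9 6184 tcp",
    "2020-11-20 10:52:18.705220 192.168.2.5 49731 194.5.97.9 6184 tcp",
    "2020-11-20 10:52:23.858556 192.168.2.5 49732 194.5.97.9 6184 tcp",
    "2020-11-20 10:52:29.029927 192.168.2.5 49736 194.5.97.9 6184 tcp",
    "2020-11-20 10:52:34.375207 192.168.2.5 49743 194.5.97.9 6184 tcp",
    "2020-11-20 10:52:39.703183 192.168.2.5 49749 194.5.97.9 6184 tcp",
    "2020-11-20 10:52:44.845530 192.168.2.5 49756 194.5.97.9 6184 tcp",
    "2020-11-20 10:52:58.141248 192.168.2.5 49757 194.5.97.9 6184 tcp",
    "2020-11-20 10:53:03.754981 192.168.2.5 49760 194.5.97.9 6184 tcp",
    "2020-11-20 10:53:09.424768 192.168.2.5 49761 194.5.97.9 6184 tcp",
    "2020-11-20 10:53:15.088957 192.168.2.5 49762 194.5.97.9 6184 tcp",
    "2020-11-20 10:53:20.757941 192.168.2.5 49763 194.5.97.9 6184 tcp",
    "2020-11-20 10:53:26.629566 192.168.2.5 49764 194.5.97.9 6184 tcp",
    "2020-11-20 10:53:32.552192 192.168.2.5 49765 194.5.97.9 6184 tcp",
    "2020-11-20 10:53:38.247296 192.168.2.5 49766 194.5.97.9 6184 tcp",
    # constructed benign traffic (TEST-NET address, two connections): must not be flagged
    "2020-11-20 10:52:41.000000 192.168.2.5 49750 203.0.113.10 443 tcp",
    "2020-11-20 10:53:11.000000 192.168.2.5 49770 203.0.113.10 443 tcp",
]
# Constructed DNS answer log: "date time dns name type answer".
DNS_LINES = [
    "2020-11-20 10:52:02.412364 dns kengeorge.zapto.org A 194.5.97.9",
    "2020-11-20 10:52:40.585426 dns g.msn.com CNAME g-msn-com-nsatc.trafficmanager.net",
]


def parse_conn(line: str):
    date, time, src, sport, dst, dport, proto = line.split()
    return datetime.fromisoformat(f"{date} {time}"), src, int(sport), dst, int(dport), proto


def parse_dns(line: str):
    _date, _time, _tag, name, rtype, answer = line.split()
    return name, rtype, answer


def analyse(conn_lines, dns_lines, min_conns=5, tolerance=0.3):
    """Per destination: connection count, median gap, share of gaps within +/-tolerance of the median,
    and the hostname whose A record pointed at the destination IP."""
    resolved = {}
    for line in dns_lines:
        name, rtype, answer = parse_dns(line)
        if rtype == "A":
            resolved.setdefault(answer, name)
    flows = defaultdict(list)
    for line in conn_lines:
        ts, _src, _sport, dst, dport, proto = parse_conn(line)
        if proto == "tcp":
            flows[(dst, dport)].append(ts)
    findings = []
    for (dst, dport), times in flows.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        regularity = sum(abs(g - median) <= tolerance * median for g in gaps) / len(gaps)
        name = resolved.get(dst)
        findings.append({
            "dst": dst, "dport": dport, "connections": len(times),
            "median_interval_s": round(median, 2), "regularity": round(regularity, 2),
            "periodic": regularity >= 0.7,
            "nonstandard_port": dport not in COMMON_PORTS,
            "resolved_name": name,
            "dyndns": name is not None and name.endswith(DYNDNS_SUFFIXES),
        })
    return findings


def beacon_alerts(conn_lines, dns_lines):
    """Periodic connections to a non-standard port or a dynamic-DNS host: the pattern in the tables above."""
    return [f for f in analyse(conn_lines, dns_lines)
            if f["periodic"] and (f["nonstandard_port"] or f["dyndns"])]


if __name__ == "__main__":
    for a in beacon_alerts(CONN_LINES, DNS_LINES):
        print(f"BEACON {a['dst']}:{a['dport']} ({a['resolved_name']}) {a['connections']} connections, "
              f"median {a['median_interval_s']} s, regularity {a['regularity']}")
```

The median is used rather than the mean so that one retransmission-delayed connection (the 13-second gap around port 49756 above) does not hide the 5-second cadence; with the report's timings 15 of 16 gaps fall within 30% of the median. On real Zeek or firewall logs the two parsers are the only part that changes.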

            Behavior

            System Behavior

            General

            Start time:10:51:43
            Start date:20/11/2020
            Path:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
            Imagebase:0xf90000
            File size:1020928 bytes
            MD5 hash:5A6B8A02021146DBE686B9A5EB628D9A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.512937029.00000000059E2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.511212576.0000000004381000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.513612076.0000000005D3C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:low

            General

            Start time:10:51:54
            Start date:20/11/2020
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Imagebase:0x150000
            File size:64616 bytes
            MD5 hash:6FD7592411112729BF6B1F2F6C34899F
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:moderate

            General

            Start time:10:51:55
            Start date:20/11/2020
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Imagebase:0xf50000
            File size:64616 bytes
            MD5 hash:6FD7592411112729BF6B1F2F6C34899F
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.511598900.0000000004299000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.514616448.00000000068A0000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000004.00000002.504689843.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000004.00000002.513526465.0000000005940000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.513526465.0000000005940000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.507695159.0000000003291000.00000004.00000001.sdmp, Author: Joe Security
            Reputation:moderate

            General

            Start time:10:51:56
            Start date:20/11/2020
            Path:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
            Wow64 process (32bit):true
            Commandline:'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
            Imagebase:0xc50000
            File size:1020928 bytes
            MD5 hash:5A6B8A02021146DBE686B9A5EB628D9A
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.511416569.0000000003FF1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.517841818.0000000005A82000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000005.00000002.506085283.0000000001233000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:low

            General

            Start time:10:51:56
            Start date:20/11/2020
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp21A1.tmp'
            Imagebase:0xb50000
            File size:185856 bytes
            MD5 hash:15FF7D8324231381BAD48A052F85DF04
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:10:51:57
            Start date:20/11/2020
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7ecfc0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:10:51:57
            Start date:20/11/2020
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 0
            Imagebase:0x7ff797770000
            File size:64616 bytes
            MD5 hash:6FD7592411112729BF6B1F2F6C34899F
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Reputation:moderate

            General

            Start time:10:51:58
            Start date:20/11/2020
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7ecfc0000
            File size:625664 bytes
            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:10:52:11
            Start date:20/11/2020
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Wow64 process (32bit):true
            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Imagebase:0xc50000
            File size:64616 bytes
            MD5 hash:6FD7592411112729BF6B1F2F6C34899F
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Yara matches:
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.315767298.0000000002F81000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.315860307.0000000003F89000.00000004.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.315860307.0000000003F89000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
            • Rule: NanoCore, Description: unknown, Source: 00000012.00000002.315053355.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
            Reputation:moderate

            Disassembly

            Code Analysis
