Analysis Report Quotation ATB-PR28500KINH.exe

Overview

General Information

Sample Name: Quotation ATB-PR28500KINH.exe
Analysis ID: 321079
MD5: 03c41991be46edacb01b18d7ffe97b33
SHA1: 17193a4a9fad92f1473d42bbe0d14e83da481a72
SHA256: 749b86298b1735b41e92eef8b48c0aa38f1d7fa55bd0958b7b752bfcb5cb5a87
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Protects its processes via BreakOnTermination flag
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses taskkill to terminate processes
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Quotation ATB-PR28500KINH.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe Avira: detection malicious, Label: TR/AD.Nanocore.qhfnr
Source: C:\Users\user\AppData\Roaming\45678 Avira: detection malicious, Label: TR/AD.Nanocore.qhfnr
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\45678 ReversingLabs: Detection: 27%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe ReversingLabs: Detection: 33%
Multi AV Scanner detection for submitted file
Source: Quotation ATB-PR28500KINH.exe ReversingLabs: Detection: 27%
Yara detected Nanocore RAT
Source: Yara match File source: 00000006.00000002.320687638.000000000409E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.318700397.0000000003041000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6148, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 3980, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6424, type: MEMORY
Source: Yara match File source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\45678 Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Quotation ATB-PR28500KINH.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack Avira: Label: TR/NanoCore.fadte
Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Networking:

Uses ping.exe to check the status of other devices and networks
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49725 -> 194.5.97.9:1430
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 1.1.1.1
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: unknown DNS traffic detected: queries for: petroleum.sytes.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: Quotation ATB-PR28500KINH.exe, 00000002.00000002.317601897.0000000000DE8000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.320687638.000000000409E000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT (the same Yara match sources as listed under AV Detection above)

Operating System Destruction:

Protects its processes via BreakOnTermination flag
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process information set: 00 00 00 00

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.328310332.00000000073C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.328240077.0000000007380000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.328269653.0000000007390000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.327974006.00000000071E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.325787678.00000000057E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.328184231.0000000007370000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.326037509.00000000058C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6148, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6148, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 3980, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 3980, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6424, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6424, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.Quotation ATB-PR28500KINH.exe.7380000.11.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.Quotation ATB-PR28500KINH.exe.7370000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.71e0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.7370000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.71e0000.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.58c0000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.7390000.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.Quotation ATB-PR28500KINH.exe.57e0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.7380000.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.7390000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 6.2.Quotation ATB-PR28500KINH.exe.58c0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Quotation ATB-PR28500KINH.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 6_2_0740E180 NtSetInformationProcess
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 6_2_0740E178 NtSetInformationProcess
Detected potential crypto function
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 2_2_00747241
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 6_2_00C67241
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 6_2_016DE471
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 6_2_016DE480
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 6_2_016DBBD4
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 6_2_074077A0
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 6_2_07400298
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 6_2_07406ED0
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 6_2_0740B920
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 6_2_07400356
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 6_2_07406B88
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 10_2_00647241
PE file contains strange resources
Source: Quotation ATB-PR28500KINH.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 45678.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: HJdyTuap.exe.2.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: Quotation ATB-PR28500KINH.exe, 00000002.00000002.317601897.0000000000DE8000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000002.00000002.326733163.00000000046F5000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameafHVuOgBCjbjgXKF.bounce.exe4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321759485.00000000042E3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321759485.00000000042E3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321759485.00000000042E3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321759485.00000000042E3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321759485.00000000042E3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321759485.00000000042E3000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.320687638.000000000409E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.320687638.000000000409E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327299358.0000000006FB0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.326304055.0000000006240000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.317789934.000000000138A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 0000000A.00000002.323134586.0000000003F2E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameafHVuOgBCjbjgXKF.bounce.exe4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 0000000A.00000002.317624491.0000000000D7A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 0000000A.00000002.332027361.0000000073FE0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Quotation ATB-PR28500KINH.exe
Yara signature match
Matched rules (metadata as reported, listed once):
Nanocore_RAT_Gen_2: date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Nanocore_RAT_Feb18_1: date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
NanoCore: date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Sources and the rules they matched:
Source: 00000006.00000002.328310332.00000000073C0000.00000004.00000001.sdmp, type: MEMORY Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
Source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: 00000006.00000002.328240077.0000000007380000.00000004.00000001.sdmp, type: MEMORY Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
Source: 00000006.00000002.328269653.0000000007390000.00000004.00000001.sdmp, type: MEMORY Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
Source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, type: MEMORY Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp, type: MEMORY Matched rules: NanoCore
Source: 00000006.00000002.327974006.00000000071E0000.00000004.00000001.sdmp, type: MEMORY Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
Source: 00000006.00000002.325787678.00000000057E0000.00000004.00000001.sdmp, type: MEMORY Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
Source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, type: MEMORY Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, type: MEMORY Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, type: MEMORY Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
Source: 00000006.00000002.328184231.0000000007370000.00000004.00000001.sdmp, type: MEMORY Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
Source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, type: MEMORY Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: 00000006.00000002.326037509.00000000058C0000.00000004.00000001.sdmp, type: MEMORY Matched rules: Nanocore_RAT_Gen_2, Nanocore_RAT_Feb18_1
Source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, type: MEMORY Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6148, type: MEMORY Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 3980, type: MEMORY Matched rules: Nanocore_RAT_Gen_2, NanoCore
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6424, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6424, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.Quotation ATB-PR28500KINH.exe.7380000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Quotation ATB-PR28500KINH.exe.7380000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.Quotation ATB-PR28500KINH.exe.7370000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Quotation ATB-PR28500KINH.exe.7370000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.Quotation ATB-PR28500KINH.exe.71e0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Quotation ATB-PR28500KINH.exe.71e0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.Quotation ATB-PR28500KINH.exe.7370000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Quotation ATB-PR28500KINH.exe.7370000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.Quotation ATB-PR28500KINH.exe.71e0000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Quotation ATB-PR28500KINH.exe.71e0000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Quotation ATB-PR28500KINH.exe.73c0000.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.Quotation ATB-PR28500KINH.exe.58c0000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Quotation ATB-PR28500KINH.exe.58c0000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.Quotation ATB-PR28500KINH.exe.7390000.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Quotation ATB-PR28500KINH.exe.7390000.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 6.2.Quotation ATB-PR28500KINH.exe.57e0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Quotation ATB-PR28500KINH.exe.57e0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.Quotation ATB-PR28500KINH.exe.7380000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Quotation ATB-PR28500KINH.exe.7380000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.Quotation ATB-PR28500KINH.exe.7390000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Quotation ATB-PR28500KINH.exe.7390000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.Quotation ATB-PR28500KINH.exe.58c0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 6.2.Quotation ATB-PR28500KINH.exe.58c0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Quotation ATB-PR28500KINH.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 45678.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: HJdyTuap.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine Classification label: mal100.troj.adwa.evad.winEXE@43520/9@2/3
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File created: C:\Users\user\AppData\Roaming\45678
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1256:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5908:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6300:120:WilError_01
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Mutant created: \Sessions\1\BaseNamedObjects\Startup_shellcode_006
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{c7093f5f-20e4-4efa-a2b8-e96b9af4ad8c}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1140:120:WilError_01
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File created: C:\Users\user\AppData\Local\Temp\tmpECB7.tmp
Source: Quotation ATB-PR28500KINH.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "Quotation ATB-PR28500KINH.exe")
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Quotation ATB-PR28500KINH.exe ReversingLabs: Detection: 27%
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File read: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
Source: unknown Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
Source: unknown Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Quotation ATB-PR28500KINH.exe
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' 0
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor Task'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C taskkill /f /im 'Quotation ATB-PR28500KINH.exe' & ping -n 1 -w 3000 1.1.1.1 & type nul > 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' & del /f /q 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Quotation ATB-PR28500KINH.exe
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp'
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor'
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor Task'
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C taskkill /f /im 'Quotation ATB-PR28500KINH.exe' & ping -n 1 -w 3000 1.1.1.1 & type nul > 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' & del /f /q 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Quotation ATB-PR28500KINH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Quotation ATB-PR28500KINH.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Windows\mscorlib.pdb6e source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.317842225.00000000013B2000.00000004.00000020.sdmp
Source: Binary string: symbols\dll\mscorlib.pdb source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327278299.0000000006FAC000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdb source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327183574.0000000006D8F000.00000004.00000001.sdmp
Source: Binary string: p0C:\Windows\mscorlib.pdb source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327278299.0000000006FAC000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdb853321935-2125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.317842225.00000000013B2000.00000004.00000020.sdmp
Source: Binary string: mscorlib.pdbH source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327127110.0000000006D70000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
PE file contains an invalid checksum
Source: HJdyTuap.exe.2.dr Static PE information: real checksum: 0x108e0c should be: 0x10980c
Source: initial sample Static PE information: section name: .text entropy: 7.8618274721
Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File created: C:\Users\user\AppData\Roaming\45678
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File created: C:\Users\user\AppData\Roaming\45678

Boot Survival:

Drops PE files to the startup folder
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp'
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe File opened: C:\Users\user\AppData\Roaming\45678:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process information set: NOOPENFILEERRORBOX (97 occurrences)
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX (8 occurrences)
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
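The sample opened 45678:Zone.Identifier with delete access, which removes the Mark-of-the-Web from the dropped payload so that SmartScreen and the Attachment Execution Service no longer treat it as an Internet download. The following is an added example, not part of this report or of the sandbox, that parses the [ZoneTransfer] stream format and, on Windows, reads the stream through the path:stream form that CPython's open() passes straight to CreateFile. SAMPLE_STREAM and the URLs in it are constructed; the ZONE_NAMES table reflects the URLMON zone ids.

```python
"""Inspect the Mark-of-the-Web (Zone.Identifier ADS) on a downloaded file.

Added example, not from the sandbox report. The stream text is a constructed
sample in the documented [ZoneTransfer] INI format; the ADS read only works on
NTFS under Windows.
"""
import configparser
import sys

# URLMON security zones as written into the ADS by the Attachment Execution Service.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Constructed sample of what a browser-downloaded file carries (CRLF line endings).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/quote\r\n"
    "HostUrl=https://example.invalid/Quotation.exe\r\n"
)


def parse_zone_identifier(text):
    """Parse Zone.Identifier stream text into a dict with an integer ZoneId.

    Returns None when there is no [ZoneTransfer] section or no numeric ZoneId,
    which is also how Windows behaves: a missing or malformed mark means no prompt.
    """
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case exactly as written in the stream
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    if not parser.has_section("ZoneTransfer"):
        return None
    fields = dict(parser["ZoneTransfer"])
    try:
        fields["ZoneId"] = int(fields["ZoneId"])
    except (KeyError, ValueError):
        return None
    fields["ZoneName"] = ZONE_NAMES.get(fields["ZoneId"], "Unknown")
    return fields


def is_marked_from_internet(text):
    """True when the mark says Internet (3) or Restricted (4), the zones SmartScreen acts on."""
    info = parse_zone_identifier(text)
    return info is not None and info["ZoneId"] >= 3


def read_mark_of_the_web(path):
    """Return the parsed mark of *path*, or None if the stream is absent.

    Windows only (hypothetical helper): opening 'path:Zone.Identifier' reaches the
    alternate data stream with an ordinary open(), the same object the sample
    opened with delete access.
    """
    if sys.platform != "win32":
        raise OSError("alternate data streams need NTFS on Windows")
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    if sys.platform == "win32" and len(sys.argv) > 1:
        print(read_mark_of_the_web(sys.argv[1]))
```

A dropped PE in AppData\Roaming that carries no Zone.Identifier while its dropper does is itself a hunting signal; the parser above is the offline half of that check, and read_mark_of_the_web is the on-host half.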

Malware Analysis System Evasion:

barindex
Uses ping.exe to sleep
Source: unknown Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Window / User API: threadDelayed 3215 Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Window / User API: threadDelayed 6337 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe TID: 6392 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe TID: 6464 Thread sleep count: 50 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed (4 conhost.exe instances)
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327299358.0000000006FB0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327299358.0000000006FB0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327299358.0000000006FB0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.317842225.00000000013B2000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327299358.0000000006FB0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 2_2_050300AD mov ecx, dword ptr fs:[00000030h] 2_2_050300AD
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Code function: 2_2_050300AD mov eax, dword ptr fs:[00000030h] 2_2_050300AD
Enables debug privileges
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Section loaded: unknown target: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe protection: execute and read and write Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Quotation ATB-PR28500KINH.exe Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpECB7.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor' Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor Task' Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C taskkill /f /im 'Quotation ATB-PR28500KINH.exe' & ping -n 1 -w 3000 1.1.1.1 & type nul > 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' & del /f /q 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
Uses taskkill to terminate processes
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.328052753.000000000733E000.00000004.00000010.sdmp Binary or memory string: Program Manager
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.320469818.0000000003371000.00000004.00000001.sdmp Binary or memory string: Program ManagerHa+l
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.318986123.00000000030AB000.00000004.00000001.sdmp Binary or memory string: Program ManagerD$+l
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.319565462.00000000031B9000.00000004.00000001.sdmp Binary or memory string: Program Managerx
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.320153837.00000000032EB000.00000004.00000001.sdmp Binary or memory string: Program Managert
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.327030641.00000000069AB000.00000004.00000010.sdmp Binary or memory string: Program Manager@
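The schtasks /create ... /xml line under Boot Survival, the Startup-folder PE drop, the cmd.exe chain above (taskkill, ping as a delay, truncate, del) and the ping -n 1 -w 3000 1.1.1.1 delay are the command lines and file events a detection engineer would key on. The following is an added example, not part of this report or of the sandbox, that runs those checks over constructed Sysmon-style process-creation and file-creation events reproducing the report's activity. The event field names, the TEMP_DIRS and SLEEP_HOSTS lists and the rule names are this example's own assumptions. The sandbox renders command-line quotes as single quotes; the constructed events restore the double quotes Windows actually logs.

```python
"""Detections for the persistence and self-deletion command lines in this report.

Added example, not from the report. EVENTS are constructed Sysmon-style records
reproducing the report's process and file activity; field and rule names are
this example's own.
"""
import re
import shlex

# Assumed hunting lists: where a task XML should never live, and the fixed hosts
# that appear in ping-as-sleep chains rather than in real reachability checks.
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
SLEEP_HOSTS = {"127.0.0.1", "localhost", "1.1.1.1", "8.8.8.8"}


def split_cmdline(cmdline):
    """Tokenize a Windows command line: quotes group words, backslashes are literal."""
    lex = shlex.shlex(cmdline, posix=True)
    lex.whitespace_split = True
    lex.commenters = ""
    lex.escape = ""  # '\' separates path components on Windows; it is not an escape
    return list(lex)


def _image(tokens):
    """Lower-cased file name of the first token, with any directory stripped."""
    return tokens[0].lower().rsplit("\\", 1)[-1] if tokens else ""


def schtasks_from_temp(cmdline):
    """Return (task name, xml path) when schtasks registers a task from a temp XML."""
    tokens = split_cmdline(cmdline)
    lowered = [t.lower() for t in tokens]
    if _image(tokens) != "schtasks.exe" or "/create" not in lowered or "/xml" not in lowered:
        return None

    def value(flag):
        i = lowered.index(flag) + 1
        return tokens[i] if i < len(tokens) else ""

    xml_path = value("/xml")
    if any(d in xml_path.lower() for d in TEMP_DIRS):
        return (value("/tn") if "/tn" in lowered else ""), xml_path
    return None


def ping_used_as_sleep(tokens):
    """ping -n <count> -w <ms> <fixed host> is a delay, not a reachability probe.

    The delay is at most -w milliseconds per attempt, so a single attempt with a
    large -w against a host that always answers is the classic 'sleep' idiom.
    """
    if _image(tokens) not in ("ping", "ping.exe"):
        return False
    lowered = [t.lower() for t in tokens]
    try:
        count = int(tokens[lowered.index("-n") + 1])
        timeout_ms = int(tokens[lowered.index("-w") + 1])
    except (ValueError, IndexError):
        return False
    return tokens[-1] in SLEEP_HOSTS and (count > 1 or timeout_ms >= 1000)


def self_delete_chain(cmdline):
    """Detect 'cmd /C taskkill /im X & ping ... & del <dir>\\X' self-deletion.

    Returns the deleted path when the chain kills an image name, delays, then
    deletes a file of that same name. '&' inside a quoted path is not handled.
    """
    m = re.match(r'\s*"?(?:.*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', cmdline, re.I)
    if not m:
        return None
    killed, delayed, deleted = None, False, None
    for part in re.split(r"\s*&+\s*", m.group(1)):
        step = split_cmdline(part)
        lowered = [t.lower() for t in step]
        if _image(step) in ("taskkill", "taskkill.exe") and "/im" in lowered[:-1]:
            killed = lowered[lowered.index("/im") + 1]
        elif ping_used_as_sleep(step):
            delayed = True
        elif _image(step) == "del" and len(step) > 1:
            deleted = step[-1]
    if killed and delayed and deleted and deleted.lower().endswith("\\" + killed):
        return deleted
    return None


def scan(events):
    """Apply every check to constructed events; returns a list of (rule, detail)."""
    hits = []
    for ev in events:
        if ev["event"] == "process":
            cmd = ev["cmdline"]
            task = schtasks_from_temp(cmd)
            if task:
                hits.append(("scheduled task created from temp XML", "%s <- %s" % task))
            target = self_delete_chain(cmd)
            if target:
                hits.append(("self-deletion via taskkill/ping/del", target))
            if ping_used_as_sleep(split_cmdline(cmd)):
                hits.append(("ping used as sleep", cmd))
        elif ev["event"] == "file" and ev["head"].startswith(b"MZ"):
            low = ev["path"].lower()
            if "\\start menu\\programs\\startup\\" in low:
                hits.append(("PE dropped to Startup folder", ev["path"]))
            if not low.endswith((".exe", ".dll", ".scr", ".sys", ".com")):
                hits.append(("PE content with non-executable extension", ev["path"]))
    return hits


# Constructed events mirroring the report (last one is a benign control).
EVENTS = [
    {"event": "process", "cmdline": '"schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\\Users\\user\\AppData\\Local\\Temp\\tmpECB7.tmp"'},
    {"event": "process", "cmdline": '"schtasks.exe" /delete /f /tn "DHCP Monitor"'},
    {"event": "process", "cmdline": '"cmd.exe" /C taskkill /f /im "Quotation ATB-PR28500KINH.exe" & ping -n 1 -w 3000 1.1.1.1 & type nul > "C:\\Users\\user\\Desktop\\Quotation ATB-PR28500KINH.exe" & del /f /q "C:\\Users\\user\\Desktop\\Quotation ATB-PR28500KINH.exe"'},
    {"event": "process", "cmdline": "ping -n 1 -w 3000 1.1.1.1"},
    {"event": "file", "path": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\HJdyTuap.exe", "head": b"MZ\x90\x00"},
    {"event": "file", "path": "C:\\Users\\user\\AppData\\Roaming\\45678", "head": b"MZ\x90\x00"},
    {"event": "process", "cmdline": "ping -n 4 fileserver01"},
]

if __name__ == "__main__":
    for rule, detail in scan(EVENTS):
        print("%-45s %s" % (rule, detail))
```

The /delete lines in the report do not fire, and neither does the control ping, because the checks key on the combination (create plus temp XML; kill plus delay plus delete of the same image; fixed host plus a long -w) rather than on any single tool name. The truncation step (type nul > file) is deliberately not required, since not every self-deletion chain uses it.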

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Queries volume information: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Queries volume information: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Queries volume information: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 00000006.00000002.320687638.000000000409E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.316582541.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.318700397.0000000003041000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.317796226.0000000000E64000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.325804891.00000000057F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.330776176.00000000054E2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.317682512.0000000000DA5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6148, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 3980, type: MEMORY
Source: Yara match File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6424, type: MEMORY
Source: Yara match File source: 2.2.Quotation ATB-PR28500KINH.exe.54e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.Quotation ATB-PR28500KINH.exe.57f0000.4.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Detected Nanocore Rat
Source: Quotation ATB-PR28500KINH.exe, 00000002.00000002.321624483.0000000003B61000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321759485.00000000042E3000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: Quotation ATB-PR28500KINH.exe, 00000006.00000002.321093889.000000000418C000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Quotation ATB-PR28500KINH.exe, 0000000A.00000002.320831164.0000000003961000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match File source: the same 17 memory and unpacked-PE matches listed under Stealing of Sensitive Information above
Behavior Graph

Behavior Graph ID: 321079 Sample: Quotation ATB-PR28500KINH.exe Startdate: 20/11/2020 Architecture: WINDOWS Score: 100

Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 14 other signatures

Process tree (node numbers as in the graph; "->" is parent to child):

  8  Quotation ATB-PR28500KINH.exe (started; graph counter: 3 created files)
       dropped: C:\Users\user\AppData\...\HJdyTuap.exe (PE32); C:\Users\user\AppData\Roaming\45678 (PE32); C:\Users\user\...\45678:Zone.Identifier (ASCII)
       signatures: Maps a DLL or memory area into another process; Hides that the sample has been downloaded from the Internet (zone.identifier)
       8 -> 14  Quotation ATB-PR28500KINH.exe (graph counters: 1 created registry value, 11 created files)
                network: petroleum.sytes.net 194.5.97.9 (ports listed: 1430, 49725, 49727) DANILENKODE Netherlands
                dropped: C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO); C:\Users\user\AppData\Local\...\tmpECB7.tmp (XML)
                signatures: Protects its processes via BreakOnTermination flag
                14 -> 19  cmd.exe
                          network: 1.1.1.1 CLOUDFLARENETUS Australia
                          signatures: Uses ping.exe to sleep
                          19 -> 29  PING.EXE (network: 192.168.2.1 unknown unknown)
                          19 -> 32  conhost.exe
                          19 -> 34  taskkill.exe
                14 -> 23  schtasks.exe (graph counter: 1) -> 36 conhost.exe
                14 -> 25  schtasks.exe -> 38 conhost.exe
                14 -> 27  schtasks.exe -> 40 conhost.exe
  12  Quotation ATB-PR28500KINH.exe (started)

Contacted Public IPs

IP           Domain   Country      ASN     ASN Name         Malicious
1.1.1.1      unknown  Australia    13335   CLOUDFLARENETUS  true
194.5.97.9   unknown  Netherlands  208476  DANILENKODE      false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
petroleum.sytes.net 194.5.97.9 true