Play interactive tour

Edit tour

Analysis Report Package_details.exe

Overview

General Information

Sample Name:	Package_details.exe
Analysis ID:	321402
MD5:	ce3c5367fb067a45f5fa10c35ca23a28
SHA1:	9d0f4d746747a6fd13a48b1a867eb8d103d9daec
SHA256:	e4fc20492ed4f4750766382f6578d84f38bf680646eb6b5193c5733925941f67
Tags:	NanoCore
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Detected unpacking (creates a PE file in dynamic memory)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Connects to many ports of the same IP (likely port scanning)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Package_details.exe (PID: 1092 cmdline: 'C:\Users\user\Desktop\Package_details.exe' MD5: CE3C5367FB067A45F5FA10C35CA23A28)

cmd.exe (PID: 4092 cmdline: cmd /c schtasks /Create /TN fonts /XML 'C:\Users\user\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 2296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5464 cmdline: schtasks /Create /TN fonts /XML 'C:\Users\user\AppData\Local\Temp\3b53dd4f8dbc40fcb4ebf67bcf9e21d3.xml' MD5: 15FF7D8324231381BAD48A052F85DF04)

Package_details.exe (PID: 4156 cmdline: C:\Users\user\Desktop\Package_details.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)

schtasks.exe (PID: 5592 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp30A7.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 5108 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp33C5.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Package_details.exe (PID: 5804 cmdline: C:\Users\user\Desktop\Package_details.exe 0 MD5: CE3C5367FB067A45F5FA10C35CA23A28)

Package_details.exe (PID: 4168 cmdline: C:\Users\user\Desktop\Package_details.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)

Package_details.exe (PID: 2140 cmdline: C:\Users\user\Desktop\Package_details.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)

Package_details.exe (PID: 6304 cmdline: C:\Users\user\Desktop\Package_details.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)

dhcpmon.exe (PID: 4112 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: CE3C5367FB067A45F5FA10C35CA23A28)

dhcpmon.exe (PID: 5712 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)

dhcpmon.exe (PID: 4604 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: CE3C5367FB067A45F5FA10C35CA23A28)

dhcpmon.exe (PID: 6236 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)

dhcpmon.exe (PID: 6296 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)

dhcpmon.exe (PID: 6532 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: CE3C5367FB067A45F5FA10C35CA23A28)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
00000015.00000002.279047270.0000000002F10000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000002.279047270.0000000002F10000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
00000015.00000002.279047270.0000000002F10000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.279047270.0000000002F10000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
00000012.00000002.265645463.0000000000BA0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000012.00000002.265645463.0000000000BA0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
00000012.00000002.265645463.0000000000BA0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000012.00000002.265645463.0000000000BA0000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
0000000E.00000002.256685765.0000000001110000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.256685765.0000000001110000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
0000000E.00000002.256685765.0000000001110000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.256685765.0000000001110000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
00000015.00000002.279458357.00000000042D1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x123e5:$x1: NanoCore.ClientPluginHost 0x7c73b:$x1: NanoCore.ClientPluginHost 0x8fea9:$x1: NanoCore.ClientPluginHost 0xa8e8d:$x1: NanoCore.ClientPluginHost 0x12422:$x2: IClientNetworkHost 0x7c755:$x2: IClientNetworkHost 0x8fed6:$x2: IClientNetworkHost 0xa8eba:$x2: IClientNetworkHost 0x15f55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000002.279458357.00000000042D1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.279458357.00000000042D1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1214d:$a: NanoCore 0x1215d:$a: NanoCore 0x12391:$a: NanoCore 0x123a5:$a: NanoCore 0x123e5:$a: NanoCore 0x7c6a5:$a: NanoCore 0x7c6fe:$a: NanoCore 0x7c73b:$a: NanoCore 0x7c7b4:$a: NanoCore 0x8fe5f:$a: NanoCore 0x8fe74:$a: NanoCore 0x8fea9:$a: NanoCore 0xa8e43:$a: NanoCore 0xa8e58:$a: NanoCore 0xa8e8d:$a: NanoCore 0x121ac:$b: ClientPlugin 0x123ae:$b: ClientPlugin 0x123ee:$b: ClientPlugin 0x7c707:$b: ClientPlugin 0x7c744:$b: ClientPlugin 0x7d042:$b: ClientPlugin
0000000C.00000002.255480144.00000000057B2000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.255480144.00000000057B2000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.255480144.00000000057B2000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000013.00000002.273459332.0000000003EC1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x123e5:$x1: NanoCore.ClientPluginHost 0x7c73b:$x1: NanoCore.ClientPluginHost 0x8fea9:$x1: NanoCore.ClientPluginHost 0xa8e8d:$x1: NanoCore.ClientPluginHost 0x12422:$x2: IClientNetworkHost 0x7c755:$x2: IClientNetworkHost 0x8fed6:$x2: IClientNetworkHost 0xa8eba:$x2: IClientNetworkHost 0x15f55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000002.273459332.0000000003EC1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.273459332.0000000003EC1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1214d:$a: NanoCore 0x1215d:$a: NanoCore 0x12391:$a: NanoCore 0x123a5:$a: NanoCore 0x123e5:$a: NanoCore 0x7c6a5:$a: NanoCore 0x7c6fe:$a: NanoCore 0x7c73b:$a: NanoCore 0x7c7b4:$a: NanoCore 0x8fe5f:$a: NanoCore 0x8fe74:$a: NanoCore 0x8fea9:$a: NanoCore 0xa8e43:$a: NanoCore 0xa8e58:$a: NanoCore 0xa8e8d:$a: NanoCore 0x121ac:$b: ClientPlugin 0x123ae:$b: ClientPlugin 0x123ee:$b: ClientPlugin 0x7c707:$b: ClientPlugin 0x7c744:$b: ClientPlugin 0x7d042:$b: ClientPlugin
00000013.00000002.270080502.0000000002970000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000002.270080502.0000000002970000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
00000013.00000002.270080502.0000000002970000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.270080502.0000000002970000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
00000013.00000002.269469613.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000002.269469613.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
00000013.00000002.269469613.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.269469613.0000000000400000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
00000015.00000002.278607358.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000002.278607358.0000000000400000.00000040.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
00000015.00000002.278607358.0000000000400000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.278607358.0000000000400000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
00000015.00000002.278916305.0000000001444000.00000004.00000020.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f74d:$x1: NanoCore.ClientPluginHost 0x1f78a:$x2: IClientNetworkHost 0x232bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000002.278916305.0000000001444000.00000004.00000020.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.278916305.0000000001444000.00000004.00000020.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6210:$a: NanoCore 0x1f4b5:$a: NanoCore 0x1f4c5:$a: NanoCore 0x1f6f9:$a: NanoCore 0x1f70d:$a: NanoCore 0x1f74d:$a: NanoCore 0x1f514:$b: ClientPlugin 0x1f716:$b: ClientPlugin 0x1f756:$b: ClientPlugin 0x1f63b:$c: ProjectData 0x20042:$d: DESCrypto 0x27a0e:$e: KeepAlive 0x259fc:$g: LogClientMessage 0x21bf7:$i: get_Connected 0x20378:$j: #=q 0x203a8:$j: #=q 0x203c4:$j: #=q 0x203f4:$j: #=q 0x20410:$j: #=q 0x2042c:$j: #=q 0x2045c:$j: #=q
00000000.00000002.216025049.0000000001890000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.216025049.0000000001890000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
00000000.00000002.216025049.0000000001890000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.216025049.0000000001890000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
00000013.00000002.269644528.0000000000966000.00000004.00000020.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1dfc5:$x1: NanoCore.ClientPluginHost 0x1e002:$x2: IClientNetworkHost 0x21b35:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000002.269644528.0000000000966000.00000004.00000020.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.269644528.0000000000966000.00000004.00000020.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x60b0:$a: NanoCore 0x1dd2d:$a: NanoCore 0x1dd3d:$a: NanoCore 0x1df71:$a: NanoCore 0x1df85:$a: NanoCore 0x1dfc5:$a: NanoCore 0x1dd8c:$b: ClientPlugin 0x1df8e:$b: ClientPlugin 0x1dfce:$b: ClientPlugin 0x1deb3:$c: ProjectData 0x1e8ba:$d: DESCrypto 0x26286:$e: KeepAlive 0x24274:$g: LogClientMessage 0x2046f:$i: get_Connected 0x1ebf0:$j: #=q 0x1ec20:$j: #=q 0x1ec3c:$j: #=q 0x1ec6c:$j: #=q 0x1ec88:$j: #=q 0x1eca4:$j: #=q 0x1ecd4:$j: #=q
0000000D.00000002.250138622.00000000024A0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.250138622.00000000024A0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
0000000D.00000002.250138622.00000000024A0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.250138622.00000000024A0000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
0000000C.00000002.254375322.00000000013D8000.00000004.00000020.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d675:$x1: NanoCore.ClientPluginHost 0x1d6b2:$x2: IClientNetworkHost 0x211e5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.254375322.00000000013D8000.00000004.00000020.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.254375322.00000000013D8000.00000004.00000020.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3ec8:$a: NanoCore 0x1d3dd:$a: NanoCore 0x1d3ed:$a: NanoCore 0x1d621:$a: NanoCore 0x1d635:$a: NanoCore 0x1d675:$a: NanoCore 0x1d43c:$b: ClientPlugin 0x1d63e:$b: ClientPlugin 0x1d67e:$b: ClientPlugin 0x1d563:$c: ProjectData 0x1df6a:$d: DESCrypto 0x25936:$e: KeepAlive 0x23924:$g: LogClientMessage 0x1fb1f:$i: get_Connected 0x1e2a0:$j: #=q 0x1e2d0:$j: #=q 0x1e2ec:$j: #=q 0x1e31c:$j: #=q 0x1e338:$j: #=q 0x1e354:$j: #=q 0x1e384:$j: #=q
0000000C.00000002.255256887.000000000365E000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1965b:$a: NanoCore 0x196b4:$a: NanoCore 0x196f1:$a: NanoCore 0x1976a:$a: NanoCore 0x196bd:$b: ClientPlugin 0x196fa:$b: ClientPlugin 0x19ff8:$b: ClientPlugin 0x1a005:$b: ClientPlugin 0x113cd:$e: KeepAlive 0x19b45:$g: LogClientMessage 0x19ac5:$i: get_Connected 0xb68d:$j: #=q 0xb6bd:$j: #=q 0xb6f9:$j: #=q 0xb721:$j: #=q 0xb751:$j: #=q 0xb781:$j: #=q 0xb7b1:$j: #=q 0xb7e1:$j: #=q 0xb7fd:$j: #=q 0xb82d:$j: #=q
0000000A.00000002.243043280.0000000002970000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000002.243043280.0000000002970000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
0000000A.00000002.243043280.0000000002970000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.243043280.0000000002970000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
0000000C.00000002.255432280.0000000005760000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.255432280.0000000005760000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0000000C.00000002.255432280.0000000005760000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.255432280.0000000005760000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
00000013.00000002.273427338.0000000002ECE000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x19603:$a: NanoCore 0x1965c:$a: NanoCore 0x19699:$a: NanoCore 0x19712:$a: NanoCore 0x19665:$b: ClientPlugin 0x196a2:$b: ClientPlugin 0x19fa0:$b: ClientPlugin 0x19fad:$b: ClientPlugin 0x11375:$e: KeepAlive 0x19aed:$g: LogClientMessage 0x19a6d:$i: get_Connected 0xb635:$j: #=q 0xb665:$j: #=q 0xb6a1:$j: #=q 0xb6c9:$j: #=q 0xb6f9:$j: #=q 0xb729:$j: #=q 0xb759:$j: #=q 0xb789:$j: #=q 0xb7a5:$j: #=q 0xb7d5:$j: #=q
00000002.00000003.223529798.0000000004BEB000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1dc2:$a: NanoCore 0x1de7:$a: NanoCore 0x1e40:$a: NanoCore 0x11fdd:$a: NanoCore 0x12003:$a: NanoCore 0x1205f:$a: NanoCore 0x1eeb4:$a: NanoCore 0x1ef0d:$a: NanoCore 0x1ef40:$a: NanoCore 0x1f16c:$a: NanoCore 0x1f1e8:$a: NanoCore 0x1f801:$a: NanoCore 0x1f94a:$a: NanoCore 0x1fe1e:$a: NanoCore 0x20105:$a: NanoCore 0x2011c:$a: NanoCore 0x234a5:$a: NanoCore 0x2485f:$a: NanoCore 0x248a9:$a: NanoCore 0x25503:$a: NanoCore 0x2aae8:$a: NanoCore
00000009.00000002.239365689.00000000024E0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000002.239365689.00000000024E0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
00000009.00000002.239365689.00000000024E0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000002.239365689.00000000024E0000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
00000013.00000002.270811037.0000000002AD2000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000002.270811037.0000000002AD2000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.270811037.0000000002AD2000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000015.00000002.279548840.0000000005472000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000002.279548840.0000000005472000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000015.00000002.279548840.0000000005472000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000002.255293475.0000000004651000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x123e5:$x1: NanoCore.ClientPluginHost 0x7c73b:$x1: NanoCore.ClientPluginHost 0x8fea9:$x1: NanoCore.ClientPluginHost 0xa8e8d:$x1: NanoCore.ClientPluginHost 0x12422:$x2: IClientNetworkHost 0x7c755:$x2: IClientNetworkHost 0x8fed6:$x2: IClientNetworkHost 0xa8eba:$x2: IClientNetworkHost 0x15f55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.255293475.0000000004651000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.255293475.0000000004651000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1214d:$a: NanoCore 0x1215d:$a: NanoCore 0x12391:$a: NanoCore 0x123a5:$a: NanoCore 0x123e5:$a: NanoCore 0x7c6a5:$a: NanoCore 0x7c6fe:$a: NanoCore 0x7c73b:$a: NanoCore 0x7c7b4:$a: NanoCore 0x8fe5f:$a: NanoCore 0x8fe74:$a: NanoCore 0x8fea9:$a: NanoCore 0xa8e43:$a: NanoCore 0xa8e58:$a: NanoCore 0xa8e8d:$a: NanoCore 0x121ac:$b: ClientPlugin 0x123ae:$b: ClientPlugin 0x123ee:$b: ClientPlugin 0x7c707:$b: ClientPlugin 0x7c744:$b: ClientPlugin 0x7d042:$b: ClientPlugin
00000015.00000002.279433728.00000000032DE000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1965b:$a: NanoCore 0x196b4:$a: NanoCore 0x196f1:$a: NanoCore 0x1976a:$a: NanoCore 0x196bd:$b: ClientPlugin 0x196fa:$b: ClientPlugin 0x19ff8:$b: ClientPlugin 0x1a005:$b: ClientPlugin 0x113cd:$e: KeepAlive 0x19b45:$g: LogClientMessage 0x19ac5:$i: get_Connected 0xb68d:$j: #=q 0xb6bd:$j: #=q 0xb6f9:$j: #=q 0xb721:$j: #=q 0xb751:$j: #=q 0xb781:$j: #=q 0xb7b1:$j: #=q 0xb7e1:$j: #=q 0xb7fd:$j: #=q 0xb82d:$j: #=q
Process Memory Space: dhcpmon.exe PID: 6532	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1c8e:$x1: NanoCore.ClientPluginHost 0x1a7bc:$x1: NanoCore.ClientPluginHost 0x3a590:$x1: NanoCore.ClientPluginHost 0x5c691:$x1: NanoCore.ClientPluginHost 0x62250:$x1: NanoCore.ClientPluginHost 0x735fb:$x1: NanoCore.ClientPluginHost 0x95bb4:$x1: NanoCore.ClientPluginHost 0xbb746:$x1: NanoCore.ClientPluginHost 0xe9e9e:$x1: NanoCore.ClientPluginHost 0x110306:$x1: NanoCore.ClientPluginHost 0x2a59:$x2: IClientNetworkHost 0x1a81d:$x2: IClientNetworkHost 0x3a5f1:$x2: IClientNetworkHost 0x5c6b7:$x2: IClientNetworkHost 0x62295:$x2: IClientNetworkHost 0x73640:$x2: IClientNetworkHost 0x95c15:$x2: IClientNetworkHost 0xbb7a7:$x2: IClientNetworkHost 0xe9eff:$x2: IClientNetworkHost 0x11032c:$x2: IClientNetworkHost 0xedba:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 6532	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6532	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1c8e:$a: NanoCore 0x200f:$a: NanoCore 0x2160:$a: NanoCore 0x11078:$a: NanoCore 0x11167:$a: NanoCore 0x1a2c1:$a: NanoCore 0x1a2dd:$a: NanoCore 0x1a438:$a: NanoCore 0x1a447:$a: NanoCore 0x1a720:$a: NanoCore 0x1a74c:$a: NanoCore 0x1a7bc:$a: NanoCore 0x2a1fe:$a: NanoCore 0x2a210:$a: NanoCore 0x2a24c:$a: NanoCore 0x3a095:$a: NanoCore 0x3a0b1:$a: NanoCore 0x3a20c:$a: NanoCore 0x3a21b:$a: NanoCore 0x3a4f4:$a: NanoCore 0x3a520:$a: NanoCore
Process Memory Space: Package_details.exe PID: 4156	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x33732:$a: NanoCore 0xb1f87:$a: NanoCore 0xf3b59:$a: NanoCore 0xf8fec:$a: NanoCore 0x160cc7:$a: NanoCore 0x27757c:$a: NanoCore 0x28192f:$a: NanoCore 0x28196c:$a: NanoCore 0x2819f5:$a: NanoCore 0x286d8d:$a: NanoCore 0x286db0:$a: NanoCore 0x286e05:$a: NanoCore 0x28c248:$a: NanoCore 0x28c286:$a: NanoCore 0x28c312:$a: NanoCore 0x296caf:$a: NanoCore 0x296cd3:$a: NanoCore 0x296d2b:$a: NanoCore 0x29e947:$a: NanoCore 0x29e9e8:$a: NanoCore 0x29ea4b:$a: NanoCore
Process Memory Space: Package_details.exe PID: 5804	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x12f315:$x1: NanoCore.ClientPluginHost 0x12f376:$x2: IClientNetworkHost 0x13477b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1426ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Package_details.exe PID: 5804	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Package_details.exe PID: 5804	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x12ee1a:$a: NanoCore 0x12ee36:$a: NanoCore 0x12ef91:$a: NanoCore 0x12efa0:$a: NanoCore 0x12f279:$a: NanoCore 0x12f2a5:$a: NanoCore 0x12f315:$a: NanoCore 0x13ed57:$a: NanoCore 0x13ed69:$a: NanoCore 0x13eda5:$a: NanoCore 0x12eec1:$b: ClientPlugin 0x12efea:$b: ClientPlugin 0x12f2ae:$b: ClientPlugin 0x12f31e:$b: ClientPlugin 0x13ed72:$b: ClientPlugin 0x13edae:$b: ClientPlugin 0x12f137:$c: ProjectData 0x13eca4:$c: ProjectData 0x130273:$d: DESCrypto 0x13f602:$d: DESCrypto 0x13a600:$e: KeepAlive
Process Memory Space: dhcpmon.exe PID: 4604	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe7632:$x1: NanoCore.ClientPluginHost 0xe7693:$x2: IClientNetworkHost 0xeca98:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xfaa0a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 4604	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 4604	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe7137:$a: NanoCore 0xe7153:$a: NanoCore 0xe72ae:$a: NanoCore 0xe72bd:$a: NanoCore 0xe7596:$a: NanoCore 0xe75c2:$a: NanoCore 0xe7632:$a: NanoCore 0xf7074:$a: NanoCore 0xf7086:$a: NanoCore 0xf70c2:$a: NanoCore 0xe71de:$b: ClientPlugin 0xe7307:$b: ClientPlugin 0xe75cb:$b: ClientPlugin 0xe763b:$b: ClientPlugin 0xf708f:$b: ClientPlugin 0xf70cb:$b: ClientPlugin 0xe7454:$c: ProjectData 0xf6fc1:$c: ProjectData 0xe8590:$d: DESCrypto 0xf791f:$d: DESCrypto 0xf291d:$e: KeepAlive
Process Memory Space: dhcpmon.exe PID: 5712	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2473:$x1: NanoCore.ClientPluginHost 0x20303:$x1: NanoCore.ClientPluginHost 0x46c3a:$x1: NanoCore.ClientPluginHost 0x7a7e7:$x1: NanoCore.ClientPluginHost 0xb7c8e:$x1: NanoCore.ClientPluginHost 0xd9fd1:$x1: NanoCore.ClientPluginHost 0xfc0be:$x1: NanoCore.ClientPluginHost 0x101c7d:$x1: NanoCore.ClientPluginHost 0x113026:$x1: NanoCore.ClientPluginHost 0x323e:$x2: IClientNetworkHost 0x20364:$x2: IClientNetworkHost 0x46c9b:$x2: IClientNetworkHost 0x7a80d:$x2: IClientNetworkHost 0xb7cef:$x2: IClientNetworkHost 0xda032:$x2: IClientNetworkHost 0xfc0e4:$x2: IClientNetworkHost 0x101cc2:$x2: IClientNetworkHost 0x11306b:$x2: IClientNetworkHost 0xf59f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x25769:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x336db:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 5712	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 5712	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2473:$a: NanoCore 0x27f4:$a: NanoCore 0x2945:$a: NanoCore 0x1185d:$a: NanoCore 0x1194c:$a: NanoCore 0x1fe08:$a: NanoCore 0x1fe24:$a: NanoCore 0x1ff7f:$a: NanoCore 0x1ff8e:$a: NanoCore 0x20267:$a: NanoCore 0x20293:$a: NanoCore 0x20303:$a: NanoCore 0x2fd45:$a: NanoCore 0x2fd57:$a: NanoCore 0x2fd93:$a: NanoCore 0x428b1:$a: NanoCore 0x42937:$a: NanoCore 0x42ad4:$a: NanoCore 0x4673f:$a: NanoCore 0x4675b:$a: NanoCore 0x468b6:$a: NanoCore
Process Memory Space: Package_details.exe PID: 2140	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xdb30c:$x1: NanoCore.ClientPluginHost 0xdb36d:$x2: IClientNetworkHost 0xe0772:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xee6e4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Package_details.exe PID: 2140	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Package_details.exe PID: 2140	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xdae11:$a: NanoCore 0xdae2d:$a: NanoCore 0xdaf88:$a: NanoCore 0xdaf97:$a: NanoCore 0xdb270:$a: NanoCore 0xdb29c:$a: NanoCore 0xdb30c:$a: NanoCore 0xead4e:$a: NanoCore 0xead60:$a: NanoCore 0xead9c:$a: NanoCore 0xdaeb8:$b: ClientPlugin 0xdafe1:$b: ClientPlugin 0xdb2a5:$b: ClientPlugin 0xdb315:$b: ClientPlugin 0xead69:$b: ClientPlugin 0xeada5:$b: ClientPlugin 0xdb12e:$c: ProjectData 0xeac9b:$c: ProjectData 0xdc26a:$d: DESCrypto 0xeb5f9:$d: DESCrypto 0xe65f7:$e: KeepAlive
Process Memory Space: dhcpmon.exe PID: 4112	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1326d1:$x1: NanoCore.ClientPluginHost 0x132732:$x2: IClientNetworkHost 0x137b37:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x145aa9:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 4112	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 4112	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1321d6:$a: NanoCore 0x1321f2:$a: NanoCore 0x13234d:$a: NanoCore 0x13235c:$a: NanoCore 0x132635:$a: NanoCore 0x132661:$a: NanoCore 0x1326d1:$a: NanoCore 0x142113:$a: NanoCore 0x142125:$a: NanoCore 0x142161:$a: NanoCore 0x13227d:$b: ClientPlugin 0x1323a6:$b: ClientPlugin 0x13266a:$b: ClientPlugin 0x1326da:$b: ClientPlugin 0x14212e:$b: ClientPlugin 0x14216a:$b: ClientPlugin 0x1324f3:$c: ProjectData 0x142060:$c: ProjectData 0x13362f:$d: DESCrypto 0x1429be:$d: DESCrypto 0x13d9bc:$e: KeepAlive
Process Memory Space: Package_details.exe PID: 6304	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1c8e:$x1: NanoCore.ClientPluginHost 0x1b533:$x1: NanoCore.ClientPluginHost 0x3d5be:$x1: NanoCore.ClientPluginHost 0x4317d:$x1: NanoCore.ClientPluginHost 0x54511:$x1: NanoCore.ClientPluginHost 0x634ad:$x1: NanoCore.ClientPluginHost 0x877fa:$x1: NanoCore.ClientPluginHost 0xf590a:$x1: NanoCore.ClientPluginHost 0x10299d:$x1: NanoCore.ClientPluginHost 0x2a59:$x2: IClientNetworkHost 0x1b594:$x2: IClientNetworkHost 0x3d5e4:$x2: IClientNetworkHost 0x431c2:$x2: IClientNetworkHost 0x54556:$x2: IClientNetworkHost 0x6350e:$x2: IClientNetworkHost 0x8785b:$x2: IClientNetworkHost 0xf5930:$x2: IClientNetworkHost 0x1029fe:$x2: IClientNetworkHost 0xf4c9:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x20999:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2e90b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Package_details.exe PID: 6304	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Package_details.exe PID: 6304	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1c8e:$a: NanoCore 0x200f:$a: NanoCore 0x2160:$a: NanoCore 0x117c8:$a: NanoCore 0x118b7:$a: NanoCore 0x1b038:$a: NanoCore 0x1b054:$a: NanoCore 0x1b1af:$a: NanoCore 0x1b1be:$a: NanoCore 0x1b497:$a: NanoCore 0x1b4c3:$a: NanoCore 0x1b533:$a: NanoCore 0x2af75:$a: NanoCore 0x2af87:$a: NanoCore 0x2afc3:$a: NanoCore 0x3d4b0:$a: NanoCore 0x3d551:$a: NanoCore 0x3d5be:$a: NanoCore 0x3d67f:$a: NanoCore 0x3e550:$a: NanoCore 0x3e5a3:$a: NanoCore
Click to see the 96 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.dhcpmon.exe.5760000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.dhcpmon.exe.5760000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
12.2.dhcpmon.exe.5760000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.dhcpmon.exe.5760000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
19.2.Package_details.exe.2970000.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.Package_details.exe.2970000.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
19.2.Package_details.exe.2970000.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.Package_details.exe.2970000.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
14.2.Package_details.exe.1110000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.Package_details.exe.1110000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d75d:$x1: NanoCore Client.exe 0x1d9e5:$x2: NanoCore.ClientPluginHost 0x1f01e:$s1: PluginCommand 0x1f012:$s2: FileCommand 0x1fec3:$s3: PipeExists 0x25c7a:$s4: PipeCreated 0x1da0f:$s5: IClientLoggingHost
14.2.Package_details.exe.1110000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.Package_details.exe.1110000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
9.2.Package_details.exe.24e0000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.Package_details.exe.24e0000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
9.2.Package_details.exe.24e0000.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.Package_details.exe.24e0000.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
13.2.dhcpmon.exe.24a0000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.dhcpmon.exe.24a0000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d75d:$x1: NanoCore Client.exe 0x1d9e5:$x2: NanoCore.ClientPluginHost 0x1f01e:$s1: PluginCommand 0x1f012:$s2: FileCommand 0x1fec3:$s3: PipeExists 0x25c7a:$s4: PipeCreated 0x1da0f:$s5: IClientLoggingHost
18.2.dhcpmon.exe.ba0000.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
18.2.dhcpmon.exe.ba0000.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
13.2.dhcpmon.exe.24a0000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.dhcpmon.exe.ba0000.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.dhcpmon.exe.ba0000.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
13.2.dhcpmon.exe.24a0000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
10.2.dhcpmon.exe.2970000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.dhcpmon.exe.2970000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
10.2.dhcpmon.exe.2970000.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.dhcpmon.exe.2970000.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
21.2.dhcpmon.exe.5470000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.dhcpmon.exe.5470000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.2.dhcpmon.exe.5470000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.dhcpmon.exe.5470000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
19.2.Package_details.exe.400000.0.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.Package_details.exe.400000.0.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
19.2.Package_details.exe.400000.0.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.Package_details.exe.400000.0.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
0.2.Package_details.exe.1890000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Package_details.exe.1890000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d75d:$x1: NanoCore Client.exe 0x1d9e5:$x2: NanoCore.ClientPluginHost 0x1f01e:$s1: PluginCommand 0x1f012:$s2: FileCommand 0x1fec3:$s3: PipeExists 0x25c7a:$s4: PipeCreated 0x1da0f:$s5: IClientLoggingHost
0.2.Package_details.exe.1890000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Package_details.exe.1890000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
12.2.dhcpmon.exe.400000.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.dhcpmon.exe.400000.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
12.2.dhcpmon.exe.400000.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.dhcpmon.exe.400000.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
21.2.dhcpmon.exe.400000.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x251e5:$x1: NanoCore.ClientPluginHost 0x25222:$x2: IClientNetworkHost 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.dhcpmon.exe.400000.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x24f5d:$x1: NanoCore Client.exe 0x251e5:$x2: NanoCore.ClientPluginHost 0x2681e:$s1: PluginCommand 0x26812:$s2: FileCommand 0x276c3:$s3: PipeExists 0x2d47a:$s4: PipeCreated 0x2520f:$s5: IClientLoggingHost
21.2.dhcpmon.exe.400000.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.dhcpmon.exe.400000.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x24f4d:$a: NanoCore 0x24f5d:$a: NanoCore 0x25191:$a: NanoCore 0x251a5:$a: NanoCore 0x251e5:$a: NanoCore 0x24fac:$b: ClientPlugin 0x251ae:$b: ClientPlugin 0x251ee:$b: ClientPlugin 0x250d3:$c: ProjectData 0x25ada:$d: DESCrypto 0x2d4a6:$e: KeepAlive 0x2b494:$g: LogClientMessage 0x2768f:$i: get_Connected 0x25e10:$j: #=q 0x25e40:$j: #=q 0x25e5c:$j: #=q 0x25e8c:$j: #=q 0x25ea8:$j: #=q 0x25ec4:$j: #=q 0x25ef4:$j: #=q 0x25f10:$j: #=q
21.2.dhcpmon.exe.2f10000.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.dhcpmon.exe.2f10000.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
21.2.dhcpmon.exe.2f10000.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.dhcpmon.exe.2f10000.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
18.2.dhcpmon.exe.ba0000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
18.2.dhcpmon.exe.ba0000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d75d:$x1: NanoCore Client.exe 0x1d9e5:$x2: NanoCore.ClientPluginHost 0x1f01e:$s1: PluginCommand 0x1f012:$s2: FileCommand 0x1fec3:$s3: PipeExists 0x25c7a:$s4: PipeCreated 0x1da0f:$s5: IClientLoggingHost
18.2.dhcpmon.exe.ba0000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
18.2.dhcpmon.exe.ba0000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
13.2.dhcpmon.exe.24a0000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.dhcpmon.exe.24a0000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
13.2.dhcpmon.exe.24a0000.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.dhcpmon.exe.24a0000.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
19.2.Package_details.exe.2970000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.Package_details.exe.2970000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
19.2.Package_details.exe.2970000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.Package_details.exe.2970000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.dhcpmon.exe.5760000.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.dhcpmon.exe.5760000.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.2.dhcpmon.exe.5760000.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.dhcpmon.exe.5760000.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
19.2.Package_details.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.Package_details.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
19.2.Package_details.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.Package_details.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
10.2.dhcpmon.exe.2970000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.dhcpmon.exe.2970000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d75d:$x1: NanoCore Client.exe 0x1d9e5:$x2: NanoCore.ClientPluginHost 0x1f01e:$s1: PluginCommand 0x1f012:$s2: FileCommand 0x1fec3:$s3: PipeExists 0x25c7a:$s4: PipeCreated 0x1da0f:$s5: IClientLoggingHost
10.2.dhcpmon.exe.2970000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.dhcpmon.exe.2970000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
0.2.Package_details.exe.1890000.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Package_details.exe.1890000.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
0.2.Package_details.exe.1890000.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Package_details.exe.1890000.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
14.2.Package_details.exe.1110000.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.Package_details.exe.1110000.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
14.2.Package_details.exe.1110000.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.Package_details.exe.1110000.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
12.2.dhcpmon.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.dhcpmon.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
12.2.dhcpmon.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.dhcpmon.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
9.2.Package_details.exe.24e0000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d9e5:$x1: NanoCore.ClientPluginHost 0x1da22:$x2: IClientNetworkHost 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.Package_details.exe.24e0000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d75d:$x1: NanoCore Client.exe 0x1d9e5:$x2: NanoCore.ClientPluginHost 0x1f01e:$s1: PluginCommand 0x1f012:$s2: FileCommand 0x1fec3:$s3: PipeExists 0x25c7a:$s4: PipeCreated 0x1da0f:$s5: IClientLoggingHost
9.2.Package_details.exe.24e0000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.Package_details.exe.24e0000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d74d:$a: NanoCore 0x1d75d:$a: NanoCore 0x1d991:$a: NanoCore 0x1d9a5:$a: NanoCore 0x1d9e5:$a: NanoCore 0x1d7ac:$b: ClientPlugin 0x1d9ae:$b: ClientPlugin 0x1d9ee:$b: ClientPlugin 0x1d8d3:$c: ProjectData 0x1e2da:$d: DESCrypto 0x25ca6:$e: KeepAlive 0x23c94:$g: LogClientMessage 0x1fe8f:$i: get_Connected 0x1e610:$j: #=q 0x1e640:$j: #=q 0x1e65c:$j: #=q 0x1e68c:$j: #=q 0x1e6a8:$j: #=q 0x1e6c4:$j: #=q 0x1e6f4:$j: #=q 0x1e710:$j: #=q
12.2.dhcpmon.exe.57b0000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.dhcpmon.exe.57b0000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.2.dhcpmon.exe.57b0000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.dhcpmon.exe.57b0000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
21.2.dhcpmon.exe.400000.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x215e5:$x1: NanoCore.ClientPluginHost 0x21622:$x2: IClientNetworkHost 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.dhcpmon.exe.400000.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2135d:$x1: NanoCore Client.exe 0x215e5:$x2: NanoCore.ClientPluginHost 0x22c1e:$s1: PluginCommand 0x22c12:$s2: FileCommand 0x23ac3:$s3: PipeExists 0x2987a:$s4: PipeCreated 0x2160f:$s5: IClientLoggingHost
21.2.dhcpmon.exe.400000.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.dhcpmon.exe.400000.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2134d:$a: NanoCore 0x2135d:$a: NanoCore 0x21591:$a: NanoCore 0x215a5:$a: NanoCore 0x215e5:$a: NanoCore 0x213ac:$b: ClientPlugin 0x215ae:$b: ClientPlugin 0x215ee:$b: ClientPlugin 0x214d3:$c: ProjectData 0x21eda:$d: DESCrypto 0x298a6:$e: KeepAlive 0x27894:$g: LogClientMessage 0x23a8f:$i: get_Connected 0x22210:$j: #=q 0x22240:$j: #=q 0x2225c:$j: #=q 0x2228c:$j: #=q 0x222a8:$j: #=q 0x222c4:$j: #=q 0x222f4:$j: #=q 0x22310:$j: #=q
21.2.dhcpmon.exe.2f10000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
21.2.dhcpmon.exe.2f10000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
21.2.dhcpmon.exe.2f10000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
21.2.dhcpmon.exe.2f10000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
19.2.Package_details.exe.2ad0000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.Package_details.exe.2ad0000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
19.2.Package_details.exe.2ad0000.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.Package_details.exe.2ad0000.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
Click to see the 103 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Package_details.exe, ProcessId: 4156, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp30A7.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp30A7.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\Package_details.exe, ParentImage: C:\Users\user\Desktop\Package_details.exe, ParentProcessId: 4156, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp30A7.tmp', ProcessId: 5592

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Virustotal: Detection: 34%			Perma Link
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	ReversingLabs: Detection: 25%

Multi AV Scanner detection for submitted file

Show sources

Source: Package_details.exe

ReversingLabs: Detection: 25%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000C.00000002.254234385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.279047270.0000000002F10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.265645463.0000000000BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.256685765.0000000001110000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.279458357.00000000042D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.255480144.00000000057B2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.273459332.0000000003EC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.270080502.0000000002970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.269469613.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.278607358.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.278916305.0000000001444000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.216025049.0000000001890000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.269644528.0000000000966000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.250138622.00000000024A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.254375322.00000000013D8000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.243043280.0000000002970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.255432280.0000000005760000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.239365689.00000000024E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.270811037.0000000002AD2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.279548840.0000000005472000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.255293475.0000000004651000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6532, type: MEMORY
Source: Yara match	File source: Process Memory Space: Package_details.exe PID: 5804, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4604, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5712, type: MEMORY
Source: Yara match	File source: Process Memory Space: Package_details.exe PID: 2140, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 4112, type: MEMORY
Source: Yara match	File source: Process Memory Space: Package_details.exe PID: 6304, type: MEMORY
Source: Yara match	File source: 12.2.dhcpmon.exe.5760000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Package_details.exe.2970000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Package_details.exe.1110000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Package_details.exe.24e0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.ba0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.dhcpmon.exe.2970000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.5470000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Package_details.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Package_details.exe.1890000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.2f10000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.dhcpmon.exe.ba0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Package_details.exe.2970000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.5760000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Package_details.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.dhcpmon.exe.2970000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Package_details.exe.1890000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.Package_details.exe.1110000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.Package_details.exe.24e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.57b0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.dhcpmon.exe.2f10000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Package_details.exe.2ad0000.3.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\AppData\sysfonts.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Package_details.exe

Joe Sandbox ML: detected

Source: 0.2.Package_details.exe.3160000.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.dhcpmon.exe.2420000.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.Package_details.exe.25c0000.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 21.2.dhcpmon.exe.5470000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.Package_details.exe.1910000.3.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 14.2.Package_details.exe.2fb0000.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 10.2.dhcpmon.exe.df0000.2.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 14.2.Package_details.exe.2db0000.3.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 19.2.Package_details.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 18.2.dhcpmon.exe.2a40000.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.dhcpmon.exe.2600000.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 12.2.dhcpmon.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.dhcpmon.exe.57b0000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.Package_details.exe.d10000.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 10.2.dhcpmon.exe.2ae0000.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 21.2.dhcpmon.exe.400000.1.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 18.2.dhcpmon.exe.1040000.3.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 19.2.Package_details.exe.2ad0000.3.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 12_2_00404A29 FindFirstFileExW,
Source: C:\Users\user\Desktop\Package_details.exe	Code function: 19_2_00404A29 FindFirstFileExW,
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 21_2_00404A29 FindFirstFileExW,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49706 -> 209.159.151.5:24980

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 209.159.151.5 ports 0,2,4,24980,8,9

Source: global traffic

TCP traffic: 192.168.2.3:49706 -> 209.159.151.5:24980

Source: Joe Sandbox View

ASN Name: IS-AS-1US IS-AS-1US

Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5
Source: unknown	TCP traffic detected without corresponding DNS query: 209.159.151.5

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Package_details.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Spreading:

Networking: