Analysis Report 4yGRcXEf.exe

Overview

General Information

Sample Name: 4yGRcXEf.exe
Analysis ID: 321681
MD5: 87e77797615466baa21cde3f7bb347f2
SHA1: 9cd228af2ea1f503fe76ed0ead2cfaab8ce7f08a
SHA256: d50a35f05df59b5b35e07dd204e5312629b3670b09da6801c56f89c5aef8ff6b
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
Uses dynamic DNS services
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample file is different than original file name gathered from version info
Yara signature match

Startup

  • System is w10x64
  • 4yGRcXEf.exe (PID: 6748 cmdline: 'C:\Users\user\Desktop\4yGRcXEf.exe' MD5: 87E77797615466BAA21CDE3F7BB347F2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
4yGRcXEf.exe | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4yGRcXEf.exe | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
4yGRcXEf.exe | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
4yGRcXEf.exe | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x5cc77:$a: NanoCore
  • 0x5cc9c:$a: NanoCore
  • 0x5ccf5:$a: NanoCore
  • 0x6ce94:$a: NanoCore
  • 0x6ceba:$a: NanoCore
  • 0x6cf16:$a: NanoCore
  • 0x79d6d:$a: NanoCore
  • 0x79dc6:$a: NanoCore
  • 0x79df9:$a: NanoCore
  • 0x7a025:$a: NanoCore
  • 0x7a0a1:$a: NanoCore
  • 0x7a6ba:$a: NanoCore
  • 0x7a803:$a: NanoCore
  • 0x7acd7:$a: NanoCore
  • 0x7afbe:$a: NanoCore
  • 0x7afd5:$a: NanoCore
  • 0x83e79:$a: NanoCore
  • 0x83ef5:$a: NanoCore
  • 0x867d8:$a: NanoCore
  • 0x8bda1:$a: NanoCore
  • 0x8be1b:$a: NanoCore
Process Memory Space: 4yGRcXEf.exe PID: 6748 | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x16ecd8:$x1: NanoCore.ClientPluginHost
  • 0x20fc2b:$x1: NanoCore.ClientPluginHost
  • 0x21a545:$x1: NanoCore.ClientPluginHost
  • 0x22d0c0:$x1: NanoCore.ClientPluginHost
  • 0x23010f:$x1: NanoCore.ClientPluginHost
  • 0x2354c3:$x1: NanoCore.ClientPluginHost
  • 0x238918:$x1: NanoCore.ClientPluginHost
  • 0x23b503:$x1: NanoCore.ClientPluginHost
  • 0x2426a7:$x1: NanoCore.ClientPluginHost
  • 0x247502:$x1: NanoCore.ClientPluginHost
  • 0x253cdc:$x1: NanoCore.ClientPluginHost
  • 0x26f67c:$x1: NanoCore.ClientPluginHost
  • 0x27e037:$x1: NanoCore.ClientPluginHost
  • 0x16ed39:$x2: IClientNetworkHost
  • 0x20fc6d:$x2: IClientNetworkHost
  • 0x21a58a:$x2: IClientNetworkHost
  • 0x22d11d:$x2: IClientNetworkHost
  • 0x23016c:$x2: IClientNetworkHost
  • 0x235520:$x2: IClientNetworkHost
  • 0x23b76f:$x2: IClientNetworkHost
  • 0x242704:$x2: IClientNetworkHost

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.4yGRcXEf.exe.2b0000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.0.4yGRcXEf.exe.2b0000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
0.0.4yGRcXEf.exe.2b0000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.0.4yGRcXEf.exe.2b0000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\4yGRcXEf.exe, ProcessId: 6748, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 4yGRcXEf.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: 4yGRcXEf.exe | Virustotal: Detection: 77%
Yara detected Nanocore RAT
Source: Yara match | File source: 4yGRcXEf.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4yGRcXEf.exe PID: 6748, type: MEMORY
Source: Yara match | File source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 4yGRcXEf.exe | Joe Sandbox ML: detected
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49714 -> 79.134.225.77:3606
Uses dynamic DNS services
Source: unknown | DNS query: name: poseidon99.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.5:49714 -> 79.134.225.77:3606
Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
Source: unknown | DNS traffic detected: queries for: poseidon99.duckdns.org
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | String found in binary or memory: http://google.com

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 4yGRcXEf.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4yGRcXEf.exe PID: 6748, type: MEMORY
Source: Yara match | File source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4yGRcXEf.exe, type: SAMPLE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4yGRcXEf.exe, type: SAMPLE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: 4yGRcXEf.exe PID: 6748, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: 4yGRcXEf.exe PID: 6748, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs 4yGRcXEf.exe
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs 4yGRcXEf.exe
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs 4yGRcXEf.exe
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs 4yGRcXEf.exe
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs 4yGRcXEf.exe
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs 4yGRcXEf.exe
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs 4yGRcXEf.exe
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs 4yGRcXEf.exe
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs 4yGRcXEf.exe
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs 4yGRcXEf.exe
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs 4yGRcXEf.exe
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs 4yGRcXEf.exe
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs 4yGRcXEf.exe
Source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs 4yGRcXEf.exe
Source: 4yGRcXEf.exe, type: SAMPLE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4yGRcXEf.exe, type: SAMPLE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4yGRcXEf.exe, type: SAMPLE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: 4yGRcXEf.exe PID: 6748, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: 4yGRcXEf.exe PID: 6748, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4yGRcXEf.exe | Static PE information: Section: .rsrc ZLIB complexity 0.996569113757
Source: 4yGRcXEf.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 4yGRcXEf.exe, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 4yGRcXEf.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4yGRcXEf.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4yGRcXEf.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/4@2/1
Source: C:\Users\user\Desktop\4yGRcXEf.exe | File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{fc89967f-3919-4601-99a8-f8b96018b643}
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: 4yGRcXEf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 4yGRcXEf.exe | Virustotal: Detection: 77%
Source: C:\Users\user\Desktop\4yGRcXEf.exe | File read: C:\Users\user\Desktop\4yGRcXEf.exe
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\4yGRcXEf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: 4yGRcXEf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\4yGRcXEf.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb | source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb | source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb | source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb | source: 4yGRcXEf.exe, 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: 4yGRcXEf.exe, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4yGRcXEf.exe, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4yGRcXEf.exe, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4yGRcXEf.exe, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\4yGRcXEf.exe | File opened: C:\Users\user\Desktop\4yGRcXEf.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information set: NOOPENFILEERRORBOX (45 identical entries)
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Window / User API: threadDelayed 795
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Window / User API: threadDelayed 583
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Window / User API: foregroundWindowGot 699
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Window / User API: foregroundWindowGot 704
Source: C:\Users\user\Desktop\4yGRcXEf.exe TID: 6780 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\4yGRcXEf.exe TID: 6776 | Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Memory allocated: page read and write | page guard
Source: 4yGRcXEf.exe, 00000000.00000003.232009545.00000000009AD000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\4yGRcXEf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\4yGRcXEf.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\4yGRcXEf.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\4yGRcXEf.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        Yara detected Nanocore RAT
        Source: Yara match | File source: 4yGRcXEf.exe, type: SAMPLE
        Source: Yara match | File source: 00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: 4yGRcXEf.exe PID: 6748, type: MEMORY
        Source: Yara match | File source: 0.0.4yGRcXEf.exe.2b0000.0.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Detected Nanocore Rat
        Source: 4yGRcXEf.exe, 00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
        Source: 4yGRcXEf.exe | String found in binary or memory: NanoCore.ClientPluginHost

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Windows Management Instrumentation1 | Path Interception | Process Injection1 | Masquerading1 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Non-Standard Port1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion2 | LSASS Memory | Virtualization/Sandbox Evasion2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Remote Access Software1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection1 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol11 | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | System Information Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing12 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

        Behavior Graph


        Screenshots


        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        4yGRcXEf.exe | 78% | Virustotal |
        4yGRcXEf.exe | 100% | Avira | TR/Dropper.MSIL.Gen7
        4yGRcXEf.exe | 100% | Joe Sandbox ML |

        Dropped Files

        No Antivirus matches

        Unpacked PE Files

        Source | Detection | Scanner | Label
        0.0.4yGRcXEf.exe.2b0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

        Domains

        Source | Detection | Scanner | Label
        poseidon99.duckdns.org | 1% | Virustotal |

        URLs

        No Antivirus matches

        Domains and IPs

        Contacted Domains

        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        poseidon99.duckdns.org | 79.134.225.77 | true | true | | unknown
        g.msn.com | unknown | unknown | false | | high

          Contacted IPs


          Public

          IP | Domain | Country | ASN | ASN Name | Malicious
          79.134.225.77 | unknown | Switzerland | 6775 | FINK-TELECOM-SERVICESCH | true

          General Information

          Joe Sandbox Version: 31.0.0 Red Diamond
          Analysis ID: 321681
          Start date: 23.11.2020
          Start time: 14:48:24
          Joe Sandbox Product: CloudBasic
          Overall analysis duration: 0h 4m 28s
          Hypervisor based Inspection enabled: false
          Report type: light
          Sample file name: 4yGRcXEf.exe
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
          Number of new started processes analysed: 18
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Detection: MAL
          Classification: mal100.troj.evad.winEXE@1/4@2/1
          EGA Information: Failed
          HDC Information: Failed
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Adjust boot time
          • Enable AMSI
          • Found application associated with file extension: .exe
          Warnings:
          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
          • TCP Packets have been reduced to 100
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 104.42.151.234, 104.43.139.144, 52.255.188.83, 23.210.248.85, 51.104.144.132, 20.54.26.129, 67.26.83.254, 8.248.131.254, 67.26.81.254, 8.253.95.121, 8.241.9.126, 40.67.254.36, 51.104.139.180, 52.142.114.176, 92.122.213.247, 92.122.213.194
          • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, par02p.wns.notify.windows.com.akadns.net, db5p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.

          Simulations

          Behavior and APIs

          Time | Type | Description
          14:49:13 | API Interceptor | 1051x Sleep call for process: 4yGRcXEf.exe modified

          Joe Sandbox View / Context

          IPs

          Match | Associated Sample Name / URL | Detection
          79.134.225.77 | v#Uacac#Uc801#Uc694#Uccad_#Ud574#Uc131 _PO_55956999.exe | malicious
           | Transacion_CUS_REF_referencia es 000008223084566.vbe | malicious
           | https://onedrive.live.com/download?cid=7FA2284F7D5167FA&resid=7FA2284F7D5167FA%21107&authkey=AIqIeyp5gnwLAeY | malicious

                Domains

                No context

                ASN

                Match | Associated Sample Name / URL | Detection | Context
                FINK-TELECOM-SERVICESCH | ORDER #201120A.exe | malicious | 79.134.225.92
                 | sSz5RnWs7F.exe | malicious | 79.134.225.40
                 | Scan_202011200113(1)xls.exe | malicious | 79.134.225.9
                 | 3CAUxk3Je9.exe | malicious | 79.134.225.40
                 | Fl0aIIH39W.exe | malicious | 79.134.225.40
                 | NEW ORDER_8876630.exe | malicious | 79.134.225.9
                 | 9Pimjl3jyq.exe | malicious | 79.134.225.40
                 | 7tRM7RUC.exe | malicious | 79.134.225.99
                 | PURCHASE_ORDER.exe | malicious | 79.134.225.87
                 | YW2l1lBx5p2U84V.exe | malicious | 79.134.225.54
                 | ORDER #201006.exe | malicious | 79.134.225.92
                 | 2HchQQHbc3.exe | malicious | 79.134.225.40
                 | https://uc13b1859d0dd1d287abe11849bc.dl.dropboxusercontent.com/cd/0/get/BDYpKT2DghcT8k6q6ivr3Z10tH2fIzZ-quVnhNkvIaMzr65_x9Jb73dlKfp9-u2XxKjvY5mHqB-sTtfsf3X_DzOrS8DLCyWkeoM0ivsy2MmAb_UnT8m5tcbdlCmtPw__0Gg/file?dl=1 | malicious | 79.134.225.8
                 | JfBrVoAbZJ.exe | malicious | 79.134.225.12
                 | hLP6IkkrSG.exe | malicious | 79.134.225.45
                 | Payment Confirmation NOV-85869983TGTTAS.exe | malicious | 79.134.225.14
                 | P9hBKKQw3T.exe | malicious | 79.134.225.110
                 | uqR1VNxNJn.exe | malicious | 79.134.225.52
                 | ORDER-#00654.doc.....exe | malicious | 79.134.225.92
                 | 7GAi7ZFQz8.exe | malicious | 79.134.225.92

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                Process: C:\Users\user\Desktop\4yGRcXEf.exe
                File Type: data
                Category: dropped
                Size (bytes): 248
                Entropy (8bit): 7.094528505897445
                Encrypted: false
                SSDEEP: 6:X4LDAnybgCFcpJSQwP4d7r3l3TmKEt5mT1DhFtMhXvvHOxHB3GDq:X4LEnybgCFCtvd7bl3ThE4T19FtMhXvs
                MD5: 061E700FE27D852034A5A44BF5985CCF
                SHA1: 15B072DE6D6FDD92AE36F074345FA41985833E8D
                SHA-256: 4BBB88AF530693EB4A710B0591D4BAF585837242C5690F5A821BF2FC9CC587CD
                SHA-512: CF6C5458AB50C859740490985D1E7E887D1116F3FA947FF2EC49AF9997A42F3402C63EF42B93498544195D9859FBB19CCC295966564B30F5ADB4A36D4E8886C6
                Malicious: false
                Reputation: low
                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                Process: C:\Users\user\Desktop\4yGRcXEf.exe
                File Type: data
                Category: dropped
                Size (bytes): 8
                Entropy (8bit): 3.0
                Encrypted: false
                SSDEEP: 3:rV:Z
                MD5: 0F05952A6BB6C5B4C2017E0EBF8B67D9
                SHA1: 0553EE2EBE7C542B6F063452E85248D8FF8DD8B0
                SHA-256: 989124C5F8B84DCBD642AA1CA3811E5ACF5166D34093E64E51706D63F8EF50BA
                SHA-512: D9828A7219D5385F5B703230073EE9CAA08E9B14DDE7FC0A7D811ACEF745AFF1BAFE94D7F457223065559F30E1D25DA12A4A3662C8761DBA5C778957E95288AF
                Malicious: true
                Reputation: low
                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                Process: C:\Users\user\Desktop\4yGRcXEf.exe
                File Type: data
                Category: dropped
                Size (bytes): 40
                Entropy (8bit): 5.153055907333276
                Encrypted: false
                SSDEEP: 3:9bzY6oRDT6P2bfVn1:RzWDT621
                MD5: 4E5E92E2369688041CC82EF9650EDED2
                SHA1: 15E44F2F3194EE232B44E9684163B6F66472C862
                SHA-256: F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                SHA-512: 1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                Malicious: false
                Reputation: moderate, very likely benign file
                C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                Process: C:\Users\user\Desktop\4yGRcXEf.exe
                File Type: data
                Category: dropped
                Size (bytes): 433680
                Entropy (8bit): 7.999538095926698
                Encrypted: true
                SSDEEP: 6144:lkuIpKmbvDHg+8RprJBRtt1pH6ZbnFowauxaeTg7hzzMK+gsCQX7SLB8KKV5B2Ny:FYbLHD8RJ3R12nUuQhzHAolSH
                MD5: 7F0642B40D7F2EE4CF9D08601762F280
                SHA1: DB0A55E900FB8AB637F84815E8100DE9BA391810
                SHA-256: E6A52CF6101CD8A5B0B276BA0507AB1FA3203267B842C4534F28F37ADA40C02A
                SHA-512: 108EB480E9AD78B3DD9783ED536B1406EB390F10CAFE0E95F26DA86D08B4E006FFFCE8EA389F87F4E6D92B0BFDA20EA8FD0BD6094D7E6EA773807D0ADBE1C2E1
                Malicious: false
                Reputation: low

                Static File Info

                General

                File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit): 7.474968778910399
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                • Win32 Executable (generic) a (10002005/4) 49.78%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Generic Win/DOS Executable (2004/3) 0.01%
                • DOS Executable Generic (2002/1) 0.01%
                File name: 4yGRcXEf.exe
                File size: 214528
                MD5: 87e77797615466baa21cde3f7bb347f2
                SHA1: 9cd228af2ea1f503fe76ed0ead2cfaab8ce7f08a
                SHA256: d50a35f05df59b5b35e07dd204e5312629b3670b09da6801c56f89c5aef8ff6b
                SHA512: cb88a2bfffec3ba7002e7d845e9d40f78285b822f17c24c21ec8c34ea488546466b4f1cddbed355f124dd8443004deb34d02dce3a7a6e591c4f2590d1858c58c
                SSDEEP: 6144:ELV6Bta6dtJmakIM55LTS/szPqJ6T8oXb4t:ELV6BtpmkiY6hbc

                File Icon

                Icon Hash: 00828e8e8686b000

                Static PE Info

                General

                Entrypoint: 0x41e792
                Entrypoint Section: .text
                Digitally signed: false
                Imagebase: 0x400000
                Subsystem: windows gui
                Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                DLL Characteristics:
                Time Stamp: 0x54E927A1 [Sun Feb 22 00:49:37 2015 UTC]
                TLS Callbacks:
                CLR (.Net) Version: v2.0.50727
                OS Version Major: 4
                OS Version Minor: 0
                File Version Major: 4
                File Version Minor: 0
                Subsystem Version Major: 4
                Subsystem Version Minor: 0
                Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                Entrypoint Preview

                Instruction
                jmp dword ptr [00402000h]

                Data Directories

                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e738 | 0x57 | .text
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x17860 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x20000 | 0xc | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                Sections

                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x2000 | 0x1c798 | 0x1c800 | False | 0.594512404057 | data | 6.59805753854 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                .reloc | 0x20000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                .rsrc | 0x22000 | 0x17860 | 0x17a00 | False | 0.996569113757 | data | 7.99724840992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                Resources

                Name | RVA | Size | Type | Language | Country
                RT_RCDATA | 0x22058 | 0x17808 | TIM image, Pixel at (43704,20504) Size=15294x49224 | |

                Imports

                DLL | Import
                mscoree.dll | _CorExeMain

                Network Behavior

                Snort IDS Alerts

                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                11/23/20-14:49:14.930830 | TCP | 2025019 | ET TROJAN Possible NanoCore C2 60B | 49714 | 3606 | 192.168.2.5 | 79.134.225.77

                Network Port Distribution

                TCP Packets


                UDP Packets


                DNS Queries

                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                Nov 23, 2020 14:49:14.593347073 CET | 192.168.2.5 | 8.8.8.8 | 0x675a | Standard query (0) | poseidon99.duckdns.org | A (IP address) | IN (0x0001)
                Nov 23, 2020 14:50:02.246965885 CET | 192.168.2.5 | 8.8.8.8 | 0x4a | Standard query (0) | g.msn.com | A (IP address) | IN (0x0001)

                DNS Answers

                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                Nov 23, 2020 14:49:14.794558048 CET | 8.8.8.8 | 192.168.2.5 | 0x675a | No error (0) | poseidon99.duckdns.org | | 79.134.225.77 | A (IP address) | IN (0x0001)
                Nov 23, 2020 14:50:02.290695906 CET | 8.8.8.8 | 192.168.2.5 | 0x4a | No error (0) | g.msn.com | g-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)

                Code Manipulations

                Statistics

                System Behavior

                General

                Start time: 14:49:12
                Start date: 23/11/2020
                Path: C:\Users\user\Desktop\4yGRcXEf.exe
                Wow64 process (32bit): true
                Commandline: 'C:\Users\user\Desktop\4yGRcXEf.exe'
                Imagebase: 0x2b0000
                File size: 214528 bytes
                MD5 hash: 87E77797615466BAA21CDE3F7BB347F2
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: .Net C# or VB.NET
                Yara matches:
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000000.00000000.224571570.00000000002B2000.00000002.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: NanoCore, Description: unknown, Source: 00000000.00000003.233132403.0000000004534000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                Reputation: low

                Disassembly

                Code Analysis
