
Analysis Report kelvinx.exe

Overview

General Information

Sample Name: kelvinx.exe
Analysis ID: 322215
MD5: 0e4ecbb7ebdd4c7341658b9e6471a0b7
SHA1: 994026038fcbd0514d029c511f20bda6b0b17080
SHA256: 20eb19ebf2de8995adbc740f2a797cc3119face8760885e7cb9e3a6f3d376d5d
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code references suspicious native API functions
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • kelvinx.exe (PID: 5332 cmdline: 'C:\Users\user\Desktop\kelvinx.exe' MD5: 0E4ECBB7EBDD4C7341658B9E6471A0B7)
    • kelvinx.exe (PID: 1556 cmdline: C:\Users\user\Desktop\kelvinx.exe MD5: 0E4ECBB7EBDD4C7341658B9E6471A0B7)
  • noteped.exe (PID: 5368 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe' MD5: 0E4ECBB7EBDD4C7341658B9E6471A0B7)
    • noteped.exe (PID: 6312 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe MD5: 0E4ECBB7EBDD4C7341658B9E6471A0B7)
  • noteped.exe (PID: 6360 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe' MD5: 0E4ECBB7EBDD4C7341658B9E6471A0B7)
    • noteped.exe (PID: 6648 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe MD5: 0E4ECBB7EBDD4C7341658B9E6471A0B7)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.140.53.132"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source: 0000000C.00000002.306118461.0000000003AE9000.00000004.00000001.sdmp
  Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
  Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>; Strings:
    • 0x42f15:$a: NanoCore
    • 0x42f6e:$a: NanoCore
    • 0x42fab:$a: NanoCore
    • 0x43024:$a: NanoCore
    • 0x566cf:$a: NanoCore
    • 0x566e4:$a: NanoCore
    • 0x56719:$a: NanoCore
    • 0x6f19b:$a: NanoCore
    • 0x6f1b0:$a: NanoCore
    • 0x6f1e5:$a: NanoCore
    • 0x42f77:$b: ClientPlugin
    • 0x42fb4:$b: ClientPlugin
    • 0x438b2:$b: ClientPlugin
    • 0x438bf:$b: ClientPlugin
    • 0x5648b:$b: ClientPlugin
    • 0x564a6:$b: ClientPlugin
    • 0x564d6:$b: ClientPlugin
    • 0x566ed:$b: ClientPlugin
    • 0x56722:$b: ClientPlugin
    • 0x6ef57:$b: ClientPlugin
    • 0x6ef72:$b: ClientPlugin
Source: 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp
  Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
  Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>; Strings:
    • 0x2f15:$a: NanoCore
    • 0x2f6e:$a: NanoCore
    • 0x2fab:$a: NanoCore
    • 0x3024:$a: NanoCore
    • 0x166cf:$a: NanoCore
    • 0x166e4:$a: NanoCore
    • 0x16719:$a: NanoCore
    • 0x2f19b:$a: NanoCore
    • 0x2f1b0:$a: NanoCore
    • 0x2f1e5:$a: NanoCore
    • 0x2f77:$b: ClientPlugin
    • 0x2fb4:$b: ClientPlugin
    • 0x38b2:$b: ClientPlugin
    • 0x38bf:$b: ClientPlugin
    • 0x1648b:$b: ClientPlugin
    • 0x164a6:$b: ClientPlugin
    • 0x164d6:$b: ClientPlugin
    • 0x166ed:$b: ClientPlugin
    • 0x16722:$b: ClientPlugin
    • 0x2ef57:$b: ClientPlugin
    • 0x2ef72:$b: ClientPlugin
Source: 00000001.00000002.493316264.0000000005A30000.00000004.00000001.sdmp
  Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth; Strings:
    • 0xf7ad:$x1: NanoCore.ClientPluginHost
    • 0xf7da:$x2: IClientNetworkHost
(list truncated; the full report lists 47 entries)

Unpacked PEs

Source: 12.2.noteped.exe.400000.0.unpack
  Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth; Strings:
    • 0x1018d:$x1: NanoCore.ClientPluginHost
    • 0x101ca:$x2: IClientNetworkHost
    • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
  Rule: Nanocore_RAT_Feb18_1; Description: Detects Nanocore RAT; Author: Florian Roth; Strings:
    • 0xff05:$x1: NanoCore Client.exe
    • 0x1018d:$x2: NanoCore.ClientPluginHost
    • 0x117c6:$s1: PluginCommand
    • 0x117ba:$s2: FileCommand
    • 0x1266b:$s3: PipeExists
    • 0x18422:$s4: PipeCreated
    • 0x101b7:$s5: IClientLoggingHost
  Rule: JoeSecurity_Nanocore; Description: Yara detected Nanocore RAT; Author: Joe Security
  Rule: NanoCore; Description: unknown; Author: Kevin Breen <kevin@techanarchy.net>; Strings:
    • 0xfef5:$a: NanoCore
    • 0xff05:$a: NanoCore
    • 0x10139:$a: NanoCore
    • 0x1014d:$a: NanoCore
    • 0x1018d:$a: NanoCore
    • 0xff54:$b: ClientPlugin
    • 0x10156:$b: ClientPlugin
    • 0x10196:$b: ClientPlugin
    • 0x1007b:$c: ProjectData
    • 0x10a82:$d: DESCrypto
    • 0x1844e:$e: KeepAlive
    • 0x1643c:$g: LogClientMessage
    • 0x12637:$i: get_Connected
    • 0x10db8:$j: #=q
    • 0x10de8:$j: #=q
    • 0x10e04:$j: #=q
    • 0x10e34:$j: #=q
    • 0x10e50:$j: #=q
    • 0x10e6c:$j: #=q
    • 0x10e9c:$j: #=q
    • 0x10eb8:$j: #=q
Source: 6.2.noteped.exe.400000.0.unpack
  Rule: Nanocore_RAT_Gen_2; Description: Detetcs the Nanocore RAT; Author: Florian Roth; Strings:
    • 0x1018d:$x1: NanoCore.ClientPluginHost
    • 0x101ca:$x2: IClientNetworkHost
    • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(list truncated; the full report lists 15 entries)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\Desktop\kelvinx.exe, ProcessId: 1556, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: noteped.exe.6648.12.memstr; Malware Configuration Extractor: NanoCore {"C2: ": ["185.140.53.132"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe; ReversingLabs: Detection: 52%
Multi AV Scanner detection for submitted file
Source: kelvinx.exe; Virustotal: Detection: 35%
Source: kelvinx.exe; ReversingLabs: Detection: 52%
Yara detected Nanocore RAT
Source: Yara match; File source: 0000000C.00000002.306118461.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.493316264.0000000005A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.305164959.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.284681945.0000000002FB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.284823064.0000000003FB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.306051125.0000000002AE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.488239312.0000000003161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.283332088.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.485264467.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: noteped.exe PID: 6360, type: MEMORY
Source: Yara match; File source: Process Memory Space: noteped.exe PID: 6648, type: MEMORY
Source: Yara match; File source: Process Memory Space: noteped.exe PID: 5368, type: MEMORY
Source: Yara match; File source: Process Memory Space: noteped.exe PID: 6312, type: MEMORY
Source: Yara match; File source: Process Memory Space: kelvinx.exe PID: 5332, type: MEMORY
Source: Yara match; File source: Process Memory Space: kelvinx.exe PID: 1556, type: MEMORY
Source: Yara match; File source: 12.2.noteped.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.noteped.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.kelvinx.exe.5a30000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.kelvinx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.kelvinx.exe.5a30000.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: kelvinx.exe; Joe Sandbox ML: detected
Source: 12.2.noteped.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.noteped.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.kelvinx.exe.5a30000.4.unpack; Avira: Label: TR/NanoCore.fadte
Source: 1.2.kelvinx.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe; File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe; File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: global traffic; TCP traffic: 192.168.2.5:49715 -> 185.140.53.132:7600
Source: Joe Sandbox View; IP Address: 185.140.53.132
Source: Joe Sandbox View; ASN Name: DAVID_CRAIGGG
Source: unknown; TCP traffic detected without corresponding DNS query: 185.140.53.132 (this entry is repeated 36 times in the report)
Source: kelvinx.exe, 00000000.00000003.220047831.00000000057E7000.00000004.00000001.sdmp; String found in binary or memory: http://en.w
Source: kelvinx.exe, 00000000.00000003.219897482.00000000057E6000.00000004.00000001.sdmp; String found in binary or memory: http://en.wC
Source: kelvinx.exe, 00000000.00000003.219971249.00000000057E7000.00000004.00000001.sdmp; String found in binary or memory: http://en.wikipF
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, kelvinx.exe, 00000000.00000003.221048841.00000000057D7000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: kelvinx.exe, 00000000.00000003.221502115.00000000057D2000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com
Source: kelvinx.exe, 00000000.00000003.221173652.00000000057CE000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comimS
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: kelvinx.exe, 00000000.00000003.221173652.00000000057CE000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comper
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: kelvinx.exe, 00000000.00000003.237362642.00000000057C0000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comcomo
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: kelvinx.exe, 00000000.00000003.220783733.00000000057F2000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: kelvinx.exe, 00000000.00000003.220824103.00000000057EC000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: kelvinx.exe, 00000000.00000003.220725135.00000000057EC000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cna-d
Source: kelvinx.exe, 00000000.00000003.220725135.00000000057EC000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnd:
Source: kelvinx.exe, 00000000.00000003.220911534.00000000057EC000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnude
Source: kelvinx.exe, 00000000.00000003.220911534.00000000057EC000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn~
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: kelvinx.exe, 00000000.00000003.225402812.00000000057C4000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmNormalr
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: kelvinx.exe, 00000000.00000003.222115295.00000000057CE000.00000004.00000001.sdmp, kelvinx.exe, 00000000.00000003.221900652.00000000057D5000.00000004.00000001.sdmp, kelvinx.exe, 00000000.00000003.221985463.00000000057D5000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: kelvinx.exe, 00000000.00000003.221803128.00000000057C6000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/0w
Source: kelvinx.exe, 00000000.00000003.221900652.00000000057D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/J
Source: kelvinx.exe, 00000000.00000003.221900652.00000000057D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Vwfz
Source: kelvinx.exe, 00000000.00000003.221985463.00000000057D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Y01
Source: kelvinx.exe, 00000000.00000003.222579187.00000000057CE000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: kelvinx.exe, 00000000.00000003.221900652.00000000057D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/.w
Source: kelvinx.exe, 00000000.00000003.221803128.00000000057C6000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/qwCz
Source: kelvinx.exe, 00000000.00000003.221985463.00000000057D5000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/xwtz
Source: kelvinx.exe, 00000000.00000003.221803128.00000000057C6000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/z
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: kelvinx.exe, 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 0000000C.00000002.306118461.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.493316264.0000000005A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.305164959.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.284681945.0000000002FB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.284823064.0000000003FB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.306051125.0000000002AE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.488239312.0000000003161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.283332088.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.485264467.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: noteped.exe PID: 6360, type: MEMORY
Source: Yara match; File source: Process Memory Space: noteped.exe PID: 6648, type: MEMORY
Source: Yara match; File source: Process Memory Space: noteped.exe PID: 5368, type: MEMORY
Source: Yara match; File source: Process Memory Space: noteped.exe PID: 6312, type: MEMORY
Source: Yara match; File source: Process Memory Space: kelvinx.exe PID: 5332, type: MEMORY
Source: Yara match; File source: Process Memory Space: kelvinx.exe PID: 1556, type: MEMORY
Source: Yara match; File source: 12.2.noteped.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.noteped.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.kelvinx.exe.5a30000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.kelvinx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.kelvinx.exe.5a30000.4.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000C.00000002.306118461.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.493316264.0000000005A30000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.305164959.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.305164959.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.284681945.0000000002FB1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.284823064.0000000003FB9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.306051125.0000000002AE1000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.493282549.00000000058E0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.283332088.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.283332088.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.485264467.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.485264467.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: noteped.exe PID: 6360, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: noteped.exe PID: 6360, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: noteped.exe PID: 6648, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: noteped.exe PID: 6648, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: noteped.exe PID: 5368, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: noteped.exe PID: 5368, type: MEMORY; Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: noteped.exe PID: 6312, type: MEMORY; Matched rule: Detetcs the Nanocore RAT Author: Florian Roth