Play interactive tour

Edit tour

Analysis Report kelvinx.exe

Overview

General Information

Sample Name:	kelvinx.exe
Analysis ID:	322215
MD5:	0e4ecbb7ebdd4c7341658b9e6471a0b7
SHA1:	994026038fcbd0514d029c511f20bda6b0b17080
SHA256:	20eb19ebf2de8995adbc740f2a797cc3119face8760885e7cb9e3a6f3d376d5d
Tags:	exeNanoCore
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Yara detected Nanocore RAT

.NET source code references suspicious native API functions

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Antivirus or Machine Learning detection for unpacked file

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

kelvinx.exe (PID: 5332 cmdline: 'C:\Users\user\Desktop\kelvinx.exe' MD5: 0E4ECBB7EBDD4C7341658B9E6471A0B7)

kelvinx.exe (PID: 1556 cmdline: C:\Users\user\Desktop\kelvinx.exe MD5: 0E4ECBB7EBDD4C7341658B9E6471A0B7)

noteped.exe (PID: 5368 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe' MD5: 0E4ECBB7EBDD4C7341658B9E6471A0B7)

noteped.exe (PID: 6312 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe MD5: 0E4ECBB7EBDD4C7341658B9E6471A0B7)

noteped.exe (PID: 6360 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe' MD5: 0E4ECBB7EBDD4C7341658B9E6471A0B7)

noteped.exe (PID: 6648 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe MD5: 0E4ECBB7EBDD4C7341658B9E6471A0B7)

cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.140.53.132"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.306118461.0000000003AE9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.306118461.0000000003AE9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42f15:$a: NanoCore 0x42f6e:$a: NanoCore 0x42fab:$a: NanoCore 0x43024:$a: NanoCore 0x566cf:$a: NanoCore 0x566e4:$a: NanoCore 0x56719:$a: NanoCore 0x6f19b:$a: NanoCore 0x6f1b0:$a: NanoCore 0x6f1e5:$a: NanoCore 0x42f77:$b: ClientPlugin 0x42fb4:$b: ClientPlugin 0x438b2:$b: ClientPlugin 0x438bf:$b: ClientPlugin 0x5648b:$b: ClientPlugin 0x564a6:$b: ClientPlugin 0x564d6:$b: ClientPlugin 0x566ed:$b: ClientPlugin 0x56722:$b: ClientPlugin 0x6ef57:$b: ClientPlugin 0x6ef72:$b: ClientPlugin
00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2f15:$a: NanoCore 0x2f6e:$a: NanoCore 0x2fab:$a: NanoCore 0x3024:$a: NanoCore 0x166cf:$a: NanoCore 0x166e4:$a: NanoCore 0x16719:$a: NanoCore 0x2f19b:$a: NanoCore 0x2f1b0:$a: NanoCore 0x2f1e5:$a: NanoCore 0x2f77:$b: ClientPlugin 0x2fb4:$b: ClientPlugin 0x38b2:$b: ClientPlugin 0x38bf:$b: ClientPlugin 0x1648b:$b: ClientPlugin 0x164a6:$b: ClientPlugin 0x164d6:$b: ClientPlugin 0x166ed:$b: ClientPlugin 0x16722:$b: ClientPlugin 0x2ef57:$b: ClientPlugin 0x2ef72:$b: ClientPlugin
00000001.00000002.493316264.0000000005A30000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000001.00000002.493316264.0000000005A30000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000001.00000002.493316264.0000000005A30000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.305164959.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.305164959.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.305164959.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000006.00000002.284681945.0000000002FB1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.284681945.0000000002FB1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x698cf:$a: NanoCore 0x69928:$a: NanoCore 0x69965:$a: NanoCore 0x699de:$a: NanoCore 0x69931:$b: ClientPlugin 0x6996e:$b: ClientPlugin 0x6a26c:$b: ClientPlugin 0x6a279:$b: ClientPlugin 0x5f529:$e: KeepAlive 0x69db9:$g: LogClientMessage 0x69d39:$i: get_Connected 0x59d05:$j: #=q 0x59d35:$j: #=q 0x59d71:$j: #=q 0x59d99:$j: #=q 0x59dc9:$j: #=q 0x59df9:$j: #=q 0x59e29:$j: #=q 0x59e59:$j: #=q 0x59e75:$j: #=q 0x59ea5:$j: #=q
00000006.00000002.284823064.0000000003FB9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.284823064.0000000003FB9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42f15:$a: NanoCore 0x42f6e:$a: NanoCore 0x42fab:$a: NanoCore 0x43024:$a: NanoCore 0x566cf:$a: NanoCore 0x566e4:$a: NanoCore 0x56719:$a: NanoCore 0x6f19b:$a: NanoCore 0x6f1b0:$a: NanoCore 0x6f1e5:$a: NanoCore 0x42f77:$b: ClientPlugin 0x42fb4:$b: ClientPlugin 0x438b2:$b: ClientPlugin 0x438bf:$b: ClientPlugin 0x5648b:$b: ClientPlugin 0x564a6:$b: ClientPlugin 0x564d6:$b: ClientPlugin 0x566ed:$b: ClientPlugin 0x56722:$b: ClientPlugin 0x6ef57:$b: ClientPlugin 0x6ef72:$b: ClientPlugin
0000000C.00000002.306051125.0000000002AE1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.306051125.0000000002AE1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x698cf:$a: NanoCore 0x69928:$a: NanoCore 0x69965:$a: NanoCore 0x699de:$a: NanoCore 0x69931:$b: ClientPlugin 0x6996e:$b: ClientPlugin 0x6a26c:$b: ClientPlugin 0x6a279:$b: ClientPlugin 0x5f529:$e: KeepAlive 0x69db9:$g: LogClientMessage 0x69d39:$i: get_Connected 0x59d05:$j: #=q 0x59d35:$j: #=q 0x59d71:$j: #=q 0x59d99:$j: #=q 0x59dc9:$j: #=q 0x59df9:$j: #=q 0x59e29:$j: #=q 0x59e59:$j: #=q 0x59e75:$j: #=q 0x59ea5:$j: #=q
00000001.00000002.493282549.00000000058E0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000001.00000002.493282549.00000000058E0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1596e5:$x1: NanoCore.ClientPluginHost 0x18bf05:$x1: NanoCore.ClientPluginHost 0x159722:$x2: IClientNetworkHost 0x18bf42:$x2: IClientNetworkHost 0x15d255:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x18fa75:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x15944d:$a: NanoCore 0x15945d:$a: NanoCore 0x159691:$a: NanoCore 0x1596a5:$a: NanoCore 0x1596e5:$a: NanoCore 0x18bc6d:$a: NanoCore 0x18bc7d:$a: NanoCore 0x18beb1:$a: NanoCore 0x18bec5:$a: NanoCore 0x18bf05:$a: NanoCore 0x1594ac:$b: ClientPlugin 0x1596ae:$b: ClientPlugin 0x1596ee:$b: ClientPlugin 0x18bccc:$b: ClientPlugin 0x18bece:$b: ClientPlugin 0x18bf0e:$b: ClientPlugin 0x1595d3:$c: ProjectData 0x18bdf3:$c: ProjectData 0x159fda:$d: DESCrypto 0x18c7fa:$d: DESCrypto 0x1619a6:$e: KeepAlive
00000001.00000002.488239312.0000000003161000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.283332088.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000006.00000002.283332088.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000006.00000002.283332088.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000001.00000002.485264467.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.485264467.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.485264467.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x365a5d:$x1: NanoCore.ClientPluginHost 0x39827d:$x1: NanoCore.ClientPluginHost 0x365a9a:$x2: IClientNetworkHost 0x3982ba:$x2: IClientNetworkHost 0x3695cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x39bded:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3657c5:$a: NanoCore 0x3657d5:$a: NanoCore 0x365a09:$a: NanoCore 0x365a1d:$a: NanoCore 0x365a5d:$a: NanoCore 0x397fe5:$a: NanoCore 0x397ff5:$a: NanoCore 0x398229:$a: NanoCore 0x39823d:$a: NanoCore 0x39827d:$a: NanoCore 0x365824:$b: ClientPlugin 0x365a26:$b: ClientPlugin 0x365a66:$b: ClientPlugin 0x398044:$b: ClientPlugin 0x398246:$b: ClientPlugin 0x398286:$b: ClientPlugin 0x36594b:$c: ProjectData 0x39816b:$c: ProjectData 0x366352:$d: DESCrypto 0x398b72:$d: DESCrypto 0x36dd1e:$e: KeepAlive
00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x365a65:$x1: NanoCore.ClientPluginHost 0x398285:$x1: NanoCore.ClientPluginHost 0x365aa2:$x2: IClientNetworkHost 0x3982c2:$x2: IClientNetworkHost 0x3695d5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x39bdf5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3657cd:$a: NanoCore 0x3657dd:$a: NanoCore 0x365a11:$a: NanoCore 0x365a25:$a: NanoCore 0x365a65:$a: NanoCore 0x397fed:$a: NanoCore 0x397ffd:$a: NanoCore 0x398231:$a: NanoCore 0x398245:$a: NanoCore 0x398285:$a: NanoCore 0x36582c:$b: ClientPlugin 0x365a2e:$b: ClientPlugin 0x365a6e:$b: ClientPlugin 0x39804c:$b: ClientPlugin 0x39824e:$b: ClientPlugin 0x39828e:$b: ClientPlugin 0x365953:$c: ProjectData 0x398173:$c: ProjectData 0x36635a:$d: DESCrypto 0x398b7a:$d: DESCrypto 0x36dd26:$e: KeepAlive
Process Memory Space: noteped.exe PID: 6360	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x543d6c:$x1: NanoCore.ClientPluginHost 0x56279d:$x1: NanoCore.ClientPluginHost 0x543dcd:$x2: IClientNetworkHost 0x5627fe:$x2: IClientNetworkHost 0x5491d2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x557144:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x567c03:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x575b75:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: noteped.exe PID: 6360	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: noteped.exe PID: 6360	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x543871:$a: NanoCore 0x54388d:$a: NanoCore 0x5439e8:$a: NanoCore 0x5439f7:$a: NanoCore 0x543cd0:$a: NanoCore 0x543cfc:$a: NanoCore 0x543d6c:$a: NanoCore 0x5537ae:$a: NanoCore 0x5537c0:$a: NanoCore 0x5537fc:$a: NanoCore 0x5622a2:$a: NanoCore 0x5622be:$a: NanoCore 0x562419:$a: NanoCore 0x562428:$a: NanoCore 0x562701:$a: NanoCore 0x56272d:$a: NanoCore 0x56279d:$a: NanoCore 0x5721df:$a: NanoCore 0x5721f1:$a: NanoCore 0x57222d:$a: NanoCore 0x543918:$b: ClientPlugin
Process Memory Space: noteped.exe PID: 6648	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5c14:$x1: NanoCore.ClientPluginHost 0xb7d3:$x1: NanoCore.ClientPluginHost 0x1c646:$x1: NanoCore.ClientPluginHost 0x12b772:$x1: NanoCore.ClientPluginHost 0x171afc:$x1: NanoCore.ClientPluginHost 0x5c3a:$x2: IClientNetworkHost 0xb818:$x2: IClientNetworkHost 0x1c68b:$x2: IClientNetworkHost 0x12b7d3:$x2: IClientNetworkHost 0x171b22:$x2: IClientNetworkHost 0x130bd8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x13eb4a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: noteped.exe PID: 6648	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: noteped.exe PID: 6648	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5b06:$a: NanoCore 0x5ba7:$a: NanoCore 0x5c14:$a: NanoCore 0x5cd5:$a: NanoCore 0x6ba6:$a: NanoCore 0x6bf9:$a: NanoCore 0x6c32:$a: NanoCore 0x6ca5:$a: NanoCore 0xb74d:$a: NanoCore 0xb77a:$a: NanoCore 0xb7d3:$a: NanoCore 0x12fe2:$a: NanoCore 0x12ff5:$a: NanoCore 0x13027:$a: NanoCore 0x1c5c0:$a: NanoCore 0x1c5ed:$a: NanoCore 0x1c646:$a: NanoCore 0x23e55:$a: NanoCore 0x23e68:$a: NanoCore 0x23e9a:$a: NanoCore 0x12b277:$a: NanoCore
Process Memory Space: noteped.exe PID: 5368	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3ce54d:$x1: NanoCore.ClientPluginHost 0x3ecf7e:$x1: NanoCore.ClientPluginHost 0x3ce5ae:$x2: IClientNetworkHost 0x3ecfdf:$x2: IClientNetworkHost 0x3d39b3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3e1925:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3f23e4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x400356:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: noteped.exe PID: 5368	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: noteped.exe PID: 5368	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3ce052:$a: NanoCore 0x3ce06e:$a: NanoCore 0x3ce1c9:$a: NanoCore 0x3ce1d8:$a: NanoCore 0x3ce4b1:$a: NanoCore 0x3ce4dd:$a: NanoCore 0x3ce54d:$a: NanoCore 0x3ddf8f:$a: NanoCore 0x3ddfa1:$a: NanoCore 0x3ddfdd:$a: NanoCore 0x3eca83:$a: NanoCore 0x3eca9f:$a: NanoCore 0x3ecbfa:$a: NanoCore 0x3ecc09:$a: NanoCore 0x3ecee2:$a: NanoCore 0x3ecf0e:$a: NanoCore 0x3ecf7e:$a: NanoCore 0x3fc9c0:$a: NanoCore 0x3fc9d2:$a: NanoCore 0x3fca0e:$a: NanoCore 0x3ce0f9:$b: ClientPlugin
Process Memory Space: noteped.exe PID: 6312	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1dde33:$x1: NanoCore.ClientPluginHost 0x1e5ae5:$x1: NanoCore.ClientPluginHost 0x1eb6a4:$x1: NanoCore.ClientPluginHost 0x1fc517:$x1: NanoCore.ClientPluginHost 0x2428bd:$x1: NanoCore.ClientPluginHost 0x1dde59:$x2: IClientNetworkHost 0x1e5b0b:$x2: IClientNetworkHost 0x1eb6e9:$x2: IClientNetworkHost 0x1fc55c:$x2: IClientNetworkHost 0x24291e:$x2: IClientNetworkHost 0x247d23:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x255c95:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: noteped.exe PID: 6312	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: noteped.exe PID: 6312	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1b5f3a:$a: NanoCore 0x1b5fa1:$a: NanoCore 0x1b6045:$a: NanoCore 0x1ddd25:$a: NanoCore 0x1dddc6:$a: NanoCore 0x1dde33:$a: NanoCore 0x1ddef4:$a: NanoCore 0x1dedc5:$a: NanoCore 0x1dee18:$a: NanoCore 0x1dee51:$a: NanoCore 0x1deec4:$a: NanoCore 0x1e02e5:$a: NanoCore 0x1e03e7:$a: NanoCore 0x1e0403:$a: NanoCore 0x1e041f:$a: NanoCore 0x1e043b:$a: NanoCore 0x1e59d7:$a: NanoCore 0x1e5a78:$a: NanoCore 0x1e5ae5:$a: NanoCore 0x1e5ba6:$a: NanoCore 0x1e6a77:$a: NanoCore
Process Memory Space: kelvinx.exe PID: 5332	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x430b90:$x1: NanoCore.ClientPluginHost 0x44f5c1:$x1: NanoCore.ClientPluginHost 0x430bf1:$x2: IClientNetworkHost 0x44f622:$x2: IClientNetworkHost 0x435ff6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x443f68:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x454a27:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x462999:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: kelvinx.exe PID: 5332	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: kelvinx.exe PID: 5332	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x430695:$a: NanoCore 0x4306b1:$a: NanoCore 0x43080c:$a: NanoCore 0x43081b:$a: NanoCore 0x430af4:$a: NanoCore 0x430b20:$a: NanoCore 0x430b90:$a: NanoCore 0x4405d2:$a: NanoCore 0x4405e4:$a: NanoCore 0x440620:$a: NanoCore 0x44f0c6:$a: NanoCore 0x44f0e2:$a: NanoCore 0x44f23d:$a: NanoCore 0x44f24c:$a: NanoCore 0x44f525:$a: NanoCore 0x44f551:$a: NanoCore 0x44f5c1:$a: NanoCore 0x45f003:$a: NanoCore 0x45f015:$a: NanoCore 0x45f051:$a: NanoCore 0x43073c:$b: ClientPlugin
Process Memory Space: kelvinx.exe PID: 1556	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x267973:$x1: NanoCore.ClientPluginHost 0x26d532:$x1: NanoCore.ClientPluginHost 0x27e3a5:$x1: NanoCore.ClientPluginHost 0x351e82:$x1: NanoCore.ClientPluginHost 0x37bc9f:$x1: NanoCore.ClientPluginHost 0x267999:$x2: IClientNetworkHost 0x26d577:$x2: IClientNetworkHost 0x27e3ea:$x2: IClientNetworkHost 0x351ea8:$x2: IClientNetworkHost 0x37bd00:$x2: IClientNetworkHost 0x381105:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x38f077:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: kelvinx.exe PID: 1556	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: kelvinx.exe PID: 1556	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x267865:$a: NanoCore 0x267906:$a: NanoCore 0x267973:$a: NanoCore 0x267a34:$a: NanoCore 0x268905:$a: NanoCore 0x268958:$a: NanoCore 0x268991:$a: NanoCore 0x268a04:$a: NanoCore 0x26d4ac:$a: NanoCore 0x26d4d9:$a: NanoCore 0x26d532:$a: NanoCore 0x274d41:$a: NanoCore 0x274d54:$a: NanoCore 0x274d86:$a: NanoCore 0x27e31f:$a: NanoCore 0x27e34c:$a: NanoCore 0x27e3a5:$a: NanoCore 0x285bb4:$a: NanoCore 0x285bc7:$a: NanoCore 0x285bf9:$a: NanoCore 0x3035af:$a: NanoCore
Click to see the 47 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.noteped.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.noteped.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.2.noteped.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.noteped.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
6.2.noteped.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
6.2.noteped.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
6.2.noteped.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
6.2.noteped.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.kelvinx.exe.5a30000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
1.2.kelvinx.exe.5a30000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
1.2.kelvinx.exe.5a30000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.kelvinx.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.kelvinx.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.kelvinx.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.kelvinx.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.kelvinx.exe.5a30000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
1.2.kelvinx.exe.5a30000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
1.2.kelvinx.exe.5a30000.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.kelvinx.exe.58e0000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
1.2.kelvinx.exe.58e0000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
Click to see the 15 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\kelvinx.exe, ProcessId: 1556, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: noteped.exe.6648.12.memstr

Malware Configuration Extractor: NanoCore {"C2: ": ["185.140.53.132"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe

ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Show sources

Source: kelvinx.exe	Virustotal: Detection: 35%			Perma Link
Source: kelvinx.exe	ReversingLabs: Detection: 52%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000C.00000002.306118461.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.493316264.0000000005A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.305164959.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.284681945.0000000002FB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.284823064.0000000003FB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.306051125.0000000002AE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.488239312.0000000003161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.283332088.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.485264467.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: noteped.exe PID: 6360, type: MEMORY
Source: Yara match	File source: Process Memory Space: noteped.exe PID: 6648, type: MEMORY
Source: Yara match	File source: Process Memory Space: noteped.exe PID: 5368, type: MEMORY
Source: Yara match	File source: Process Memory Space: noteped.exe PID: 6312, type: MEMORY
Source: Yara match	File source: Process Memory Space: kelvinx.exe PID: 5332, type: MEMORY
Source: Yara match	File source: Process Memory Space: kelvinx.exe PID: 1556, type: MEMORY
Source: Yara match	File source: 12.2.noteped.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.noteped.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kelvinx.exe.5a30000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kelvinx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kelvinx.exe.5a30000.4.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: kelvinx.exe

Joe Sandbox ML: detected

Source: 12.2.noteped.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 6.2.noteped.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.kelvinx.exe.5a30000.4.unpack	Avira: Label: TR/NanoCore.fadte
Source: 1.2.kelvinx.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\notepod\noteped.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.5:49715 -> 185.140.53.132:7600

Source: Joe Sandbox View

IP Address: 185.140.53.132 185.140.53.132

Source: Joe Sandbox View

ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132
Source: unknown	TCP traffic detected without corresponding DNS query: 185.140.53.132

Source: kelvinx.exe, 00000000.00000003.220047831.00000000057E7000.00000004.00000001.sdmp	String found in binary or memory: http://en.w
Source: kelvinx.exe, 00000000.00000003.219897482.00000000057E6000.00000004.00000001.sdmp	String found in binary or memory: http://en.wC
Source: kelvinx.exe, 00000000.00000003.219971249.00000000057E7000.00000004.00000001.sdmp	String found in binary or memory: http://en.wikipF
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, kelvinx.exe, 00000000.00000003.221048841.00000000057D7000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: kelvinx.exe, 00000000.00000003.221502115.00000000057D2000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: kelvinx.exe, 00000000.00000003.221173652.00000000057CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comimS
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: kelvinx.exe, 00000000.00000003.221173652.00000000057CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comper
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: kelvinx.exe, 00000000.00000003.237362642.00000000057C0000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comcomo
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: kelvinx.exe, 00000000.00000003.220783733.00000000057F2000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: kelvinx.exe, 00000000.00000003.220824103.00000000057EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: kelvinx.exe, 00000000.00000003.220725135.00000000057EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cna-d
Source: kelvinx.exe, 00000000.00000003.220725135.00000000057EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnd:
Source: kelvinx.exe, 00000000.00000003.220911534.00000000057EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnude
Source: kelvinx.exe, 00000000.00000003.220911534.00000000057EC000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn~
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: kelvinx.exe, 00000000.00000003.225402812.00000000057C4000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmNormalr
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: kelvinx.exe, 00000000.00000003.222115295.00000000057CE000.00000004.00000001.sdmp, kelvinx.exe, 00000000.00000003.221900652.00000000057D5000.00000004.00000001.sdmp, kelvinx.exe, 00000000.00000003.221985463.00000000057D5000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: kelvinx.exe, 00000000.00000003.221803128.00000000057C6000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/0w
Source: kelvinx.exe, 00000000.00000003.221900652.00000000057D5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/J
Source: kelvinx.exe, 00000000.00000003.221900652.00000000057D5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Vwfz
Source: kelvinx.exe, 00000000.00000003.221985463.00000000057D5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/Y01
Source: kelvinx.exe, 00000000.00000003.222579187.00000000057CE000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: kelvinx.exe, 00000000.00000003.221900652.00000000057D5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/.w
Source: kelvinx.exe, 00000000.00000003.221803128.00000000057C6000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/qwCz
Source: kelvinx.exe, 00000000.00000003.221985463.00000000057D5000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/xwtz
Source: kelvinx.exe, 00000000.00000003.221803128.00000000057C6000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/z
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: kelvinx.exe, 00000000.00000002.244011097.0000000006A52000.00000004.00000001.sdmp, noteped.exe, 00000002.00000002.274192762.00000000055C0000.00000002.00000001.sdmp, noteped.exe, 00000007.00000002.296939599.0000000005BD0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: kelvinx.exe, 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000C.00000002.306118461.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.493316264.0000000005A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.305164959.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.284681945.0000000002FB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.284823064.0000000003FB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.306051125.0000000002AE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.488239312.0000000003161000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.283332088.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.485264467.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: noteped.exe PID: 6360, type: MEMORY
Source: Yara match	File source: Process Memory Space: noteped.exe PID: 6648, type: MEMORY
Source: Yara match	File source: Process Memory Space: noteped.exe PID: 5368, type: MEMORY
Source: Yara match	File source: Process Memory Space: noteped.exe PID: 6312, type: MEMORY
Source: Yara match	File source: Process Memory Space: kelvinx.exe PID: 5332, type: MEMORY
Source: Yara match	File source: Process Memory Space: kelvinx.exe PID: 1556, type: MEMORY
Source: Yara match	File source: 12.2.noteped.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.noteped.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kelvinx.exe.5a30000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kelvinx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.kelvinx.exe.5a30000.4.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000C.00000002.306118461.0000000003AE9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.492062764.00000000041A9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.493316264.0000000005A30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.305164959.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000C.00000002.305164959.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.284681945.0000000002FB1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.284823064.0000000003FB9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000C.00000002.306051125.0000000002AE1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.493282549.00000000058E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.240965816.0000000003B26000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.283332088.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000006.00000002.283332088.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.485264467.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.485264467.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000002.00000002.269811701.00000000035FB000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.289900545.0000000003C9C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: noteped.exe PID: 6360, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: noteped.exe PID: 6360, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: noteped.exe PID: 6648, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: noteped.exe PID: 6648, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: noteped.exe PID: 5368, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: noteped.exe PID: 5368, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: noteped.exe PID: 6312, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth</

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report kelvinx.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary: