
Analysis Report BFSV-1F(N)_1B-8B_ANSI.exe

Overview

General Information

Sample Name: BFSV-1F(N)_1B-8B_ANSI.exe
Analysis ID: 336687
MD5: 157d3320cafb9799ed5d996692e8bea7
SHA1: b8dc9d3720b84695bc18a4310a5f34e2603fc829
SHA256: 5b474ca6fc8158bd6f14d53bca8962f25db3392dfe324f49ddf376610bd785e4
Tags: exe, NanoCore, RAT

Most interesting Screenshot:

Detection

Nanocore
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Nanocore RAT
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 5812 cmdline: 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe' MD5: 157D3320CAFB9799ED5D996692E8BEA7)
    • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 6560 cmdline: 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe' MD5: 157D3320CAFB9799ED5D996692E8BEA7)
    • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 5748 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
      • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 5728 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
      • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 4544 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
        • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 2228 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
        • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 6592 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
          • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 6584 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
          • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 4944 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
            • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 6980 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
            • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 6648 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
              • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 6884 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
              • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 6644 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
                • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 7140 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
                • BFSV-1F(N)_1B-8B_ANSI.exe (PID: 7100 cmdline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe MD5: 157D3320CAFB9799ED5D996692E8BEA7)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x215e5:$x1: NanoCore.ClientPluginHost
  • 0x21622:$x2: IClientNetworkHost
  • 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x2135d:$x1: NanoCore Client.exe
  • 0x215e5:$x2: NanoCore.ClientPluginHost
  • 0x22c1e:$s1: PluginCommand
  • 0x22c12:$s2: FileCommand
  • 0x23ac3:$s3: PipeExists
  • 0x2987a:$s4: PipeCreated
  • 0x2160f:$s5: IClientLoggingHost
0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x2134d:$a: NanoCore
  • 0x2135d:$a: NanoCore
  • 0x21591:$a: NanoCore
  • 0x215a5:$a: NanoCore
  • 0x215e5:$a: NanoCore
  • 0x213ac:$b: ClientPlugin
  • 0x215ae:$b: ClientPlugin
  • 0x215ee:$b: ClientPlugin
  • 0x214d3:$c: ProjectData
  • 0x21eda:$d: DESCrypto
  • 0x298a6:$e: KeepAlive
  • 0x27894:$g: LogClientMessage
  • 0x23a8f:$i: get_Connected
  • 0x22210:$j: #=q
  • 0x22240:$j: #=q
  • 0x2225c:$j: #=q
  • 0x2228c:$j: #=q
  • 0x222a8:$j: #=q
  • 0x222c4:$j: #=q
  • 0x222f4:$j: #=q
  • 0x22310:$j: #=q
00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x215e5:$x1: NanoCore.ClientPluginHost
  • 0x21622:$x2: IClientNetworkHost
  • 0x25155:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(38 entries in total; the remaining entries are not shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1d9e5:$x1: NanoCore.ClientPluginHost
  • 0x1da22:$x2: IClientNetworkHost
  • 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x1d75d:$x1: NanoCore Client.exe
  • 0x1d9e5:$x2: NanoCore.ClientPluginHost
  • 0x1f01e:$s1: PluginCommand
  • 0x1f012:$s2: FileCommand
  • 0x1fec3:$s3: PipeExists
  • 0x25c7a:$s4: PipeCreated
  • 0x1da0f:$s5: IClientLoggingHost
8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x1d74d:$a: NanoCore
  • 0x1d75d:$a: NanoCore
  • 0x1d991:$a: NanoCore
  • 0x1d9a5:$a: NanoCore
  • 0x1d9e5:$a: NanoCore
  • 0x1d7ac:$b: ClientPlugin
  • 0x1d9ae:$b: ClientPlugin
  • 0x1d9ee:$b: ClientPlugin
  • 0x1d8d3:$c: ProjectData
  • 0x1e2da:$d: DESCrypto
  • 0x25ca6:$e: KeepAlive
  • 0x23c94:$g: LogClientMessage
  • 0x1fe8f:$i: get_Connected
  • 0x1e610:$j: #=q
  • 0x1e640:$j: #=q
  • 0x1e65c:$j: #=q
  • 0x1e68c:$j: #=q
  • 0x1e6a8:$j: #=q
  • 0x1e6c4:$j: #=q
  • 0x1e6f4:$j: #=q
  • 0x1e710:$j: #=q
13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1d9e5:$x1: NanoCore.ClientPluginHost
  • 0x1da22:$x2: IClientNetworkHost
  • 0x21555:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(51 entries in total; the remaining entries are not shown here)

Sigma Overview

No Sigma rule has matched

Signature Overview



AV Detection:

Antivirus / Scanner detection for submitted sample
Source: BFSV-1F(N)_1B-8B_ANSI.exe; Avira: detected
Multi AV Scanner detection for submitted file
Source: BFSV-1F(N)_1B-8B_ANSI.exe; ReversingLabs: Detection: 43%
Yara detected Nanocore RAT
Source: Yara match; File source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6648, type: MEMORY
Source: Yara match; File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5748, type: MEMORY
Source: Yara match; File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4944, type: MEMORY
Source: Yara match; File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4544, type: MEMORY
Source: Yara match; File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6592, type: MEMORY
Source: Yara match; File source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: BFSV-1F(N)_1B-8B_ANSI.exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.c90000.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 6.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 7.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 2.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 0.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 10.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 4.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 5.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 3.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 16.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 17.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.2910000.2.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 8.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.14c0000.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 12.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 13.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.d60000.2.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.d60000.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.2c40000.2.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 16.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 9.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 12.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 9.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 1.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 7.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 17.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 3.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 1.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: BFSV-1F(N)_1B-8B_ANSI.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: BFSV-1F(N)_1B-8B_ANSI.exe; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.656376001.0000000002980000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000002.00000003.661875522.0000000002CD0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000004.00000003.667666790.0000000002ED0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000006.00000003.673425665.00000000030D0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000008.00000003.678621047.0000000002A50000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000A.00000003.687772999.0000000002560000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000003.695772930.0000000002810000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.656376001.0000000002980000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000002.00000003.661875522.0000000002CD0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000004.00000003.667666790.0000000002ED0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000006.00000003.673425665.00000000030D0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000008.00000003.678621047.0000000002A50000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000A.00000003.687772999.0000000002560000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000003.695772930.0000000002810000.00000004.00000001.sdmp
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000002.658811495.0000000000E0A000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6648, type: MEMORY
Source: Yara match; File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5748, type: MEMORY
Source: Yara match; File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4944, type: MEMORY
Source: Yara match; File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4544, type: MEMORY
Source: Yara match; File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6592, type: MEMORY
Source: Yara match; File source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6648, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6648, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5748, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5748, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4944, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4944, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4544, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4544, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6592, type: MEMORY; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6592, type: MEMORY; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPE; Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 0_2_003ED580
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe; Code function: 1_2_003ED580
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.656792236.0000000002C2F000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000002.00000003.662135152.0000000002F7F000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000004.00000003.667765526.0000000002FEF000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000006.00000003.673368529.000000000337F000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000008.00000003.678962378.00000000029D6000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 0000000A.00000003.688343785.000000000280F000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000003.695713586.0000000002796000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6648, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6648, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5748, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5748, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4944, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4944, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4544, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4544, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6592, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6592, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: classification engineClassification label: mal84.troj.winEXE@29/0@0/0
      Source: BFSV-1F(N)_1B-8B_ANSI.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: BFSV-1F(N)_1B-8B_ANSI.exeReversingLabs: Detection: 43%
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeFile read: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: unknownProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: unknownProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: unknownProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: unknownProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: unknownProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: unknownProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: unknownProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: unknownProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: unknownProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: unknownProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: unknownProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: unknownProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeProcess created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Source: BFSV-1F(N)_1B-8B_ANSI.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: wntdll.pdbUGP source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.656376001.0000000002980000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000002.00000003.661875522.0000000002CD0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000004.00000003.667666790.0000000002ED0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000006.00000003.673425665.00000000030D0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000008.00000003.678621047.0000000002A50000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000A.00000003.687772999.0000000002560000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000003.695772930.0000000002810000.00000004.00000001.sdmp
      Source: Binary string: wntdll.pdb source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000000.00000003.656376001.0000000002980000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000002.00000003.661875522.0000000002CD0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000004.00000003.667666790.0000000002ED0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000006.00000003.673425665.00000000030D0000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 00000008.00000003.678621047.0000000002A50000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000A.00000003.687772999.0000000002560000.00000004.00000001.sdmp, BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000003.695772930.0000000002810000.00000004.00000001.sdmp
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeCode function: 0_2_00405EC0 push eax; ret
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeCode function: 1_2_00405EC0 push eax; ret
      Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeCode function: 0_2_00405CA0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeCode function: 0_2_00B8ECBE mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeCode function: 0_2_00B8F5D4 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeCode function: 0_2_00B8F534 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeCode function: 0_2_00B8F715 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeCode function: 0_2_00B8F571 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeCode function: 1_2_00405CA0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeCode function: 2_2_00F5F87D mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeCode function: 2_2_00F5F8E0 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeCode function: 2_2_00F5F840 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeCode function: 2_2_00F5EFCA mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeCode function: 2_2_00F5FA21 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeCode function: 4_2_00DDF9C1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeCode function: 4_2_00DDEF6A mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exeCode function: 4_2_00DDF7E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 4_2_00DDF81D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 4_2_00DDF880 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 6_2_012FF980 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 6_2_012FF91D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 6_2_012FF06A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 6_2_012FF8E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 6_2_012FFAC1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 8_2_00B3F529 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 8_2_00B3F58C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 8_2_00B3EC76 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 8_2_00B3F4EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 8_2_00B3F6CD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 10_2_0054FB54 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 10_2_0054F2DE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 10_2_0054FBF4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 10_2_0054FB91 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 10_2_0054FD35 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 13_2_005DFAD4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 13_2_005DFA71 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 13_2_005DFC15 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 13_2_005DF1BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Code function: 13_2_005DFA34 mov eax, dword ptr fs:[00000030h]
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe | Process created: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000002.1018992662.0000000001270000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000002.1018992662.0000000001270000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000002.1018992662.0000000001270000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 0000000D.00000002.1018992662.0000000001270000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Stealing of Sensitive Information:

Yara detected Nanocore RAT
Source: Yara match | File source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6648, type: MEMORY
Source: Yara match | File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5748, type: MEMORY
Source: Yara match | File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4944, type: MEMORY
Source: Yara match | File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4544, type: MEMORY
Source: Yara match | File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6592, type: MEMORY
Source: Yara match | File source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Source: BFSV-1F(N)_1B-8B_ANSI.exe, 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
Yara detected Nanocore RAT
Source: Yara match | File source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6648, type: MEMORY
Source: Yara match | File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 5748, type: MEMORY
Source: Yara match | File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4944, type: MEMORY
Source: Yara match | File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 4544, type: MEMORY
Source: Yara match | File source: Process Memory Space: BFSV-1F(N)_1B-8B_ANSI.exe PID: 6592, type: MEMORY
Source: Yara match | File source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.BFSV-1F(N)_1B-8B_ANSI.exe.2870000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.BFSV-1F(N)_1B-8B_ANSI.exe.a10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.BFSV-1F(N)_1B-8B_ANSI.exe.1530000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.BFSV-1F(N)_1B-8B_ANSI.exe.2f40000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BFSV-1F(N)_1B-8B_ANSI.exe.d70000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.BFSV-1F(N)_1B-8B_ANSI.exe.d00000.2.unpack, type: UNPACKEDPE

      Mitre Att&ck Matrix

(Numbers in parentheses are the count of behavior signatures mapped to that technique.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection (12) | Software Packing (1) | Input Capture (1) | Process Discovery (1) | Remote Services | Input Capture (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection (12) | LSASS Memory | System Information Discovery (2) | Remote Desktop Protocol | Archive Collected Data (1) | Exfiltration Over Bluetooth | Remote Access Software (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information (1) | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data

      Behavior Graph

[Behavior graph: ID 336687, sample BFSV-1F(N)_1B-8B_ANSI.exe, start date 06/01/2021, architecture WINDOWS, score 84. Signatures attached to the graph: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures. Process nodes: the sample starts BFSV-1F(N)_1B-8B_ANSI.exe, and across seven successive levels each running copy starts two further copies of itself, one of which continues the chain.]

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label
BFSV-1F(N)_1B-8B_ANSI.exe | 43% | ReversingLabs | Win32.Trojan.Generic
BFSV-1F(N)_1B-8B_ANSI.exe | 100% | Avira | TR/Dropper.Gen
BFSV-1F(N)_1B-8B_ANSI.exe | 100% | Joe Sandbox ML |

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

Source | Detection | Scanner | Label
10.2.BFSV-1F(N)_1B-8B_ANSI.exe.c90000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
6.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
7.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
2.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
0.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
10.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
4.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
5.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
6.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
13.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
10.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
6.2.BFSV-1F(N)_1B-8B_ANSI.exe.1430000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
3.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
4.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
16.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
17.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
0.2.BFSV-1F(N)_1B-8B_ANSI.exe.2910000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
5.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
8.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
4.2.BFSV-1F(N)_1B-8B_ANSI.exe.14c0000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
12.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
13.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
13.2.BFSV-1F(N)_1B-8B_ANSI.exe.d60000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
8.2.BFSV-1F(N)_1B-8B_ANSI.exe.d60000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
2.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
2.2.BFSV-1F(N)_1B-8B_ANSI.exe.2c40000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
8.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
16.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
9.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
12.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
9.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
1.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
7.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
17.2.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
3.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen
1.0.BFSV-1F(N)_1B-8B_ANSI.exe.3e0000.0.unpack | 100% | Avira | TR/Dropper.Gen

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted IPs

      No contacted IP infos

      General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 336687
Start date: 06.01.2021
Start time: 17:30:37
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 48s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: BFSV-1F(N)_1B-8B_ANSI.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.troj.winEXE@29/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe

      Simulations

      Behavior and APIs

      No simulations

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      No created / dropped files found

      Static File Info

      General

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.5209083744680925
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: BFSV-1F(N)_1B-8B_ANSI.exe
File size: 451584
MD5: 157d3320cafb9799ed5d996692e8bea7
SHA1: b8dc9d3720b84695bc18a4310a5f34e2603fc829
SHA256: 5b474ca6fc8158bd6f14d53bca8962f25db3392dfe324f49ddf376610bd785e4
SHA512: aafe5ef3c4e7f0f24eb41da724b6a518bf18f5226e00e3318a888ab0b69de6724ee3da4fa210080f29f254f6a043ecfaa4753a841a21ef6f3f39c338feed8983
SSDEEP: 12288:aVZsUDYE0ewlQyiKIRhyIAI6vFxxBEEmfVfXeVKl:aV7XGQyjI2IAJxxA52Kl
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......&+..bJ..bJ..bJ...=K.nJ..bJ..MJ...U..aJ...V..`J...U..iJ..E.<.cJ..E.;.cJ..E.>.cJ..RichbJ..........PE..L...>t._.................R.

      File Icon

Icon Hash: 74f4c4ccccd4d0d4

      Static PE Info

      General

Entrypoint: 0x425eef
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5FF5743E [Wed Jan 6 08:26:38 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 31c815897a3b55d8d8afcee958fa181c

      Entrypoint Preview

      Instruction
      push ebp
      mov ebp, esp
      push FFFFFFFFh
      push 004270D0h
      push 00426070h
      mov eax, dword ptr fs:[00000000h]
      push eax
      mov dword ptr fs:[00000000h], esp
      sub esp, 68h
      push ebx
      push esi
      push edi
      mov dword ptr [ebp-18h], esp
      xor ebx, ebx
      mov dword ptr [ebp-04h], ebx
      push 00000002h
      call dword ptr [00427044h]
      pop ecx
      or dword ptr [00428054h], FFFFFFFFh
      or dword ptr [00428058h], FFFFFFFFh
      call dword ptr [00427048h]
      mov ecx, dword ptr [00428050h]
      mov dword ptr [eax], ecx
      call dword ptr [0042704Ch]
      mov ecx, dword ptr [0042804Ch]
      mov dword ptr [eax], ecx
      mov eax, dword ptr [00427050h]
      mov eax, dword ptr [eax]
      mov dword ptr [0042805Ch], eax
      call 00007F8C60F8ED06h
      cmp dword ptr [00428030h], ebx
      jne 00007F8C60F8EBFEh
      push 0042606Ch
      call dword ptr [00427054h]
      pop ecx
      call 00007F8C60F8ECD8h
      push 0042800Ch
      push 00428008h
      call 00007F8C60F8ECC3h
      mov eax, dword ptr [00428048h]
      mov dword ptr [ebp-6Ch], eax
      lea eax, dword ptr [ebp-6Ch]
      push eax
      push dword ptr [00428044h]
      lea eax, dword ptr [ebp-64h]
      push eax
      lea eax, dword ptr [ebp-70h]
      push eax
      lea eax, dword ptr [ebp-60h]
      push eax
      call dword ptr [0042705Ch]
      push 00428004h
      push 00428000h
      call 00007F8C60F8EC90h

      Rich Headers

      Programming Language:
      • [ C ] VS98 (6.0) build 8168
      • [LNK] VS2012 build 50727
      • [ C ] VS2012 build 50727
      • [LNK] VS98 (6.0) imp/exp build 8168
      • [RES] VS2012 build 50727

      Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x270dc | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x29000 | 0x4138 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e000 | 0xa4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x27000 | 0xd0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

      Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x25124 | 0x25200 | False | 0.416831071128 | data | 5.57014558903 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x27000 | 0x5ac | 0x600 | False | 0.51171875 | data | 4.78880407178 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x28000 | 0x60 | 0x200 | False | 0.056640625 | data | 0.195201267787 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x29000 | 0x4138 | 0x4200 | False | 0.816761363636 | data | 7.55093870165 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2e000 | 0x264 | 0x400 | False | 0.1689453125 | data | 1.22391765681 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

      Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x29100 | 0x2615 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_RCDATA | 0x2b730 | 0x1a05 | data | English | United States
RT_GROUP_ICON | 0x2b718 | 0x14 | data | English | United States

      Imports

DLL | Import
MSVCRT.dll | _controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, free, exit, _XcptFilter, _exit, malloc
KERNEL32.dll | GetStartupInfoA, GetModuleHandleA
MSACM32.dll | acmDriverMessage, acmDriverPriority, acmFilterChooseW, acmFilterDetailsA, acmFilterEnumW, acmFormatTagEnumW
mscms.dll | UnregisterCMMA, CloseColorProfile, UninstallColorProfileW, CheckBitmapBits
WINSPOOL.DRV | DeleteMonitorA, EnumMonitorsA, EnumPrintProcessorDatatypesW, PrinterMessageBoxA, ResetPrinterW, GetPrinterA, AddPrinterConnectionW
COMDLG32.dll | GetFileTitleW, ChooseColorW, ReplaceTextA, PageSetupDlgA
SHLWAPI.dll | GetMenuPosFromID, StrCmpNW, StrToIntW, SHQueryValueExA, PathGetDriveNumberA, PathFindNextComponentW, SHRegEnumUSKeyW

      Possible Origin

Language of compilation system | Country where language is spoken
English | United States

      Network Behavior

      No network behavior found

      System Behavior

      General

Start time: 17:31:25
Start date: 06/01/2021
Path: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
Imagebase: 0x3e0000
File size: 451584 bytes
MD5 hash: 157D3320CAFB9799ED5D996692E8BEA7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.658023980.0000000000D70000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

      General

Start time: 17:31:28
Start date: 06/01/2021
Path: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Wow64 process (32bit): false
Commandline: 'C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe'
Imagebase: 0x3e0000
File size: 451584 bytes
MD5 hash: 157D3320CAFB9799ED5D996692E8BEA7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

      General

Start time: 17:31:29
Start date: 06/01/2021
Path: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Imagebase: 0x3e0000
File size: 451584 bytes
MD5 hash: 157D3320CAFB9799ED5D996692E8BEA7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000002.00000002.664101566.0000000001430000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

      General

Start time: 17:31:31
Start date: 06/01/2021
Path: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Imagebase: 0x3e0000
File size: 451584 bytes
MD5 hash: 157D3320CAFB9799ED5D996692E8BEA7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

      General

Start time: 17:31:31
Start date: 06/01/2021
Path: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Imagebase: 0x3e0000
File size: 451584 bytes
MD5 hash: 157D3320CAFB9799ED5D996692E8BEA7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000004.00000002.670372139.0000000001530000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

      General

Start time: 17:31:33
Start date: 06/01/2021
Path: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Imagebase: 0x3e0000
File size: 451584 bytes
MD5 hash: 157D3320CAFB9799ED5D996692E8BEA7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

      General

Start time: 17:31:34
Start date: 06/01/2021
Path: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Imagebase: 0x3e0000
File size: 451584 bytes
MD5 hash: 157D3320CAFB9799ED5D996692E8BEA7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000006.00000002.675497262.0000000002F40000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

      General

Start time: 17:31:36
Start date: 06/01/2021
Path: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Imagebase: 0x3e0000
File size: 451584 bytes
MD5 hash: 157D3320CAFB9799ED5D996692E8BEA7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

      General

Start time: 17:31:37
Start date: 06/01/2021
Path: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
Imagebase: 0x3e0000
File size: 451584 bytes
MD5 hash: 157D3320CAFB9799ED5D996692E8BEA7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000008.00000002.686570986.0000000002870000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

      General

      Start time:17:31:38
      Start date:06/01/2021
      Path:C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Wow64 process (32bit):false
      Commandline:C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Imagebase:0x3e0000
      File size:451584 bytes
      MD5 hash:157D3320CAFB9799ED5D996692E8BEA7
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low

      General

      Start time:17:31:39
      Start date:06/01/2021
      Path:C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Wow64 process (32bit):true
      Commandline:C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Imagebase:0x3e0000
      File size:451584 bytes
      MD5 hash:157D3320CAFB9799ED5D996692E8BEA7
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.691981291.0000000000D00000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Reputation:low

      General

      Start time:17:31:43
      Start date:06/01/2021
      Path:C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Wow64 process (32bit):false
      Commandline:C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Imagebase:0x3e0000
      File size:451584 bytes
      MD5 hash:157D3320CAFB9799ED5D996692E8BEA7
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low

      General

      Start time:17:31:44
      Start date:06/01/2021
      Path:C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Wow64 process (32bit):true
      Commandline:C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Imagebase:0x3e0000
      File size:451584 bytes
      MD5 hash:157D3320CAFB9799ED5D996692E8BEA7
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 0000000D.00000002.1018854481.0000000000A10000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Reputation:low

      General

      Start time:17:31:46
      Start date:06/01/2021
      Path:C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Wow64 process (32bit):false
      Commandline:C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Imagebase:0x3e0000
      File size:451584 bytes
      MD5 hash:157D3320CAFB9799ED5D996692E8BEA7
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low

      General

      Start time:17:31:47
      Start date:06/01/2021
      Path:C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Wow64 process (32bit):true
      Commandline:C:\Users\user\Desktop\BFSV-1F(N)_1B-8B_ANSI.exe
      Imagebase:0x360000
      File size:451584 bytes
      MD5 hash:157D3320CAFB9799ED5D996692E8BEA7
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:low

      Disassembly

      Code Analysis
