Analysis Report Paypal Payment Authorization pdf.exe

Overview

General Information

Sample Name: Paypal Payment Authorization pdf.exe
Analysis ID: 337761
MD5: 43796c264cd5716211cca1333d02c545
SHA1: cd0af8e864d885c7495a0783a17daa185c7ac224
SHA256: 1d7e3f93b597143dc7762692af6d463b43feac3372d01a1ced3e9e6741205533
Tags: exe, NanoCore, RAT

Errors
  • Sigma syntax error: Has an empty selector, Rule: Abusing Azure Browser SSO

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Conhost Parent Process Executions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Paypal Payment Authorization pdf.exe (PID: 4544 cmdline: 'C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe' MD5: 43796C264CD5716211CCA1333D02C545)
    • Paypal Payment Authorization pdf.exe (PID: 6136 cmdline: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe MD5: 43796C264CD5716211CCA1333D02C545)
      • schtasks.exe (PID: 2800 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2E95.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 4352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • dhcpmon.exe (PID: 788 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 43796C264CD5716211CCA1333D02C545)
      • schtasks.exe (PID: 5496 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3184.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 2776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 5912 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 43796C264CD5716211CCA1333D02C545)
    • dhcpmon.exe (PID: 4928 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 43796C264CD5716211CCA1333D02C545)
  • dhcpmon.exe (PID: 4352 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 43796C264CD5716211CCA1333D02C545)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.244.38.210"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x435bd:$a: NanoCore
  • 0x43616:$a: NanoCore
  • 0x43653:$a: NanoCore
  • 0x436cc:$a: NanoCore
  • 0x56d77:$a: NanoCore
  • 0x56d8c:$a: NanoCore
  • 0x56dc1:$a: NanoCore
  • 0x6fd4b:$a: NanoCore
  • 0x6fd60:$a: NanoCore
  • 0x6fd95:$a: NanoCore
  • 0x4361f:$b: ClientPlugin
  • 0x4365c:$b: ClientPlugin
  • 0x43f5a:$b: ClientPlugin
  • 0x43f67:$b: ClientPlugin
  • 0x56b33:$b: ClientPlugin
  • 0x56b4e:$b: ClientPlugin
  • 0x56b7e:$b: ClientPlugin
  • 0x56d95:$b: ClientPlugin
  • 0x56dca:$b: ClientPlugin
  • 0x6fb07:$b: ClientPlugin
  • 0x6fb22:$b: ClientPlugin
(50 memory-dump entries in total; the remaining matches are not reproduced on this page)

Unpacked PEs

Source | Rule | Description | Author
12.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.dhcpmon.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
12.2.dhcpmon.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
12.2.dhcpmon.exe.400000.0.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detects the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(7 unpacked-PE entries in total; the remaining matches are not reproduced on this page)
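The offset rows above are the raw output of string matching; the following scanner reproduces them for the literal strings of the two community rules shown (Nanocore_RAT_Gen_2 by Florian Roth and NanoCore by Kevin Breen) and evaluates a Yara-style "N of them" condition. This is an added example, not part of the sandbox report and not the rule authors' code: the thresholds (any one of $x1-$x3 for Gen_2, six of the $a-$j strings for Breen's rule) are assumptions for illustration rather than the rules' published conditions, and the scanned buffer is constructed, not the sample's memory.

```python
"""Re-create the string/offset rows of the Yara Overview with a plain scanner.

Added example, not part of the sandbox report and not the rule authors' code.
It searches a buffer for the literal strings that the two public NanoCore rules
shown above (Nanocore_RAT_Gen_2 by Florian Roth, NanoCore by Kevin Breen) match
on, reports offsets in the same "0x<offset>:$id: <string>" form, and evaluates a
Yara-style "N of them" condition. The thresholds used here are assumptions for
illustration, not the rules' published conditions; the buffer is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Identifiers and literals exactly as they appear in the match tables above.
GEN_2_STRINGS: dict[str, bytes] = {
    "$x1": b"NanoCore.ClientPluginHost",
    "$x2": b"IClientNetworkHost",
    "$x3": b"#=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe",
}
BREEN_STRINGS: dict[str, bytes] = {
    "$a": b"NanoCore",
    "$b": b"ClientPlugin",
    "$c": b"ProjectData",
    "$d": b"DESCrypto",
    "$e": b"KeepAlive",
    "$g": b"LogClientMessage",
    "$i": b"get_Connected",
    "$j": b"#=q",  # prefix an obfuscator leaves on renamed .NET identifiers
}


@dataclass(frozen=True)
class Hit:
    ident: str
    offset: int
    data: bytes


def find_all(buf: bytes, strings: dict[str, bytes]) -> list[Hit]:
    """Every occurrence of every string, sorted by identifier then offset."""
    hits: list[Hit] = []
    for ident, needle in strings.items():
        start = 0
        while (pos := buf.find(needle, start)) != -1:
            hits.append(Hit(ident, pos, needle))
            start = pos + 1  # advance by one so overlapping hits are kept
    return sorted(hits, key=lambda h: (h.ident, h.offset))


def n_of_them(buf: bytes, strings: dict[str, bytes], n: int) -> bool:
    """Yara 'n of them': at least n distinct identifiers matched at least once."""
    return len({h.ident for h in find_all(buf, strings)}) >= n


def render(hits: list[Hit]) -> list[str]:
    """Rows in the report's '0x<offset>:$id: <string>' format."""
    return [f"0x{h.offset:x}:{h.ident}: {h.data.decode('ascii')}" for h in hits]


def scan(buf: bytes) -> dict[str, bool]:
    """Evaluate both rule approximations against one buffer."""
    return {
        # assumption: Gen_2 fires on any one of its three marker strings
        "Nanocore_RAT_Gen_2": n_of_them(buf, GEN_2_STRINGS, 1),
        # assumption: Breen's rule fires once six of its strings are present
        "NanoCore": n_of_them(buf, BREEN_STRINGS, 6),
    }


def build_sample() -> bytes:
    """Constructed buffer standing in for an unpacked .NET image: an MZ header,
    0x100 bytes of padding, then NUL-separated marker strings."""
    blob = bytearray(b"MZ" + b"\x00" * 0x100)
    for s in (b"NanoCore.ClientPluginHost", b"IClientNetworkHost", b"ClientPlugin",
              b"ProjectData", b"DESCrypto", b"KeepAlive", b"LogClientMessage",
              b"get_Connected"):
        blob += s + b"\x00"
    return bytes(blob)


if __name__ == "__main__":
    sample = build_sample()
    for row in render(find_all(sample, GEN_2_STRINGS) + find_all(sample, BREEN_STRINGS)):
        print(row)
    print(scan(sample))
```

Two things the scanner makes visible: "NanoCore" and "ClientPlugin" are substrings of "NanoCore.ClientPluginHost", so Breen's $a and Roth's $x1 land on the same offset (the report shows both at 0xff8d in the first memory dump), and a three-byte string such as $j would be noisy on its own, which is why that rule requires several strings together rather than any single one.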

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security
Data: EventID: 11, Image: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe, ProcessId: 6136, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security
Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2E95.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2E95.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe, ParentImage: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe, ParentProcessId: 6136, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2E95.tmp', ProcessId: 2800

Sigma detected: Conhost Parent Process Executions
Source: Process started | Author: omkar72
Data: Command: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, CommandLine: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, NewProcessName: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, OriginalFileName: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ParentCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 4352, ProcessCommandLine: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, ProcessId: 788
Note on this match: PID 4352 appears twice in the process tree above, once as the conhost.exe spawned for schtasks.exe 2800 and once as a separate dhcpmon.exe instance. The conhost.exe parent attributed to dhcpmon.exe 788 is therefore plausibly a PID-reuse artifact, with dhcpmon.exe 4352 as the real parent (the same self-spawning pattern as dhcpmon.exe 5912 -> 4928); treat this Sigma match as lower confidence than the NanoCore and schtasks matches.
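The two behaviours the process tree and the Sigma matches above tie together are a scheduled task registered from an XML file in the user's Temp directory and the sample re-executing under a new name from Program Files (x86) with its original MD5. The following detection logic, an added example that is not part of the report and not the selectors of the published Sigma rules, runs both checks over Sysmon-style process-creation events constructed from the Data: lines above; the command-line parsing and the hash comparison are simplifications of my own, and the benign control event at the end is invented for contrast.

```python
"""Two detections drawn from the Sigma matches and process tree above:
(1) schtasks.exe registering a task from an XML file that lives in a Temp
directory (the 'Scheduled temp file as task from temp location' match), and
(2) a process whose file hash equals the submitted sample but whose image path
differs (the dhcpmon.exe copy under Program Files (x86)).

Added example, not part of the report and not the published Sigma rules'
selectors; the argument parsing and hash comparison are my own simplified
logic. Events are constructed from the Data: fields above plus one benign
control event; any field not in the report is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

SAMPLE_PATH = r"C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe"
SAMPLE_MD5 = "43796C264CD5716211CCA1333D02C545"
SCHTASKS_MD5 = "15FF7D8324231381BAD48A052F85DF04"

# Joe Sandbox renders double quotes as single quotes; accept both.
_TOKEN_RE = re.compile(r"""'[^']*'|"[^"]*"|\S+""")
_TEMP_DIR_RE = re.compile(r"\\temp\\|\\tmp\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str
    md5: str


def tokenize(cmd: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring quoted arguments."""
    return [t.strip("'\"") for t in _TOKEN_RE.findall(cmd)]


def _value_after(tokens: list[str], switch: str) -> str:
    """Argument following a /switch (case-insensitive), or '' if absent."""
    lowered = [t.lower() for t in tokens]
    if switch not in lowered or lowered.index(switch) + 1 >= len(tokens):
        return ""
    return tokens[lowered.index(switch) + 1]


def schtasks_from_temp(ev: ProcEvent) -> Optional[dict]:
    """schtasks.exe /create ... /xml <path> where <path> is under a Temp dir."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    toks = tokenize(ev.command_line)
    if "/create" not in (t.lower() for t in toks):
        return None
    xml_path = _value_after(toks, "/xml")
    if not xml_path or not _TEMP_DIR_RE.search(xml_path):
        return None
    return {"rule": "schtasks_task_from_temp_xml", "pid": ev.pid,
            "task": _value_after(toks, "/tn"), "xml": xml_path,
            "parent": ev.parent_image}


def relocated_sample(ev: ProcEvent, md5: str = SAMPLE_MD5,
                     path: str = SAMPLE_PATH) -> Optional[dict]:
    """Same hash as the submitted sample, executing from a different path."""
    if ev.md5.upper() != md5.upper() or ev.image.lower() == path.lower():
        return None
    return {"rule": "sample_hash_relocated", "pid": ev.pid, "image": ev.image}


def detect(events: Iterable[ProcEvent]) -> list[dict]:
    """Run both checks over every event and collect the hits in order."""
    findings = []
    for ev in events:
        for hit in (schtasks_from_temp(ev), relocated_sample(ev)):
            if hit is not None:
                findings.append(hit)
    return findings


EVENTS = [  # constructed from the process tree and Sigma Data: lines above
    ProcEvent(6136, SAMPLE_PATH, SAMPLE_PATH, 4544, SAMPLE_PATH, SAMPLE_MD5),
    ProcEvent(2800, r"C:\Windows\SysWOW64\schtasks.exe",
              r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp2E95.tmp'",
              6136, SAMPLE_PATH, SCHTASKS_MD5),
    ProcEvent(5496, r"C:\Windows\SysWOW64\schtasks.exe",
              r"'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp3184.tmp'",
              6136, SAMPLE_PATH, SCHTASKS_MD5),
    ProcEvent(788, r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
              r"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe",
              4352, r"C:\Windows\System32\conhost.exe", SAMPLE_MD5),
    # benign control (constructed): a task registered from an XML kept in Documents
    ProcEvent(9001, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "Nightly Backup" /xml "C:\Users\admin\Documents\backup.xml"',
              9000, r"C:\Windows\System32\cmd.exe", SCHTASKS_MD5),
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The hash check is what separates the dhcpmon.exe copy from a genuine service binary: the name and path are chosen to look legitimate, but the MD5 is the submitted sample's. The parent-process field is carried through untouched, so a PID-reuse situation like the one noted above is visible in the finding but is not resolved by this logic; that needs process start and end timestamps, which these events do not carry.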

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Paypal Payment Authorization pdf.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Found malware configuration
Source: Paypal Payment Authorization pdf.exe.4348.7.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["185.244.38.210"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 52%
Multi AV Scanner detection for submitted file
Source: Paypal Payment Authorization pdf.exe | ReversingLabs: Detection: 52%
Yara detected Nanocore RAT
Source: Yara match | File source: 0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.282400561.00000000027E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.268198186.0000000003809000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.257617015.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.266349011.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.248386256.00000000038D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.282484135.00000000037E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.229389547.0000000003839000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.268089458.0000000002801000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.243400566.0000000003E79000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.267647233.0000000003D09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4544, type: MEMORY
Source: Yara match | File source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4348, type: MEMORY
Source: Yara match | File source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 5444, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 5912, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 788, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 4352, type: MEMORY
Source: Yara match | File source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Paypal Payment Authorization pdf.exe | Joe Sandbox ML: detected
Source: 8.2.dhcpmon.exe.470000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 0.0.Paypal Payment Authorization pdf.exe.440000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 6.2.Paypal Payment Authorization pdf.exe.930000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 12.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.0.dhcpmon.exe.450000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 8.0.dhcpmon.exe.470000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 6.0.Paypal Payment Authorization pdf.exe.930000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 10.0.dhcpmon.exe.9d0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 9.2.dhcpmon.exe.450000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 9.0.dhcpmon.exe.450000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 9.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.Paypal Payment Authorization pdf.exe.630000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 7.0.Paypal Payment Authorization pdf.exe.630000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 10.2.dhcpmon.exe.9d0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 0.2.Paypal Payment Authorization pdf.exe.440000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 1.0.Paypal Payment Authorization pdf.exe.ab0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 12.2.dhcpmon.exe.450000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: Paypal Payment Authorization pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Paypal Payment Authorization pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RunPE.pdb | source: Paypal Payment Authorization pdf.exe, 00000000.00000002.229334209.0000000002831000.00000004.00000001.sdmp, Paypal Payment Authorization pdf.exe, 00000006.00000002.243331552.0000000002E71000.00000004.00000001.sdmp, dhcpmon.exe, 00000008.00000002.248280032.00000000028D1000.00000004.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.267476892.0000000002D01000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb | source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb | source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb | source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 185.244.38.210
Source: global traffic | TCP traffic: 192.168.2.7:49721 -> 185.244.38.210:7008
Source: Joe Sandbox View | ASN Name: ASN-QUADRANET-GLOBALUS
Source: unknown | TCP traffic detected without corresponding DNS query: 185.244.38.210 (this entry is repeated 50 times in the report; the repeats are omitted here)
Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: Paypal Payment Authorization pdf.exe, 00000000.00000002.229112118.0000000000C4B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Paypal Payment Authorization pdf.exe, 00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
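The two network observations above, a connection to 185.244.38.210:7008 with no DNS query that produced that address and a destination port outside the usual client set, are both simple correlations over flow and DNS records. The following triage routine is an added example, not part of the report: only the C2 flow's addresses and port come from the report, while the timestamps, the control flow to 203.0.113.10 and its hostname are constructed for contrast, and the set of "standard" ports is an assumption to tune per environment.

```python
"""Network triage for the two observations above: a TCP connection to
185.244.38.210:7008 with no DNS answer that produced that address, and a
destination port outside the usual client set.

Added example, not part of the report. The flow and DNS records are constructed
(timestamps, the control flow to 203.0.113.10 and its hostname are invented for
contrast); only the C2 flow's addresses and port come from the report.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Destination ports a sandbox or NSM would normally treat as standard for
# outbound client traffic (assumption; tune to the environment).
STANDARD_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 3389, 8080}

# RFC 1918 ranges; traffic staying inside them is out of scope for this check.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class DnsAnswer:
    ts: float  # seconds since capture start
    name: str
    ip: str


@dataclass(frozen=True)
class TcpFlow:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def resolved_names(flow: TcpFlow, answers: Iterable[DnsAnswer],
                   lookback: float = 300.0) -> list[str]:
    """Hostnames that resolved to flow.dst in the `lookback` window before the SYN.
    An answer that arrives after the connection does not explain it."""
    return [a.name for a in answers
            if a.ip == flow.dst and flow.ts - lookback <= a.ts <= flow.ts]


def triage(flows: Iterable[TcpFlow], answers: Iterable[DnsAnswer]) -> list[dict]:
    """One finding per external flow that is unresolved by DNS, uses a
    non-standard destination port, or both."""
    answer_list = list(answers)
    findings = []
    for f in flows:
        if is_internal(f.dst):
            continue
        names = resolved_names(f, answer_list)
        reasons = []
        if not names:
            reasons.append("no DNS answer for destination")
        if f.dport not in STANDARD_PORTS:
            reasons.append(f"non-standard port {f.dport}")
        if reasons:
            findings.append({"src": f"{f.src}:{f.sport}", "dst": f"{f.dst}:{f.dport}",
                             "names": names, "reasons": reasons})
    return findings


ANSWERS = [DnsAnswer(10.0, "updates.example.net", "203.0.113.10")]  # constructed
FLOWS = [
    TcpFlow(12.0, "192.168.2.7", 49720, "203.0.113.10", 443),    # constructed control
    TcpFlow(15.0, "192.168.2.7", 49721, "185.244.38.210", 7008),  # from the report
]

if __name__ == "__main__":
    for finding in triage(FLOWS, ANSWERS):
        print(finding)
```

A hard-coded C2 address, as the extracted configuration shows here, is exactly what produces the "no corresponding DNS query" condition; on a real network the same condition also arises when the resolution happened before capture started or over an encrypted resolver, so the port and the configuration extract are what turn the finding into a confident one.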

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | the same 22 memory-dump, process-memory and unpacked-PE sources listed under AV Detection above

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.282400561.00000000027E1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000002.268198186.0000000003809000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000002.257617015.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000007.00000002.257617015.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000002.266349011.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000009.00000002.266349011.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.248386256.00000000038D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000002.248386256.00000000038D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.282484135.00000000037E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.229389547.0000000003839000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.229389547.0000000003839000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000009.00000002.268089458.0000000002801000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000002.264137814.0000000002988000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000006.00000002.243400566.0000000003E79000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000006.00000002.243400566.0000000003E79000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000A.00000002.267647233.0000000003D09000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000A.00000002.267647233.0000000003D09000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4544, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4544, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4348, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4348, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 5444, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 5444, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 5912, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 5912, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 788, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 788, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 4352, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 4352, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 6136, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 9.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 9.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Executable has a suspicious name (potential lure to open the executable)
        Source: Paypal Payment Authorization pdf.exe | Static file information: Suspicious name
        Initial sample is a PE file and has a suspicious name
        Source: initial sample | Static PE information: Filename: Paypal Payment Authorization pdf.exe
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe | Code function: 6_2_012E20A8
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe | Code function: 6_2_012E3239
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe | Code function: 6_2_012E2FE8
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe | Code function: 6_2_012E2FD8
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe | Code function: 7_2_028FE480
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe | Code function: 7_2_028FE471
        Source: C:\Users\user\Desktop\Paypal Payment Authorization pdf.exe | Code function: 7_2_028FBBD4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 8_2_00E820A8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 8_2_00E83008
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 8_2_00E83272
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_04D84A50
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_04D83E30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 9_2_04D84B08
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_012820B3
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_01283239
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_01283248
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_01282FE8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_01282FDB
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_0100E471
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_0100E480
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_0100BBD4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_04E54A50
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_04E53E30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 12_2_04E54B08
        Source: Paypal Payment Authorization pdf.exe, 00000000.00000002.229334209.0000000002831000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPE.dll" vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000000.00000002.229112118.0000000000C4B000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000006.00000002.243331552.0000000002E71000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPE.dll" vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe, 00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Paypal Payment Authorization pdf.exe
        Source: Paypal Payment Authorization pdf.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.281240988.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.264202941.0000000003959000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000001.00000003.248761049.0000000004A77000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.282400561.00000000027E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.268198186.0000000003809000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.257617015.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000002.257617015.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.266349011.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000009.00000002.266349011.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.248386256.00000000038D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.248386256.00000000038D9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.282484135.00000000037E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.229389547.0000000003839000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.229389547.0000000003839000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000009.00000002.268089458.0000000002801000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.264137814.0000000002988000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000006.00000002.243400566.0000000003E79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000006.00000002.243400566.0000000003E79000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000A.00000002.267647233.0000000003D09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000A.00000002.267647233.0000000003D09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4544, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4544, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4348, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 4348, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 5444, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 5444, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 4928, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 5912, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 5912, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 788, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 788, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 4352, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 4352, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Paypal Payment Authorization pdf.exe PID: 6136, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.Paypal Payment Authorization pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 9.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched