
Analysis Report Doc#6620200947535257653.exe

Overview

General Information

Sample Name: Doc#6620200947535257653.exe
Analysis ID: 338654
MD5: 6618b8298100d5fb25d23b498a33d492
SHA1: bd61a9c97e54b031ae4eaeb7f69f2006454e1edc
SHA256: 96cdf96daea9002d2dcf31e5d37b7df4942ef6085209df1f6b269b9baca3e40a
Tags: exe, Hostwinds, NanoCore, RAT

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Doc#6620200947535257653.exe (PID: 4120 cmdline: 'C:\Users\user\Desktop\Doc#6620200947535257653.exe' MD5: 6618B8298100D5FB25D23B498A33D492)
    • gjhgkuytgkgfgd.exe (PID: 6308 cmdline: 'C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe' MD5: 6618B8298100D5FB25D23B498A33D492)
      • AddInProcess32.exe (PID: 5820 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • ffgfhfjftdghghrghse.exe (PID: 5404 cmdline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • ffgfhfjftdghghrghse.exe (PID: 5768 cmdline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • ffgfhfjftdghghrghse.exe (PID: 6288 cmdline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • ffgfhfjftdghghrghse.exe (PID: 5056 cmdline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • ffgfhfjftdghghrghse.exe (PID: 4516 cmdline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • ffgfhfjftdghghrghse.exe (PID: 6408 cmdline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • ffgfhfjftdghghrghse.exe (PID: 5968 cmdline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • ffgfhfjftdghghrghse.exe (PID: 6112 cmdline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • ffgfhfjftdghghrghse.exe (PID: 5368 cmdline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • ffgfhfjftdghghrghse.exe (PID: 6836 cmdline: 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.157.160.233"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source: 00000017.00000002.692289484.0000000003EB9000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000017.00000002.692289484.0000000003EB9000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
    • 0x2f25:$a: NanoCore
    • 0x2f7e:$a: NanoCore
    • 0x2fbb:$a: NanoCore
    • 0x3034:$a: NanoCore
    • 0x166df:$a: NanoCore
    • 0x166f4:$a: NanoCore
    • 0x16729:$a: NanoCore
    • 0x2f1ab:$a: NanoCore
    • 0x2f1c0:$a: NanoCore
    • 0x2f1f5:$a: NanoCore
    • 0x2f87:$b: ClientPlugin
    • 0x2fc4:$b: ClientPlugin
    • 0x38c2:$b: ClientPlugin
    • 0x38cf:$b: ClientPlugin
    • 0x1649b:$b: ClientPlugin
    • 0x164b6:$b: ClientPlugin
    • 0x164e6:$b: ClientPlugin
    • 0x166fd:$b: ClientPlugin
    • 0x16732:$b: ClientPlugin
    • 0x2ef67:$b: ClientPlugin
    • 0x2ef82:$b: ClientPlugin
Source: 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
    • 0x10b87:$x1: NanoCore.ClientPluginHost
    • 0x569c5:$x1: NanoCore.ClientPluginHost
    • 0x10bc4:$x2: IClientNetworkHost
    • 0x56a02:$x2: IClientNetworkHost
    • 0x146f7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    • 0x5a535:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
      • 0x108ef:$a: NanoCore
      • 0x108ff:$a: NanoCore
      • 0x10b33:$a: NanoCore
      • 0x10b47:$a: NanoCore
      • 0x10b87:$a: NanoCore
      • 0x5672d:$a: NanoCore
      • 0x5673d:$a: NanoCore
      • 0x56971:$a: NanoCore
      • 0x56985:$a: NanoCore
      • 0x569c5:$a: NanoCore
      • 0x1094e:$b: ClientPlugin
      • 0x10b50:$b: ClientPlugin
      • 0x10b90:$b: ClientPlugin
      • 0x5678c:$b: ClientPlugin
      • 0x5698e:$b: ClientPlugin
      • 0x569ce:$b: ClientPlugin
      • 0x10a75:$c: ProjectData
      • 0x44762:$c: ProjectData
      • 0x568b3:$c: ProjectData
      • 0x1147c:$d: DESCrypto
      • 0x572ba:$d: DESCrypto

Unpacked PEs

Source: 23.2.AddInProcess32.exe.52e0000.3.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
      • 0xe75:$x1: NanoCore.ClientPluginHost
      • 0xe8f:$x2: IClientNetworkHost
Source: 23.2.AddInProcess32.exe.52e0000.3.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
      • 0xe75:$x2: NanoCore.ClientPluginHost
      • 0x1261:$s3: PipeExists
      • 0x1136:$s4: PipeCreated
      • 0xeb0:$s5: IClientLoggingHost
Source: 23.2.AddInProcess32.exe.400000.0.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 23.2.AddInProcess32.exe.400000.0.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
      • 0xff05:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
Source: 23.2.AddInProcess32.exe.400000.0.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ProcessId: 5820, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: AddInProcess32.exe.5820.23.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["185.157.160.233"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Yara detected Nanocore RAT
Source: Yara match | File source: 00000017.00000002.692289484.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.314242326.000000000484F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.704326696.0000000004721000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.672265622.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.701805555.0000000005720000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.704615515.000000000499C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.704483178.000000000483F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 5820, type: MEMORY
Source: Yara match | File source: Process Memory Space: gjhgkuytgkgfgd.exe PID: 6308, type: MEMORY
Source: Yara match | File source: Process Memory Space: Doc#6620200947535257653.exe PID: 4120, type: MEMORY
Source: Yara match | File source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.AddInProcess32.exe.5720000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 23.2.AddInProcess32.exe.5720000.6.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Doc#6620200947535257653.exe | Joe Sandbox ML: detected
Source: 23.2.AddInProcess32.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 23.2.AddInProcess32.exe.5720000.6.unpack | Avira: Label: TR/NanoCore.fadte
Source: Doc#6620200947535257653.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Doc#6620200947535257653.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb source: Doc#6620200947535257653.exe, 00000000.00000003.287381501.0000000001C16000.00000004.00000001.sdmp, AddInProcess32.exe, AddInProcess32.exe.0.dr
Source: Binary string: AddInProcess32.pdbpw source: Doc#6620200947535257653.exe, 00000000.00000003.287381501.0000000001C16000.00000004.00000001.sdmp, AddInProcess32.exe, 00000017.00000000.388454489.0000000000882000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 4x nop then jmp 01B0F62Eh | 0_2_01B0EE58
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 4x nop then jmp 0199F62Eh | 16_2_0199EE58
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 4x nop then jmp 05DF88CFh | 16_2_05DF87A0
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 4x nop then jmp 05DF88CFh | 16_2_05DF8790
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 4x nop then jmp 05DF7D76h | 16_2_05DF7C80
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 4x nop then jmp 05DF7D76h | 16_2_05DF7C71
Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Code function: 4x nop then jmp 012D0799h | 26_2_012D0560
Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Code function: 4x nop then jmp 012D0799h | 26_2_012D0555
Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Code function: 4x nop then jmp 02B50799h | 29_2_02B50560
Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Code function: 4x nop then jmp 02B50799h | 29_2_02B50551
Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Code function: 4x nop then jmp 01530799h | 30_2_01530560
Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Code function: 4x nop then jmp 01530799h | 30_2_01530555
Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Code function: 4x nop then jmp 01880799h | 31_2_01880560
Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe | Code function: 4x nop then jmp 01880799h | 31_2_01880551

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 185.157.160.233
Source: global traffic | TCP traffic: 192.168.2.3:49744 -> 185.157.160.233:2212
Source: global traffic | TCP traffic: 192.168.2.3:49749 -> 105.112.106.128:2212
Source: Joe Sandbox View | IP Address: 185.157.160.233
Source: Joe Sandbox View | ASN Name: OBE-EUROPEObenetworkEuropeSE
Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.160.233 (this entry appears 15 times in the report)
Source: unknown | DNS traffic detected: queries for: annapro.linkpc.net
Source: Doc#6620200947535257653.exe, 00000000.00000003.218378992.00000000088C0000.00000004.00000001.sdmp, Doc#6620200947535257653.exe, 00000000.00000003.310684596.00000000088C0000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/1
Source: gjhgkuytgkgfgd.exe, 00000010.00000003.319689296.0000000008760000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/1q
Source: Doc#6620200947535257653.exe, 00000000.00000003.218378992.00000000088C0000.00000004.00000001.sdmp, Doc#6620200947535257653.exe, 00000000.00000003.310684596.00000000088C0000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: gjhgkuytgkgfgd.exe, 00000010.00000003.319689296.0000000008760000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/gq
Source: Doc#6620200947535257653.exe, 00000000.00000003.218378992.00000000088C0000.00000004.00000001.sdmp, Doc#6620200947535257653.exe, 00000000.00000003.310684596.00000000088C0000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobj
Source: gjhgkuytgkgfgd.exe, 00000010.00000003.319689296.0000000008760000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobjq
Source: Doc#6620200947535257653.exe, 00000000.00000002.313171492.0000000001B68000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: AddInProcess32.exe, 00000017.00000002.692289484.0000000003EB9000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: the same 14 memory dumps, process memory spaces and unpacked PEs listed under "Yara detected Nanocore RAT" in the AV Detection section above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000017.00000002.692289484.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.314242326.000000000484F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.314242326.000000000484F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.704326696.0000000004721000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.704326696.0000000004721000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.672265622.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000017.00000002.672265622.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000017.00000002.700402304.00000000052E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000017.00000002.701805555.0000000005720000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.704615515.000000000499C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.704615515.000000000499C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000010.00000002.704483178.000000000483F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000010.00000002.704483178.000000000483F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: AddInProcess32.exe PID: 5820, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: AddInProcess32.exe PID: 5820, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: gjhgkuytgkgfgd.exe PID: 6308, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: gjhgkuytgkgfgd.exe PID: 6308, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Doc#6620200947535257653.exe PID: 4120, type: MEMORY | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Doc#6620200947535257653.exe PID: 4120, type: MEMORY | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.AddInProcess32.exe.52e0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.AddInProcess32.exe.5720000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 23.2.AddInProcess32.exe.5720000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF1BFC CreateProcessAsUserW
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 0_2_01B09A09
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 0_2_01B0A4F8
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 0_2_01B0BC28
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 0_2_01B03FB8
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 0_2_01B04720
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 0_2_01B0D6F4
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 0_2_01B076D0
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 0_2_01B0F658
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 0_2_01B0EE58
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe | Code function: 0_2_01B0F648
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_01999A01
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_0199A4F8
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_0199BC28
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_01993FB8
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_019976D0
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_0199D6EA
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_0199F658
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_0199EE58
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_0199F648
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF2F38
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF5720
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF04E8
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF0C18
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF45C8
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF25F8
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF25E8
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF2180
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF3980
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF6340
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF2171
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF5710
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF2F28
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF04E1
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe | Code function: 16_2_05DF0C08
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 23_2_00882050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 23_2_0134E471
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 23_2_0134E480
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 23_2_0134BBD4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 23_2_0524F5F8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 23_2_05249788
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 23_2_0524A5D0
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
Source: Doc#6620200947535257653.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gjhgkuytgkgfgd.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Doc#6620200947535257653.exe | Binary or memory string: OriginalFilename vs Doc#6620200947535257653.exe
Source: Doc#6620200947535257653.exe, 00000000.00000002.313463921.0000000001E40000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Doc#6620200947535257653.exe
Source: Doc#6620200947535257653.exe, 00000000.00000002.313463921.0000000001E40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Doc#6620200947535257653.exe
Source: Doc#6620200947535257653.exe, 00000000.00000002.313392512.0000000001DF0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs Doc#6620200947535257653.exe
Source: Doc#6620200947535257653.exe, 00000000.00000002.313171492.0000000001B68000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Doc#6620200947535257653.exe
Source: Doc#6620200947535257653.exe, 00000000.00000002.322695546.0000000008CB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Doc#6620200947535257653.exe
Source: Doc#6620200947535257653.exe, 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAstronot plart.exe> vs Doc#6620200947535257653.exe
Source: Doc#6620200947535257653.exe, 00000000.00000003.287381501.0000000001C16000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAddInProcess32.exeT vs Doc#6620200947535257653.exe
Source: Doc#6620200947535257653.exe, 00000000.00000002.322289598.0000000005E70000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Doc#6620200947535257653.exe
Source: Doc#6620200947535257653.exe | Binary or memory string: OriginalFilenametonyumeze1.exeP vs Doc#6620200947535257653.exe
Source: Doc#6620200947535257653.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000017.00000002.692289484.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.314934882.00000000049AC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.314242326.000000000484F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.314242326.000000000484F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000010.00000002.704326696.0000000004721000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000010.00000002.704326696.0000000004721000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000002.672265622.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000017.00000002.672265622.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000017.00000002.700402304.00000000052E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000017.00000002.700402304.00000000052E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000017.00000002.701805555.0000000005720000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000017.00000002.701805555.0000000005720000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.704615515.000000000499C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000010.00000002.704615515.000000000499C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000010.00000002.704483178.000000000483F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000010.00000002.704483178.000000000483F000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: AddInProcess32.exe PID: 5820, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: AddInProcess32.exe PID: 5820, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: gjhgkuytgkgfgd.exe PID: 6308, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: gjhgkuytgkgfgd.exe PID: 6308, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Doc#6620200947535257653.exe PID: 4120, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Doc#6620200947535257653.exe PID: 4120, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 23.2.AddInProcess32.exe.52e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.AddInProcess32.exe.52e0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 23.2.AddInProcess32.exe.5720000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.AddInProcess32.exe.5720000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.2.AddInProcess32.exe.5720000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.AddInProcess32.exe.5720000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 23.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 23.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 23.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
Source: classification engine; Classification label: mal100.troj.evad.winEXE@26/19@3/3
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gjhgkuytgkgfgd.lnk
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\{5c958888-f81c-42a4-939d-31983a2cd9ba}
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe; File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: Doc#6620200947535257653.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe; File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe; File read: C:\Users\user\Desktop\Doc#6620200947535257653.exe
Source: unknown; Process created: C:\Users\user\Desktop\Doc#6620200947535257653.exe 'C:\Users\user\Desktop\Doc#6620200947535257653.exe'
Source: unknown; Process created: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe 'C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe'
Source: unknown; Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown; Process created: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe'
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe; Process created: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe 'C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe'
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe; Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe; Process created: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe'
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe; Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe; Process created: C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe 'C:\Users\user\AppData\Local\Temp\ffgfhfjftdghghrghse.exe'
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: Doc#6620200947535257653.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Doc#6620200947535257653.exe; Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Doc#6620200947535257653.exe; Static file information: File size 5468672 > 1048576
Source: Doc#6620200947535257653.exe; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x50b200
Source: Doc#6620200947535257653.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb source: Doc#6620200947535257653.exe, 00000000.00000003.287381501.0000000001C16000.00000004.00000001.sdmp, AddInProcess32.exe, AddInProcess32.exe.0.dr
Source: Binary string: AddInProcess32.pdbpw source: Doc#6620200947535257653.exe, 00000000.00000003.287381501.0000000001C16000.00000004.00000001.sdmp, AddInProcess32.exe, 00000017.00000000.388454489.0000000000882000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr

        Data Obfuscation:

.NET source code contains potential unpacker
Source: 23.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs; .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 23.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs; .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: initial sample; Static PE information: 0xC7142059 [Sun Nov 3 05:36:25 2075 UTC]
Source: C:\Users\user\Desktop\Doc#6620200947535257653.exe; Code function: 0_2_01B03A90 push CC01B4B1h; retf 0_2_01B03CDD
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe; Code function: 16_2_05DF4F52 push esp; retf 16_2_05DF4F59
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe; Code function: 16_2_05DF52D0 push eax; iretd 16_2_05DF52D1
Source: C:\Users\user\AppData\Roaming\gjhgkuytgkgfgd.exe; Code function: 16_2_05DF1C79 push ebx; iretd 16_2_05DF1C7A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 23_2_052469F8 pushad ; retf 23_2_052469F9
Source: ffgfhfjftdghghrghse.exe.16.dr, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs; High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
Source: ffgfhfjftdghghrghse.exe.16.dr, Astronotplart/gabKErPURPS76kDKjrme.cs; High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
Source: ffgfhfjftdghghrghse.exe.16.dr, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs; High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
Source: ffgfhfjftdghghrghse.exe.16.dr, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs; High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
Source: ffgfhfjftdghghrghse.exe.16.dr, Astronotplart/rtGPmvPIdl5IaacYtOxDvUDj4cyvAKDSBQSIKnjuJ.cs; High entropy of concatenated method names: '.ctor', 'lXIhNy5k2zuUtWijXRf3Smh', 'K04wNKQqGraj7cH31jV3', 'XjtDF35KWLF6l1is3R1Q6HxEJwEr3PbjtGbh2HVd2', 'lvOSFdRQCCluXgGa7jGQkU1jNoXRaK5EpfPYnW', 'gZQk7h6spRLFg3NwAmoe'
Source: 23.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs; High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 23.2.AddInProcess32.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs; High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 26.0.ffgfhfjftdghghrghse.exe.920000.0.unpack, Astronotplart/My/tT7bk4FnxbYaKqMtWjIqvyKWh4J9tkfAvLZ8e5Y4BU.cs; High entropy of concatenated method names: 'nn9DM7TZkpnl4dSPqnpPS2oW', 'LztRLhG61h4KFshxtO7P7', 'G4vjdlUHNvtWZenTXSNdtGwCIYmCoKE77', '5fQycwGNtn0lBuMB2jteITZhMQF3wG', 'ZJSZEAUpgBzwUgSXvnbC6lEhXmP5VpN2nCiGvnzMTR'
Source: 26.0.ffgfhfjftdghghrghse.exe.920000.0.unpack, Astronotplart/gabKErPURPS76kDKjrme.cs; High entropy of concatenated method names: '.ctor', 'EmwYECB1wGyvIA2snT', 'zQyq6GQCkVXH2m9ORWKDS7znEfc2l', 'X3TE6RCIZMD7ECwwVoqD8j43J8u', 'SwV7wVQkM24hXoCSpr83uLH4TEFtSUXME6LQS7', 'gIglw7CqsSJGzE2AtTN3JYbIYwYS1QQ7ADpw', 'aciMX0Q3f70STq8WXW'
Source: 26.0.ffgfhfjftdghghrghse.exe.920000.0.unpack, Astronotplart/My/nVdeDLHvVsfVxwgFzORDky8W3f9u4lGmiaWnSDb.cs; High entropy of concatenated method names: '.cctor', 'ipfF6OV8JHE8Qin24Sz2H', 'GBAU51HdoykwtyLJ8j', 'A6Cmw4VPbNKHMkR6BnXqjGTCsaLYYK', 'ZhXAveIVREq8oAgNFODqxTnhx35', 'TL13XiWxESQiImm09SkPUl2iIyfqvqfNa1eW0WN', 'hXlgWtIDkKwHkCLRcj1P0yvWMryPDm997zSDv', 'crnIowWf8YVTDoRdGn'
Source: 26.0.ffgfhfjftdghghrghse.exe.920000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.cs; High entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'
        Source: 26.0.ffgfhfjftdghghrghse.exe.920000.0.unpack, Astronotplart/My/Resources/cZsjfbJLI2Nt8If5QOa3YzSXxDXbcmzUTY.csHigh entropy of concatenated method names: '7tuLHfXnvgcErulp', 'vFPZGqKub8S44KK9njyrAe1CN2qDJ3IQa7tiGW3Oebu', 'p0Rr9tY6YlifmwQtRmfPXGEDX', 'IPf8zIYNrroPiylxpRDezmMidW58Fr8mLO'