Analysis Report order-181289654312464648.exe

Overview

General Information

Sample Name: order-181289654312464648.exe
Analysis ID: 339042
MD5: 28da42c2cd57e51cb8ea7df263802924
SHA1: 81c980f2cda9b42b0b8bf50c7128cc88afd942fd
SHA256: 2d564ae361eb499ca493273e9fcfb88546105c88293c7633a7e1580a435cee9f
Tags: exe, NanoCore, RAT

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • order-181289654312464648.exe (PID: 5964 cmdline: 'C:\Users\user\Desktop\order-181289654312464648.exe' MD5: 28DA42C2CD57E51CB8EA7DF263802924)
    • fdcgjhjyuyihdastagghejh.exe (PID: 6692 cmdline: 'C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe' MD5: 28DA42C2CD57E51CB8EA7DF263802924)
      • AddInProcess32.exe (PID: 4316 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • fdexedxfuuyytwq.exe (PID: 5168 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 5188 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 5688 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 3564 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 1048 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 5044 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 6328 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 6816 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 6880 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 6708 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 6800 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 5504 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 6124 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 6892 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 2792 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
        • fdexedxfuuyytwq.exe (PID: 6936 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
      • fdexedxfuuyytwq.exe (PID: 7120 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.157.162.81"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 0000000F.00000002.624910732.0000000006BD0000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x8ba5:$x1: NanoCore.ClientPluginHost
  • 0x8bd2:$x2: IClientNetworkHost
Source: 0000000F.00000002.624910732.0000000006BD0000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x8ba5:$x2: NanoCore.ClientPluginHost
  • 0x9b74:$s2: FileCommand
  • 0xe576:$s4: PipeCreated
  • 0x8bbf:$s5: IClientLoggingHost
(66 entries in total; only the first are shown)

Unpacked PEs

Source: 15.2.AddInProcess32.exe.6bc0000.8.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x2dbb:$x1: NanoCore.ClientPluginHost
  • 0x2de5:$x2: IClientNetworkHost
Source: 15.2.AddInProcess32.exe.6bc0000.8.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x2dbb:$x2: NanoCore.ClientPluginHost
  • 0x4c6b:$s4: PipeCreated
Source: 15.2.AddInProcess32.exe.6ca0000.18.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1d3db:$x1: NanoCore.ClientPluginHost
  • 0x1d3f5:$x2: IClientNetworkHost
Source: 15.2.AddInProcess32.exe.6ca0000.18.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0x1d3db:$x2: NanoCore.ClientPluginHost
  • 0x20718:$s4: PipeCreated
  • 0x1d3c8:$s5: IClientLoggingHost
Source: 15.2.AddInProcess32.exe.6c60000.15.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x39eb:$x1: NanoCore.ClientPluginHost
  • 0x3a24:$x2: IClientNetworkHost
(51 entries in total; only the first are shown)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ProcessId: 4316, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: AddInProcess32.exe.4316.15.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["185.157.162.81"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Virustotal: Detection: 7%
Yara detected Nanocore RAT
Source: Yara match | File source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.619247841.0000000003B51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY
Source: Yara match | File source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY
Source: Yara match | File source: 15.2.AddInProcess32.exe.5c00000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.AddInProcess32.exe.5c00000.6.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: order-181289654312464648.exe | Joe Sandbox ML: detected
Source: 15.2.AddInProcess32.exe.5c00000.6.unpack | Avira: Label: TR/NanoCore.fadte
Source: 15.2.AddInProcess32.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: order-181289654312464648.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: order-181289654312464648.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb | source: AddInProcess32.exe, AddInProcess32.exe.0.dr
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb | source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source: Binary string: AddInProcess32.pdbpw | source: AddInProcess32.exe, 0000000F.00000000.391348657.00000000006A2000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb | source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb | source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb | source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb | source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\order-181289654312464648.exe | Code function: 4x nop then jmp 027EF56Eh | 0_2_027EED98
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 4x nop then jmp 031DF56Eh | 13_2_031DED98
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] | 15_2_060FB031
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 15_2_06D01F10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 4x nop then lea esp, dword ptr [ebp-08h] | 15_2_06D01F20
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Code function: 4x nop then jmp 02B00799h | 19_2_02B00560
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Code function: 4x nop then jmp 02B00799h | 19_2_02B00551
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Code function: 4x nop then jmp 01890799h | 22_2_01890560
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Code function: 4x nop then jmp 01890799h | 22_2_01890551
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Code function: 4x nop then jmp 00DD0799h | 23_2_00DD0560
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Code function: 4x nop then jmp 00DD0799h | 23_2_00DD0551
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Code function: 4x nop then jmp 00FE0799h | 24_2_00FE0560
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe | Code function: 4x nop then jmp 00FE0799h | 24_2_00FE0552

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 185.157.162.81
Source: global traffic | TCP traffic: 192.168.2.3:49741 -> 185.157.162.81:40700
Source: global traffic | TCP traffic: 192.168.2.3:49747 -> 185.157.161.86:40700
Source: Joe Sandbox View | IP Address: 185.157.162.81
Source: Joe Sandbox View | ASN Name: OBE-EUROPEObenetworkEuropeSE
Source: unknown | TCP traffic detected without corresponding DNS query: 185.157.162.81 (9 occurrences)
Source: unknown | DNS traffic detected: queries for: nanopc.linkpc.net
Source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp | String found in binary or memory: http://google.com
Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.616518111.0000000001789000.00000004.00000040.sdmp | String found in binary or memory: http://iptc.tc4xmp3
Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.616518111.0000000001789000.00000004.00000040.sdmp | String found in binary or memory: http://ns.ado/Ident
Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.614681646.000000000157B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: AddInProcess32.exe, 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File sources: the same 18 memory dumps, process memory spaces and unpacked PEs listed for this signature under AV Detection above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.624910732.0000000006BD0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.625265297.0000000006CE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.625016694.0000000006C30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.624983363.0000000006C10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.620423784.0000000003E84000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.625032550.0000000006C40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.625156989.0000000006CA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.625048622.0000000006C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.625126493.0000000006C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.624889874.0000000006BC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.619550033.0000000003C3E000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.625086476.0000000006C70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.624999401.0000000006C20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.623946602.00000000051A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.625068564.0000000006C60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.AddInProcess32.exe.6bc0000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6ca0000.18.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c60000.15.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.5c00000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c10000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c70000.16.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6ce0000.19.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c50000.14.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6ce0000.19.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6bd0000.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c20000.11.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.51a0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c60000.15.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c90000.17.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c90000.17.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c20000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6bc0000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c30000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.AddInProcess32.exe.6c30000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c40000.13.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c70000.16.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.5c00000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c50000.14.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6ca0000.18.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6bd0000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: order-181289654312464648.exe
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_05AE3D68 CreateProcessAsUserW
Source: C:\Users\user\Desktop\order-181289654312464648.exe | Code function: 0_2_027EBB69
Source: C:\Users\user\Desktop\order-181289654312464648.exe | Code function: 0_2_027E9941
Source: C:\Users\user\Desktop\order-181289654312464648.exe | Code function: 0_2_027ED628
Source: C:\Users\user\Desktop\order-181289654312464648.exe | Code function: 0_2_027E7610
Source: C:\Users\user\Desktop\order-181289654312464648.exe | Code function: 0_2_027E3EF8
Source: C:\Users\user\Desktop\order-181289654312464648.exe | Code function: 0_2_027EA438
Source: C:\Users\user\Desktop\order-181289654312464648.exe | Code function: 0_2_027E04E8
Source: C:\Users\user\Desktop\order-181289654312464648.exe | Code function: 0_2_027EF598
Source: C:\Users\user\Desktop\order-181289654312464648.exe | Code function: 0_2_027EED98
Source: C:\Users\user\Desktop\order-181289654312464648.exe | Code function: 0_2_027EF588
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_05AE2BC0
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_05AE0570
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_05AE0CA0
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_05AD63AB
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_05AD48A2
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_05AE2280
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_05AE36F0
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_05AE1E08
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_031DBB69
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_031D9943
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_031D7610
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_031DD628
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe | Code function: 13_2_031D3EF8
Source: