Play interactive tour

Edit tour

Analysis Report order-181289654312464648.exe

Overview

General Information

Sample Name:	order-181289654312464648.exe
Analysis ID:	339042
MD5:	28da42c2cd57e51cb8ea7df263802924
SHA1:	81c980f2cda9b42b0b8bf50c7128cc88afd942fd
SHA256:	2d564ae361eb499ca493273e9fcfb88546105c88293c7633a7e1580a435cee9f
Tags:	exeNanoCoreRAT
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Sigma detected: NanoCore

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Allocates memory in foreign processes

Binary contains a suspicious time stamp

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to launch a process as a different user

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

order-181289654312464648.exe (PID: 5964 cmdline: 'C:\Users\user\Desktop\order-181289654312464648.exe' MD5: 28DA42C2CD57E51CB8EA7DF263802924)

fdcgjhjyuyihdastagghejh.exe (PID: 6692 cmdline: 'C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe' MD5: 28DA42C2CD57E51CB8EA7DF263802924)

AddInProcess32.exe (PID: 4316 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)

fdexedxfuuyytwq.exe (PID: 5168 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)

fdexedxfuuyytwq.exe (PID: 5188 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)

fdexedxfuuyytwq.exe (PID: 5688 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)

fdexedxfuuyytwq.exe (PID: 3564 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)

fdexedxfuuyytwq.exe (PID: 1048 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)

fdexedxfuuyytwq.exe (PID: 5044 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)

fdexedxfuuyytwq.exe (PID: 6328 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)

fdexedxfuuyytwq.exe (PID: 6816 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)

fdexedxfuuyytwq.exe (PID: 6880 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)

fdexedxfuuyytwq.exe (PID: 6708 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)

fdexedxfuuyytwq.exe (PID: 6800 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)

fdexedxfuuyytwq.exe (PID: 5504 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)

fdexedxfuuyytwq.exe (PID: 6124 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)

fdexedxfuuyytwq.exe (PID: 6892 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)

fdexedxfuuyytwq.exe (PID: 2792 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)

fdexedxfuuyytwq.exe (PID: 6936 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)

fdexedxfuuyytwq.exe (PID: 7120 cmdline: 'C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe' MD5: 0E362E7005823D0BEC3719B902ED6D62)

cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.157.162.81"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.624910732.0000000006BD0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
0000000F.00000002.624910732.0000000006BD0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
0000000F.00000002.625265297.0000000006CE0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
0000000F.00000002.625265297.0000000006CE0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x110bf:$x1: NanoCore.ClientPluginHost 0x110fc:$x2: IClientNetworkHost 0x14c2f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10e27:$a: NanoCore 0x10e37:$a: NanoCore 0x1106b:$a: NanoCore 0x1107f:$a: NanoCore 0x110bf:$a: NanoCore 0x10e86:$b: ClientPlugin 0x11088:$b: ClientPlugin 0x110c8:$b: ClientPlugin 0x10fad:$c: ProjectData 0x44c9b:$c: ProjectData 0x119b4:$d: DESCrypto 0x19380:$e: KeepAlive 0x1736e:$g: LogClientMessage 0x13569:$i: get_Connected 0x11cea:$j: #=q 0x11d1a:$j: #=q 0x11d36:$j: #=q 0x11d66:$j: #=q 0x11d82:$j: #=q 0x11d9e:$j: #=q 0x11dce:$j: #=q
0000000F.00000002.625016694.0000000006C30000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
0000000F.00000002.625016694.0000000006C30000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x84ab:$a: NanoCore 0x8504:$a: NanoCore 0x8541:$a: NanoCore 0x85ba:$a: NanoCore 0x4094a:$a: NanoCore 0x4096f:$a: NanoCore 0x409c8:$a: NanoCore 0x50b7b:$a: NanoCore 0x50ba1:$a: NanoCore 0x50bfd:$a: NanoCore 0x5da63:$a: NanoCore 0x5dabc:$a: NanoCore 0x5daef:$a: NanoCore 0x5dd1b:$a: NanoCore 0x5dd97:$a: NanoCore 0x5e3b0:$a: NanoCore 0x5e4f9:$a: NanoCore 0x5e9cd:$a: NanoCore 0x5ecb4:$a: NanoCore 0x5eccb:$a: NanoCore 0x67b7b:$a: NanoCore
0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x56cff:$x1: NanoCore.ClientPluginHost 0x56d3c:$x2: IClientNetworkHost 0x5a86f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x56a67:$a: NanoCore 0x56a77:$a: NanoCore 0x56cab:$a: NanoCore 0x56cbf:$a: NanoCore 0x56cff:$a: NanoCore 0x56ac6:$b: ClientPlugin 0x56cc8:$b: ClientPlugin 0x56d08:$b: ClientPlugin 0x56bed:$c: ProjectData 0x8a8db:$c: ProjectData 0x575f4:$d: DESCrypto 0x5efc0:$e: KeepAlive 0x5cfae:$g: LogClientMessage 0x591a9:$i: get_Connected 0x5792a:$j: #=q 0x5795a:$j: #=q 0x57976:$j: #=q 0x579a6:$j: #=q 0x579c2:$j: #=q 0x579de:$j: #=q 0x57a0e:$j: #=q
0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x109cd:$x1: NanoCore.ClientPluginHost 0x10a0a:$x2: IClientNetworkHost 0x1453d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10735:$a: NanoCore 0x10745:$a: NanoCore 0x10979:$a: NanoCore 0x1098d:$a: NanoCore 0x109cd:$a: NanoCore 0x10794:$b: ClientPlugin 0x10996:$b: ClientPlugin 0x109d6:$b: ClientPlugin 0x108bb:$c: ProjectData 0x112c2:$d: DESCrypto 0x18c8e:$e: KeepAlive 0x16c7c:$g: LogClientMessage 0x12e77:$i: get_Connected 0x115f8:$j: #=q 0x11628:$j: #=q 0x11644:$j: #=q 0x11674:$j: #=q 0x11690:$j: #=q 0x116ac:$j: #=q 0x116dc:$j: #=q 0x116f8:$j: #=q
00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5705f:$x1: NanoCore.ClientPluginHost 0x5709c:$x2: IClientNetworkHost 0x5abcf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x56dc7:$a: NanoCore 0x56dd7:$a: NanoCore 0x5700b:$a: NanoCore 0x5701f:$a: NanoCore 0x5705f:$a: NanoCore 0x56e26:$b: ClientPlugin 0x57028:$b: ClientPlugin 0x57068:$b: ClientPlugin 0x56f4d:$c: ProjectData 0x8ac3b:$c: ProjectData 0x57954:$d: DESCrypto 0x5f320:$e: KeepAlive 0x5d30e:$g: LogClientMessage 0x59509:$i: get_Connected 0x57c8a:$j: #=q 0x57cba:$j: #=q 0x57cd6:$j: #=q 0x57d06:$j: #=q 0x57d22:$j: #=q 0x57d3e:$j: #=q 0x57d6e:$j: #=q
00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10d2d:$x1: NanoCore.ClientPluginHost 0x9c65f:$x1: NanoCore.ClientPluginHost 0xe24bf:$x1: NanoCore.ClientPluginHost 0x10d6a:$x2: IClientNetworkHost 0x9c69c:$x2: IClientNetworkHost 0xe24fc:$x2: IClientNetworkHost 0x1489d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa01cf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe602f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10a95:$a: NanoCore 0x10aa5:$a: NanoCore 0x10cd9:$a: NanoCore 0x10ced:$a: NanoCore 0x10d2d:$a: NanoCore 0x9c3c7:$a: NanoCore 0x9c3d7:$a: NanoCore 0x9c60b:$a: NanoCore 0x9c61f:$a: NanoCore 0x9c65f:$a: NanoCore 0xe2227:$a: NanoCore 0xe2237:$a: NanoCore 0xe246b:$a: NanoCore 0xe247f:$a: NanoCore 0xe24bf:$a: NanoCore 0x10af4:$b: ClientPlugin 0x10cf6:$b: ClientPlugin 0x10d36:$b: ClientPlugin 0x9c426:$b: ClientPlugin 0x9c628:$b: ClientPlugin 0x9c668:$b: ClientPlugin
0000000F.00000002.624983363.0000000006C10000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
0000000F.00000002.624983363.0000000006C10000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
0000000F.00000002.620423784.0000000003E84000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x55fd7:$a: NanoCore 0x560c1:$a: NanoCore 0x56f38:$a: NanoCore 0x600e2:$a: NanoCore 0x60143:$a: NanoCore 0x60186:$a: NanoCore 0x601c6:$a: NanoCore 0x60402:$a: NanoCore 0x604a2:$a: NanoCore 0x60c7a:$a: NanoCore 0x6126d:$a: NanoCore 0x613be:$a: NanoCore 0x62218:$a: NanoCore 0x6247f:$a: NanoCore 0x62494:$a: NanoCore 0x624b3:$a: NanoCore 0x6b3b6:$a: NanoCore 0x6b3df:$a: NanoCore 0x77158:$a: NanoCore 0x77181:$a: NanoCore 0x9c044:$a: NanoCore
0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3515f:$x1: NanoCore.ClientPluginHost 0x3519c:$x2: IClientNetworkHost 0x38ccf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x34ec7:$a: NanoCore 0x34ed7:$a: NanoCore 0x3510b:$a: NanoCore 0x3511f:$a: NanoCore 0x3515f:$a: NanoCore 0x34f26:$b: ClientPlugin 0x35128:$b: ClientPlugin 0x35168:$b: ClientPlugin 0x22edb:$c: ProjectData 0x3504d:$c: ProjectData 0x68d3b:$c: ProjectData 0x35a54:$d: DESCrypto 0x3d420:$e: KeepAlive 0x3b40e:$g: LogClientMessage 0x37609:$i: get_Connected 0x35d8a:$j: #=q 0x35dba:$j: #=q 0x35dd6:$j: #=q 0x35e06:$j: #=q 0x35e22:$j: #=q 0x35e3e:$j: #=q
0000000F.00000002.625032550.0000000006C40000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
0000000F.00000002.625032550.0000000006C40000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
0000000F.00000002.619247841.0000000003B51000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.625156989.0000000006CA0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
0000000F.00000002.625156989.0000000006CA0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2e45d:$x1: NanoCore.ClientPluginHost 0x2e49a:$x2: IClientNetworkHost 0x31fcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2e1c5:$a: NanoCore 0x2e1d5:$a: NanoCore 0x2e409:$a: NanoCore 0x2e41d:$a: NanoCore 0x2e45d:$a: NanoCore 0x2e224:$b: ClientPlugin 0x2e426:$b: ClientPlugin 0x2e466:$b: ClientPlugin 0x1af47:$c: ProjectData 0x2e34b:$c: ProjectData 0x2ed52:$d: DESCrypto 0x3671e:$e: KeepAlive 0x3470c:$g: LogClientMessage 0x30907:$i: get_Connected 0x2f088:$j: #=q 0x2f0b8:$j: #=q 0x2f0d4:$j: #=q 0x2f104:$j: #=q 0x2f120:$j: #=q 0x2f13c:$j: #=q 0x2f16c:$j: #=q
0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10d5f:$x1: NanoCore.ClientPluginHost 0x10d9c:$x2: IClientNetworkHost 0x148cf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10ac7:$a: NanoCore 0x10ad7:$a: NanoCore 0x10d0b:$a: NanoCore 0x10d1f:$a: NanoCore 0x10d5f:$a: NanoCore 0x10b26:$b: ClientPlugin 0x10d28:$b: ClientPlugin 0x10d68:$b: ClientPlugin 0x10c4d:$c: ProjectData 0x4493b:$c: ProjectData 0x11654:$d: DESCrypto 0x19020:$e: KeepAlive 0x1700e:$g: LogClientMessage 0x13209:$i: get_Connected 0x1198a:$j: #=q 0x119ba:$j: #=q 0x119d6:$j: #=q 0x11a06:$j: #=q 0x11a22:$j: #=q 0x11a3e:$j: #=q 0x11a6e:$j: #=q
0000000F.00000002.625048622.0000000006C50000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
0000000F.00000002.625048622.0000000006C50000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000F.00000002.625126493.0000000006C90000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
0000000F.00000002.625126493.0000000006C90000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
0000000F.00000002.624889874.0000000006BC0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
0000000F.00000002.624889874.0000000006BC0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
0000000F.00000002.619550033.0000000003C3E000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb438f:$a: NanoCore 0xb43b4:$a: NanoCore 0xb440d:$a: NanoCore 0xc45ac:$a: NanoCore 0xc45d2:$a: NanoCore 0xc462e:$a: NanoCore 0xd1485:$a: NanoCore 0xd14de:$a: NanoCore 0xd1511:$a: NanoCore 0xd173d:$a: NanoCore 0xd17b9:$a: NanoCore 0xd1dd2:$a: NanoCore 0xd1f1b:$a: NanoCore 0xd23ef:$a: NanoCore 0xd26d6:$a: NanoCore 0xd26ed:$a: NanoCore 0xdb591:$a: NanoCore 0xdb60d:$a: NanoCore 0xddef0:$a: NanoCore 0xe34b9:$a: NanoCore 0xe3533:$a: NanoCore
0000000F.00000002.625086476.0000000006C70000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
0000000F.00000002.625086476.0000000006C70000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
0000000F.00000002.624999401.0000000006C20000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
0000000F.00000002.624999401.0000000006C20000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
0000000F.00000002.623946602.00000000051A0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000000F.00000002.623946602.00000000051A0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0000000F.00000002.625068564.0000000006C60000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
0000000F.00000002.625068564.0000000006C60000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1ae9:$a: NanoCore 0x1b42:$a: NanoCore 0x1b7f:$a: NanoCore 0x1bf8:$a: NanoCore 0x152a3:$a: NanoCore 0x152b8:$a: NanoCore 0x152ed:$a: NanoCore 0x22f02:$a: NanoCore 0x22f27:$a: NanoCore 0x22f80:$a: NanoCore 0x3311d:$a: NanoCore 0x33143:$a: NanoCore 0x3319f:$a: NanoCore 0x3fff4:$a: NanoCore 0x4004d:$a: NanoCore 0x40080:$a: NanoCore 0x402ac:$a: NanoCore 0x40328:$a: NanoCore 0x40941:$a: NanoCore 0x40a8a:$a: NanoCore 0x40f5e:$a: NanoCore
Process Memory Space: order-181289654312464648.exe PID: 5964	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1cc58:$x1: NanoCore.ClientPluginHost 0xcfb14:$x1: NanoCore.ClientPluginHost 0xfd8be:$x1: NanoCore.ClientPluginHost 0x1253af:$x1: NanoCore.ClientPluginHost 0x1485b0:$x1: NanoCore.ClientPluginHost 0x1ccb9:$x2: IClientNetworkHost 0xcfb75:$x2: IClientNetworkHost 0xfd91f:$x2: IClientNetworkHost 0x125410:$x2: IClientNetworkHost 0x148611:$x2: IClientNetworkHost 0x220be:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x30030:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xd4f7a:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe2eec:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x102d24:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x110c96:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12a815:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x138787:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x14da16:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x15b988:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: order-181289654312464648.exe PID: 5964	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: order-181289654312464648.exe PID: 5964	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1c75d:$a: NanoCore 0x1c779:$a: NanoCore 0x1c8d4:$a: NanoCore 0x1c8e3:$a: NanoCore 0x1cbbc:$a: NanoCore 0x1cbe8:$a: NanoCore 0x1cc58:$a: NanoCore 0x2c69a:$a: NanoCore 0x2c6ac:$a: NanoCore 0x2c6e8:$a: NanoCore 0xcf619:$a: NanoCore 0xcf635:$a: NanoCore 0xcf790:$a: NanoCore 0xcf79f:$a: NanoCore 0xcfa78:$a: NanoCore 0xcfaa4:$a: NanoCore 0xcfb14:$a: NanoCore 0xdf556:$a: NanoCore 0xdf568:$a: NanoCore 0xdf5a4:$a: NanoCore 0xfd3c3:$a: NanoCore
Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x99626:$x1: NanoCore.ClientPluginHost 0x17714e:$x1: NanoCore.ClientPluginHost 0x20c2e3:$x1: NanoCore.ClientPluginHost 0x25d216:$x1: NanoCore.ClientPluginHost 0x99687:$x2: IClientNetworkHost 0x1771af:$x2: IClientNetworkHost 0x20c344:$x2: IClientNetworkHost 0x25d277:$x2: IClientNetworkHost 0x9ea8c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xac9fe:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x17c5b4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x18a526:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x211749:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x21f6bb:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x26267c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2705ee:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x9912b:$a: NanoCore 0x99147:$a: NanoCore 0x992a2:$a: NanoCore 0x992b1:$a: NanoCore 0x9958a:$a: NanoCore 0x995b6:$a: NanoCore 0x99626:$a: NanoCore 0xa9068:$a: NanoCore 0xa907a:$a: NanoCore 0xa90b6:$a: NanoCore 0x176c53:$a: NanoCore 0x176c6f:$a: NanoCore 0x176dca:$a: NanoCore 0x176dd9:$a: NanoCore 0x1770b2:$a: NanoCore 0x1770de:$a: NanoCore 0x17714e:$a: NanoCore 0x186b90:$a: NanoCore 0x186ba2:$a: NanoCore 0x186bde:$a: NanoCore 0x20bde8:$a: NanoCore
Process Memory Space: AddInProcess32.exe PID: 4316	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f72b:$x1: NanoCore.ClientPluginHost 0x306a9:$x1: NanoCore.ClientPluginHost 0x4c5e2:$x1: NanoCore.ClientPluginHost 0xa15c8:$x1: NanoCore.ClientPluginHost 0xb5b34:$x1: NanoCore.ClientPluginHost 0xc044e:$x1: NanoCore.ClientPluginHost 0xd2fca:$x1: NanoCore.ClientPluginHost 0xd602c:$x1: NanoCore.ClientPluginHost 0xdb3e0:$x1: NanoCore.ClientPluginHost 0xde836:$x1: NanoCore.ClientPluginHost 0xe1433:$x1: NanoCore.ClientPluginHost 0xe85d8:$x1: NanoCore.ClientPluginHost 0xed433:$x1: NanoCore.ClientPluginHost 0xf9c0d:$x1: NanoCore.ClientPluginHost 0x100d37:$x1: NanoCore.ClientPluginHost 0x1332bd:$x1: NanoCore.ClientPluginHost 0x1d8bfb:$x1: NanoCore.ClientPluginHost 0x29b26b:$x1: NanoCore.ClientPluginHost 0x2a240f:$x1: NanoCore.ClientPluginHost 0x2a726a:$x1: NanoCore.ClientPluginHost 0x2b3a44:$x1: NanoCore.ClientPluginHost
Process Memory Space: AddInProcess32.exe PID: 4316	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: AddInProcess32.exe PID: 4316	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1f6a5:$a: NanoCore 0x1f6d2:$a: NanoCore 0x1f72b:$a: NanoCore 0x26f3a:$a: NanoCore 0x26f4d:$a: NanoCore 0x26f7f:$a: NanoCore 0x3063c:$a: NanoCore 0x3066c:$a: NanoCore 0x306a9:$a: NanoCore 0x36edb:$a: NanoCore 0x36ef1:$a: NanoCore 0x36f14:$a: NanoCore 0x4c5a4:$a: NanoCore 0x4c5e2:$a: NanoCore 0x4c66e:$a: NanoCore 0x5700b:$a: NanoCore 0x5702f:$a: NanoCore 0x57087:$a: NanoCore 0x647ca:$a: NanoCore 0x64a8b:$a: NanoCore 0x64ab0:$a: NanoCore
Click to see the 66 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.2.AddInProcess32.exe.6bc0000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.6bc0000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
15.2.AddInProcess32.exe.6ca0000.18.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.6ca0000.18.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.6c60000.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.6c60000.15.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.5c00000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.5c00000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.5c00000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.AddInProcess32.exe.6c10000.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.6c10000.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.6c70000.16.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.6c70000.16.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.6ce0000.19.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.6ce0000.19.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.6c50000.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.6c50000.14.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.6ce0000.19.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.6ce0000.19.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.6bd0000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.6bd0000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.6c20000.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.6c20000.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.51a0000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.51a0000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.6c60000.15.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.6c60000.15.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.6c90000.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.6c90000.17.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.6c90000.17.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.6c90000.17.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.6c20000.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.6c20000.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.6bc0000.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.6bc0000.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
15.2.AddInProcess32.exe.6c30000.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.6c30000.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
15.2.AddInProcess32.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.AddInProcess32.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
15.2.AddInProcess32.exe.6c30000.12.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.6c30000.12.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.6c40000.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
15.2.AddInProcess32.exe.6c40000.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.6c70000.16.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.6c70000.16.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.5c00000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.5c00000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.5c00000.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
15.2.AddInProcess32.exe.6c50000.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.6c50000.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.6ca0000.18.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.6ca0000.18.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
15.2.AddInProcess32.exe.6bd0000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
15.2.AddInProcess32.exe.6bd0000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
Click to see the 51 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe, ProcessId: 4316, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: AddInProcess32.exe.4316.15.memstr

Malware Configuration Extractor: NanoCore {"C2: ": ["185.157.162.81"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe

Virustotal: Detection: 7%

Perma Link

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.619247841.0000000003B51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY
Source: Yara match	File source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY
Source: Yara match	File source: 15.2.AddInProcess32.exe.5c00000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.AddInProcess32.exe.5c00000.6.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: order-181289654312464648.exe

Joe Sandbox ML: detected

Source: 15.2.AddInProcess32.exe.5c00000.6.unpack	Avira: Label: TR/NanoCore.fadte
Source: 15.2.AddInProcess32.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: order-181289654312464648.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: order-181289654312464648.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: AddInProcess32.pdb source: AddInProcess32.exe, AddInProcess32.exe.0.dr
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source:	Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 0000000F.00000000.391348657.00000000006A2000.00000002.00020000.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp

Source: C:\Users\user\Desktop\order-181289654312464648.exe	Code function: 4x nop then jmp 027EF56Eh	0_2_027EED98
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Code function: 4x nop then jmp 031DF56Eh	13_2_031DED98
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	15_2_060FB031
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	15_2_06D01F10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	15_2_06D01F20
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Code function: 4x nop then jmp 02B00799h	19_2_02B00560
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Code function: 4x nop then jmp 02B00799h	19_2_02B00551
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Code function: 4x nop then jmp 01890799h	22_2_01890560
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Code function: 4x nop then jmp 01890799h	22_2_01890551
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Code function: 4x nop then jmp 00DD0799h	23_2_00DD0560
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Code function: 4x nop then jmp 00DD0799h	23_2_00DD0551
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Code function: 4x nop then jmp 00FE0799h	24_2_00FE0560
Source: C:\Users\user\AppData\Local\Temp\fdexedxfuuyytwq.exe	Code function: 4x nop then jmp 00FE0799h	24_2_00FE0552

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

IPs: 185.157.162.81

Source: global traffic	TCP traffic: 192.168.2.3:49741 -> 185.157.162.81:40700
Source: global traffic	TCP traffic: 192.168.2.3:49747 -> 185.157.161.86:40700

Source: Joe Sandbox View

IP Address: 185.157.162.81 185.157.162.81

Source: Joe Sandbox View

ASN Name: OBE-EUROPEObenetworkEuropeSE OBE-EUROPEObenetworkEuropeSE

Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81
Source: unknown	TCP traffic detected without corresponding DNS query: 185.157.162.81

Source: unknown

DNS traffic detected: queries for: nanopc.linkpc.net

Source: AddInProcess32.exe, 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.616518111.0000000001789000.00000004.00000040.sdmp	String found in binary or memory: http://iptc.tc4xmp3
Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.616518111.0000000001789000.00000004.00000040.sdmp	String found in binary or memory: http://ns.ado/Ident

Source: fdcgjhjyuyihdastagghejh.exe, 0000000D.00000002.614681646.000000000157B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: AddInProcess32.exe, 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.619247841.0000000003B51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY
Source: Yara match	File source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY
Source: Yara match	File source: 15.2.AddInProcess32.exe.5c00000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.AddInProcess32.exe.5c00000.6.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000F.00000002.624408872.0000000005C00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.624910732.0000000006BD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.625265297.0000000006CE0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.315049409.0000000003B84000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.625016694.0000000006C30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.612358336.0000000002BA4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.623442854.00000000044AD000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.624104734.000000000465F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.314866304.0000000003A5E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.315098998.0000000003C10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.624983363.0000000006C10000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.620423784.0000000003E84000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000003.390444818.000000000470C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.625032550.0000000006C40000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.625156989.0000000006CA0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.623152761.0000000004411000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000D.00000002.624021744.00000000045D3000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.625048622.0000000006C50000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.605043000.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.625126493.0000000006C90000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.624889874.0000000006BC0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.619550033.0000000003C3E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.625086476.0000000006C70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.624999401.0000000006C20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.623946602.00000000051A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.625068564.0000000006C60000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.620771478.0000000003F6F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: order-181289654312464648.exe PID: 5964, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: fdcgjhjyuyihdastagghejh.exe PID: 6692, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: AddInProcess32.exe PID: 4316, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.AddInProcess32.exe.6bc0000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6ca0000.18.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c60000.15.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.5c00000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c10000.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c70000.16.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6ce0000.19.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c50000.14.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6ce0000.19.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6bd0000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c20000.11.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.51a0000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c60000.15.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c90000.17.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c90000.17.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c20000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6bc0000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c30000.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.AddInProcess32.exe.6c30000.12.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c40000.13.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c70000.16.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.5c00000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6c50000.14.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6ca0000.18.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.AddInProcess32.exe.6bd0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: order-181289654312464648.exe

Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe

Code function: 13_2_05AE3D68 CreateProcessAsUserW,

13_2_05AE3D68

Source: C:\Users\user\Desktop\order-181289654312464648.exe	Code function: 0_2_027EBB69	0_2_027EBB69
Source: C:\Users\user\Desktop\order-181289654312464648.exe	Code function: 0_2_027E9941	0_2_027E9941
Source: C:\Users\user\Desktop\order-181289654312464648.exe	Code function: 0_2_027ED628	0_2_027ED628
Source: C:\Users\user\Desktop\order-181289654312464648.exe	Code function: 0_2_027E7610	0_2_027E7610
Source: C:\Users\user\Desktop\order-181289654312464648.exe	Code function: 0_2_027E3EF8	0_2_027E3EF8
Source: C:\Users\user\Desktop\order-181289654312464648.exe	Code function: 0_2_027EA438	0_2_027EA438
Source: C:\Users\user\Desktop\order-181289654312464648.exe	Code function: 0_2_027E04E8	0_2_027E04E8
Source: C:\Users\user\Desktop\order-181289654312464648.exe	Code function: 0_2_027EF598	0_2_027EF598
Source: C:\Users\user\Desktop\order-181289654312464648.exe	Code function: 0_2_027EED98	0_2_027EED98
Source: C:\Users\user\Desktop\order-181289654312464648.exe	Code function: 0_2_027EF588	0_2_027EF588
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Code function: 13_2_05AE2BC0	13_2_05AE2BC0
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Code function: 13_2_05AE0570	13_2_05AE0570
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Code function: 13_2_05AE0CA0	13_2_05AE0CA0
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Code function: 13_2_05AD63AB	13_2_05AD63AB
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Code function: 13_2_05AD48A2	13_2_05AD48A2
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Code function: 13_2_05AE2280	13_2_05AE2280
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Code function: 13_2_05AE36F0	13_2_05AE36F0
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Code function: 13_2_05AE1E08	13_2_05AE1E08
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Code function: 13_2_031DBB69	13_2_031DBB69
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Code function: 13_2_031D9943	13_2_031D9943
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Code function: 13_2_031D7610	13_2_031D7610
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Code function: 13_2_031DD628	13_2_031DD628
Source: C:\Users\user\AppData\Roaming\fdcgjhjyuyihdastagghejh.exe	Code function: 13_2_031D3EF8	13_2_031D3EF8
Source:

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report order-181289654312464648.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary: