Play interactive tour

Edit tour

Analysis Report Invoice# 77-83992-8297382 (2).exe

Overview

General Information

Sample Name:	Invoice# 77-83992-8297382 (2).exe
Analysis ID:	339193
MD5:	4c67eb7b3f4ea88e5e5487ade487de3f
SHA1:	d118ae4beef890783251d53f3f7fe5e6c9a65a10
SHA256:	db433304c3e22d8222cfe510e8548515c9dccfc9f080f94efc67aa11f44a6b3f
Tags:	exeNanoCore
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Antivirus or Machine Learning detection for unpacked file

Contains functionality to launch a process as a different user

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Startup

System is w10x64

Invoice# 77-83992-8297382 (2).exe (PID: 4120 cmdline: 'C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe' MD5: 4C67EB7B3F4EA88E5E5487ADE487DE3F)

Invoice# 77-83992-8297382 (2).exe (PID: 5800 cmdline: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe MD5: 4C67EB7B3F4EA88E5E5487ADE487DE3F)

dhcpmon.exe (PID: 1020 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 4C67EB7B3F4EA88E5E5487ADE487DE3F)

dhcpmon.exe (PID: 6228 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 4C67EB7B3F4EA88E5E5487ADE487DE3F)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2ee5:$a: NanoCore 0x2f3e:$a: NanoCore 0x2f7b:$a: NanoCore 0x2ff4:$a: NanoCore 0x1669f:$a: NanoCore 0x166b4:$a: NanoCore 0x166e9:$a: NanoCore 0x2f173:$a: NanoCore 0x2f188:$a: NanoCore 0x2f1bd:$a: NanoCore 0x2f47:$b: ClientPlugin 0x2f84:$b: ClientPlugin 0x3882:$b: ClientPlugin 0x388f:$b: ClientPlugin 0x1645b:$b: ClientPlugin 0x16476:$b: ClientPlugin 0x164a6:$b: ClientPlugin 0x166bd:$b: ClientPlugin 0x166f2:$b: ClientPlugin 0x2ef2f:$b: ClientPlugin 0x2ef4a:$b: ClientPlugin
00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x107e7:$x1: NanoCore.ClientPluginHost 0x432a5:$x1: NanoCore.ClientPluginHost 0x10824:$x2: IClientNetworkHost 0x432e2:$x2: IClientNetworkHost 0x14357:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46e15:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1054f:$a: NanoCore 0x1055f:$a: NanoCore 0x10793:$a: NanoCore 0x107a7:$a: NanoCore 0x107e7:$a: NanoCore 0x4300d:$a: NanoCore 0x4301d:$a: NanoCore 0x43251:$a: NanoCore 0x43265:$a: NanoCore 0x432a5:$a: NanoCore 0x105ae:$b: ClientPlugin 0x107b0:$b: ClientPlugin 0x107f0:$b: ClientPlugin 0x4306c:$b: ClientPlugin 0x4326e:$b: ClientPlugin 0x432ae:$b: ClientPlugin 0x106d5:$c: ProjectData 0x43193:$c: ProjectData 0x110dc:$d: DESCrypto 0x43b9a:$d: DESCrypto 0x18aa8:$e: KeepAlive
00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x107e7:$x1: NanoCore.ClientPluginHost 0x432a5:$x1: NanoCore.ClientPluginHost 0x10824:$x2: IClientNetworkHost 0x432e2:$x2: IClientNetworkHost 0x14357:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46e15:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1054f:$a: NanoCore 0x1055f:$a: NanoCore 0x10793:$a: NanoCore 0x107a7:$a: NanoCore 0x107e7:$a: NanoCore 0x4300d:$a: NanoCore 0x4301d:$a: NanoCore 0x43251:$a: NanoCore 0x43265:$a: NanoCore 0x432a5:$a: NanoCore 0x105ae:$b: ClientPlugin 0x107b0:$b: ClientPlugin 0x107f0:$b: ClientPlugin 0x4306c:$b: ClientPlugin 0x4326e:$b: ClientPlugin 0x432ae:$b: ClientPlugin 0x106d5:$c: ProjectData 0x43193:$c: ProjectData 0x110dc:$d: DESCrypto 0x43b9a:$d: DESCrypto 0x18aa8:$e: KeepAlive
00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xdbcb7:$x1: NanoCore.ClientPluginHost 0x10e797:$x1: NanoCore.ClientPluginHost 0x141267:$x1: NanoCore.ClientPluginHost 0xdbcf4:$x2: IClientNetworkHost 0x10e7d4:$x2: IClientNetworkHost 0x1412a4:$x2: IClientNetworkHost 0xdf827:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x112307:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x144dd7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xdba1f:$a: NanoCore 0xdba2f:$a: NanoCore 0xdbc63:$a: NanoCore 0xdbc77:$a: NanoCore 0xdbcb7:$a: NanoCore 0x10e4ff:$a: NanoCore 0x10e50f:$a: NanoCore 0x10e743:$a: NanoCore 0x10e757:$a: NanoCore 0x10e797:$a: NanoCore 0x140fcf:$a: NanoCore 0x140fdf:$a: NanoCore 0x141213:$a: NanoCore 0x141227:$a: NanoCore 0x141267:$a: NanoCore 0xdba7e:$b: ClientPlugin 0xdbc80:$b: ClientPlugin 0xdbcc0:$b: ClientPlugin 0x10e55e:$b: ClientPlugin 0x10e760:$b: ClientPlugin 0x10e7a0:$b: ClientPlugin
00000001.00000002.616036115.0000000003021000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2e45d:$x1: NanoCore.ClientPluginHost 0x2e49a:$x2: IClientNetworkHost 0x31fcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2e1c5:$a: NanoCore 0x2e1d5:$a: NanoCore 0x2e409:$a: NanoCore 0x2e41d:$a: NanoCore 0x2e45d:$a: NanoCore 0x2e224:$b: ClientPlugin 0x2e426:$b: ClientPlugin 0x2e466:$b: ClientPlugin 0x1af47:$c: ProjectData 0x2e34b:$c: ProjectData 0x2ed52:$d: DESCrypto 0x3671e:$e: KeepAlive 0x3470c:$g: LogClientMessage 0x30907:$i: get_Connected 0x2f088:$j: #=q 0x2f0b8:$j: #=q 0x2f0d4:$j: #=q 0x2f104:$j: #=q 0x2f120:$j: #=q 0x2f13c:$j: #=q 0x2f16c:$j: #=q
00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42ee5:$a: NanoCore 0x42f3e:$a: NanoCore 0x42f7b:$a: NanoCore 0x42ff4:$a: NanoCore 0x5669f:$a: NanoCore 0x566b4:$a: NanoCore 0x566e9:$a: NanoCore 0x6f173:$a: NanoCore 0x6f188:$a: NanoCore 0x6f1bd:$a: NanoCore 0x42f47:$b: ClientPlugin 0x42f84:$b: ClientPlugin 0x43882:$b: ClientPlugin 0x4388f:$b: ClientPlugin 0x5645b:$b: ClientPlugin 0x56476:$b: ClientPlugin 0x564a6:$b: ClientPlugin 0x566bd:$b: ClientPlugin 0x566f2:$b: ClientPlugin 0x6ef2f:$b: ClientPlugin 0x6ef4a:$b: ClientPlugin
00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2e45d:$x1: NanoCore.ClientPluginHost 0x2e49a:$x2: IClientNetworkHost 0x31fcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2e1c5:$a: NanoCore 0x2e1d5:$a: NanoCore 0x2e409:$a: NanoCore 0x2e41d:$a: NanoCore 0x2e45d:$a: NanoCore 0x2e224:$b: ClientPlugin 0x2e426:$b: ClientPlugin 0x2e466:$b: ClientPlugin 0x1af47:$c: ProjectData 0x2e34b:$c: ProjectData 0x2ed52:$d: DESCrypto 0x3671e:$e: KeepAlive 0x3470c:$g: LogClientMessage 0x30907:$i: get_Connected 0x2f088:$j: #=q 0x2f0b8:$j: #=q 0x2f0d4:$j: #=q 0x2f104:$j: #=q 0x2f120:$j: #=q 0x2f13c:$j: #=q 0x2f16c:$j: #=q
00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xdbcb7:$x1: NanoCore.ClientPluginHost 0x10e797:$x1: NanoCore.ClientPluginHost 0x141267:$x1: NanoCore.ClientPluginHost 0xdbcf4:$x2: IClientNetworkHost 0x10e7d4:$x2: IClientNetworkHost 0x1412a4:$x2: IClientNetworkHost 0xdf827:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x112307:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x144dd7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xdba1f:$a: NanoCore 0xdba2f:$a: NanoCore 0xdbc63:$a: NanoCore 0xdbc77:$a: NanoCore 0xdbcb7:$a: NanoCore 0x10e4ff:$a: NanoCore 0x10e50f:$a: NanoCore 0x10e743:$a: NanoCore 0x10e757:$a: NanoCore 0x10e797:$a: NanoCore 0x140fcf:$a: NanoCore 0x140fdf:$a: NanoCore 0x141213:$a: NanoCore 0x141227:$a: NanoCore 0x141267:$a: NanoCore 0xdba7e:$b: ClientPlugin 0xdbc80:$b: ClientPlugin 0xdbcc0:$b: ClientPlugin 0x10e55e:$b: ClientPlugin 0x10e760:$b: ClientPlugin 0x10e7a0:$b: ClientPlugin
00000001.00000002.620857692.0000000005730000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000001.00000002.620857692.0000000005730000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000007.00000002.308252762.0000000002C41000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.308252762.0000000002C41000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69437:$a: NanoCore 0x69490:$a: NanoCore 0x694cd:$a: NanoCore 0x69546:$a: NanoCore 0x69499:$b: ClientPlugin 0x694d6:$b: ClientPlugin 0x69dd4:$b: ClientPlugin 0x69de1:$b: ClientPlugin 0x5f0a0:$e: KeepAlive 0x69921:$g: LogClientMessage 0x698a1:$i: get_Connected 0x5986d:$j: #=q 0x5989d:$j: #=q 0x598d9:$j: #=q 0x59901:$j: #=q 0x59931:$j: #=q 0x59961:$j: #=q 0x59991:$j: #=q 0x599c1:$j: #=q 0x599dd:$j: #=q 0x59a0d:$j: #=q
Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x31339:$x1: NanoCore.ClientPluginHost 0x50035:$x1: NanoCore.ClientPluginHost 0xee744:$x1: NanoCore.ClientPluginHost 0x3139a:$x2: IClientNetworkHost 0x50096:$x2: IClientNetworkHost 0xee7a5:$x2: IClientNetworkHost 0x3679f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x44711:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5549b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6340d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xf3baa:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x101b1c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x30e3e:$a: NanoCore 0x30e5a:$a: NanoCore 0x30fb5:$a: NanoCore 0x30fc4:$a: NanoCore 0x3129d:$a: NanoCore 0x312c9:$a: NanoCore 0x31339:$a: NanoCore 0x40d7b:$a: NanoCore 0x40d8d:$a: NanoCore 0x40dc9:$a: NanoCore 0x4fb3a:$a: NanoCore 0x4fb56:$a: NanoCore 0x4fcb1:$a: NanoCore 0x4fcc0:$a: NanoCore 0x4ff99:$a: NanoCore 0x4ffc5:$a: NanoCore 0x50035:$a: NanoCore 0x5fa77:$a: NanoCore 0x5fa89:$a: NanoCore 0x5fac5:$a: NanoCore 0xee249:$a: NanoCore
Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xc5613:$x1: NanoCore.ClientPluginHost 0xcb1d2:$x1: NanoCore.ClientPluginHost 0xdc069:$x1: NanoCore.ClientPluginHost 0x19c9de:$x1: NanoCore.ClientPluginHost 0x1f6410:$x1: NanoCore.ClientPluginHost 0xc5639:$x2: IClientNetworkHost 0xcb217:$x2: IClientNetworkHost 0xdc0ae:$x2: IClientNetworkHost 0x19ca3f:$x2: IClientNetworkHost 0x1f6436:$x2: IClientNetworkHost 0x1a1e44:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1afdb6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc5505:$a: NanoCore 0xc55a6:$a: NanoCore 0xc5613:$a: NanoCore 0xc56d4:$a: NanoCore 0xc65a5:$a: NanoCore 0xc65f8:$a: NanoCore 0xc6631:$a: NanoCore 0xc66a4:$a: NanoCore 0xcb14c:$a: NanoCore 0xcb179:$a: NanoCore 0xcb1d2:$a: NanoCore 0xd29e1:$a: NanoCore 0xd29f4:$a: NanoCore 0xd2a26:$a: NanoCore 0xdbfe3:$a: NanoCore 0xdc010:$a: NanoCore 0xdc069:$a: NanoCore 0xe3878:$a: NanoCore 0xe388b:$a: NanoCore 0xe38bd:$a: NanoCore 0x19c4e3:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 1020	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x61757:$x1: NanoCore.ClientPluginHost 0x80453:$x1: NanoCore.ClientPluginHost 0xf6cfe:$x1: NanoCore.ClientPluginHost 0x617b8:$x2: IClientNetworkHost 0x804b4:$x2: IClientNetworkHost 0xf6d5f:$x2: IClientNetworkHost 0x66bbd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x74b2f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x858b9:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x9382b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xfc164:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x10a0d6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 1020	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 1020	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6125c:$a: NanoCore 0x61278:$a: NanoCore 0x613d3:$a: NanoCore 0x613e2:$a: NanoCore 0x616bb:$a: NanoCore 0x616e7:$a: NanoCore 0x61757:$a: NanoCore 0x71199:$a: NanoCore 0x711ab:$a: NanoCore 0x711e7:$a: NanoCore 0x7ff58:$a: NanoCore 0x7ff74:$a: NanoCore 0x800cf:$a: NanoCore 0x800de:$a: NanoCore 0x803b7:$a: NanoCore 0x803e3:$a: NanoCore 0x80453:$a: NanoCore 0x8fe95:$a: NanoCore 0x8fea7:$a: NanoCore 0x8fee3:$a: NanoCore 0xf6803:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 6228	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x659d:$x1: NanoCore.ClientPluginHost 0x29350:$x1: NanoCore.ClientPluginHost 0x2ef0f:$x1: NanoCore.ClientPluginHost 0x3fda6:$x1: NanoCore.ClientPluginHost 0x91d81:$x1: NanoCore.ClientPluginHost 0x65fe:$x2: IClientNetworkHost 0x29376:$x2: IClientNetworkHost 0x2ef54:$x2: IClientNetworkHost 0x3fdeb:$x2: IClientNetworkHost 0x91da7:$x2: IClientNetworkHost 0xba03:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x19975:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 6228	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6228	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x60a2:$a: NanoCore 0x60be:$a: NanoCore 0x6219:$a: NanoCore 0x6228:$a: NanoCore 0x6501:$a: NanoCore 0x652d:$a: NanoCore 0x659d:$a: NanoCore 0x15fdf:$a: NanoCore 0x15ff1:$a: NanoCore 0x1602d:$a: NanoCore 0x29242:$a: NanoCore 0x292e3:$a: NanoCore 0x29350:$a: NanoCore 0x29411:$a: NanoCore 0x2a2e2:$a: NanoCore 0x2a335:$a: NanoCore 0x2a36e:$a: NanoCore 0x2a3e1:$a: NanoCore 0x2ee89:$a: NanoCore 0x2eeb6:$a: NanoCore 0x2ef0f:$a: NanoCore
Click to see the 43 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.Invoice# 77-83992-8297382 (2).exe.5730000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
1.2.Invoice# 77-83992-8297382 (2).exe.5730000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
7.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Click to see the 11 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe, ProcessId: 5800, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Show sources

Source: Invoice# 77-83992-8297382 (2).exe

ReversingLabs: Detection: 26%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.616036115.0000000003021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.308252762.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORY
Source: Yara match	File source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack, type: UNPACKEDPE

Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack	Avira: Label: TR/NanoCore.fadte

Source: Invoice# 77-83992-8297382 (2).exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: Invoice# 77-83992-8297382 (2).exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 4x nop then jmp 016AEB76h	0_2_016AE3B0
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 4x nop then mov esp, ebp	0_2_016A8DC0
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 4x nop then jmp 016AEB76h	0_2_016AE3A0
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 4x nop then mov esp, ebp	0_2_016A8DB1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then jmp 00DBEB76h	4_2_00DBE3A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then mov esp, ebp	4_2_00DB8DC0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then mov esp, ebp	4_2_00DB8DB1

Source: global traffic

TCP traffic: 192.168.2.3:49712 -> 194.5.97.173:10004

Source: unknown

DNS traffic detected: queries for: 1.ispnano.dns-cloud.net

Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000003.233824722.0000000001326000.00000004.00000001.sdmp	String found in binary or memory: http://go.microsoft.c
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.240339078.00000000016E9000.00000004.00000040.sdmp	String found in binary or memory: http://ns.ado/Ident

Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.616036115.0000000003021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.308252762.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORY
Source: Yara match	File source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORY
Source: Yara match	File source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.620857692.0000000005730000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.308252762.0000000002C41000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.5730000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Invoice# 77-83992-8297382 (2).exe

Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe

Code function: 0_2_0F2E2FE8 CreateProcessAsUserW,

0_2_0F2E2FE8

Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_016AB180	0_2_016AB180
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_016AEBA0	0_2_016AEBA0
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_016AE3B0	0_2_016AE3B0
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_016A9A50	0_2_016A9A50
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_016A0448	0_2_016A0448
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_016ACC40	0_2_016ACC40
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_016A6C10	0_2_016A6C10
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_016A34F8	0_2_016A34F8
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_016A8F58	0_2_016A8F58
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_016AB170	0_2_016AB170
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_016AE3A0	0_2_016AE3A0
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_016AEB90	0_2_016AEB90
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_016A9A3F	0_2_016A9A3F
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_016ACC30	0_2_016ACC30
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_016A8F4A	0_2_016A8F4A
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_016AF648	0_2_016AF648
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_0F2E4748	0_2_0F2E4748
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_0F2E1EA8	0_2_0F2E1EA8
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_0F2E0040	0_2_0F2E0040
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_0F2E4738	0_2_0F2E4738
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_0F2E5368	0_2_0F2E5368
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_0F2E1620	0_2_0F2E1620
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_0F2E1E9D	0_2_0F2E1E9D
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_0F2E2930	0_2_0F2E2930
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_0F2E11A8	0_2_0F2E11A8
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 0_2_0F2E35F0	0_2_0F2E35F0
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 1_2_02F0E480	1_2_02F0E480
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 1_2_02F0E471	1_2_02F0E471
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 1_2_02F0BBD4	1_2_02F0BBD4
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Code function: 1_2_066B0040	1_2_066B0040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_00DBB170	4_2_00DBB170
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_00DB9A3F	4_2_00DB9A3F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_00DBEBA0	4_2_00DBEBA0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_00DBE3A0	4_2_00DBE3A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_00DB34F8	4_2_00DB34F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_00DB0448	4_2_00DB0448
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_00DB3C60	4_2_00DB3C60
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_00DB6C10	4_2_00DB6C10
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_00DBCC30	4_2_00DBCC30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_00DB8F4A	4_2_00DB8F4A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_00DBEB90	4_2_00DBEB90
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_00DB0427	4_2_00DB0427
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_00DBF658	4_2_00DBF658
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_0E994748	4_2_0E994748
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_0E991F60	4_2_0E991F60
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_0E990040	4_2_0E990040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_0E991620	4_2_0E991620
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_0E994738	4_2_0E994738
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_0E991F51	4_2_0E991F51
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_0E995368	4_2_0E995368
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_0E9911A8	4_2_0E9911A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_0E9929A8	4_2_0E9929A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4_2_0E9935F0	4_2_0E9935F0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_0126E471	7_2_0126E471
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_0126E480	7_2_0126E480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 7_2_0126BBD4	7_2_0126BBD4

Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.245504993.0000000005830000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000000.220656885.0000000000D02000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameStub52.exe. vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSHCore1.dll0 vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.240375788.0000000002FB1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameRunPe6.dll" vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.621984474.0000000006F40000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.621320469.0000000006200000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000003.243082118.00000000014BF000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameStub52.exe. vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.615231415.000000000144A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe	Binary or memory string: OriginalFilenameStub52.exe. vs Invoice# 77-83992-8297382 (2).exe

Source: Invoice# 77-83992-8297382 (2).exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.620857692.0000000005730000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.620857692.0000000005730000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.308252762.0000000002C41000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.5730000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.5730000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 7.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.dhcpmon.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/5@39/2

Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe

File created: C:\Program Files (x86)\DHCP Monitor

Jump to behavior

Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice# 77-83992-8297382 (2).exe.log

Jump to behavior

Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\{e1e01d8e-d2ec-4c98-af39-dda666441e66}

Source: Invoice# 77-83992-8297382 (2).exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Invoice# 77-83992-8297382 (2).exe

ReversingLabs: Detection: 26%

Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe

File read: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe 'C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe'
Source: unknown	Process created: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process created: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Jump to behavior

Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Invoice# 77-83992-8297382 (2).exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Invoice# 77-83992-8297382 (2).exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.dhcpmon.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.dhcpmon.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 7.2.dhcpmon.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.2.dhcpmon.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe

File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	File opened: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe\:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	File opened: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	File opened: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe\:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\u

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Invoice# 77-83992-8297382 (2).exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection: