
Analysis Report: Invoice# 77-83992-8297382 (2).exe

Overview

General Information

Sample Name: Invoice# 77-83992-8297382 (2).exe
Analysis ID: 339193
MD5: 4c67eb7b3f4ea88e5e5487ade487de3f
SHA1: d118ae4beef890783251d53f3f7fe5e6c9a65a10
SHA256: db433304c3e22d8222cfe510e8548515c9dccfc9f080f94efc67aa11f44a6b3f
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Antivirus or Machine Learning detection for unpacked file
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Startup

  • System is w10x64
  • dhcpmon.exe (PID: 1020 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 4C67EB7B3F4EA88E5E5487ADE487DE3F)
    • dhcpmon.exe (PID: 6228 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 4C67EB7B3F4EA88E5E5487ADE487DE3F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x2ee5:$a: NanoCore
  • 0x2f3e:$a: NanoCore
  • 0x2f7b:$a: NanoCore
  • 0x2ff4:$a: NanoCore
  • 0x1669f:$a: NanoCore
  • 0x166b4:$a: NanoCore
  • 0x166e9:$a: NanoCore
  • 0x2f173:$a: NanoCore
  • 0x2f188:$a: NanoCore
  • 0x2f1bd:$a: NanoCore
  • 0x2f47:$b: ClientPlugin
  • 0x2f84:$b: ClientPlugin
  • 0x3882:$b: ClientPlugin
  • 0x388f:$b: ClientPlugin
  • 0x1645b:$b: ClientPlugin
  • 0x16476:$b: ClientPlugin
  • 0x164a6:$b: ClientPlugin
  • 0x166bd:$b: ClientPlugin
  • 0x166f2:$b: ClientPlugin
  • 0x2ef2f:$b: ClientPlugin
  • 0x2ef4a:$b: ClientPlugin
Source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
Source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
Source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
(5 of 43 entries shown)

Unpacked PEs

Source: 1.2.Invoice# 77-83992-8297382 (2).exe.5730000.3.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.5730000.3.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
(5 of 11 entries shown)
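The Strings column above lists, per matched rule, each string identifier with the offset at which it was found in the memory dump or unpacked PE. The Python below is an added example and is not part of the Joe Sandbox report, nor is it the NanoCore rule by Kevin Breen or the Nanocore_RAT_* rules by Florian Roth: it reproduces only the identifiers and values the report shows hitting, the per-rule threshold of distinct identifiers is a constructed assumption (the real rules carry more strings and their own conditions), and the buffer it scans is constructed to stand in for a dump. It shows how the offset:$id: value rows are derived and why some of them cluster.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    """A cut-down rule: identifier -> byte pattern, plus how many distinct
    identifiers must hit for the rule to fire (constructed threshold)."""
    name: str
    strings: dict[str, bytes]
    min_matches: int = 1


# Constructed rule table: only the identifiers/values visible in the report.
# The real NanoCore (Kevin Breen) and Nanocore_RAT_* (Florian Roth) rules
# carry more strings and their own conditions; these are not those rules.
RULES = [
    Rule("NanoCore", {"$a": b"NanoCore", "$b": b"ClientPlugin"}, min_matches=2),
    Rule("Nanocore_RAT_Gen_2",
         {"$x1": b"NanoCore.ClientPluginHost", "$x2": b"IClientNetworkHost"}),
    Rule("Nanocore_RAT_Feb18_1",
         {"$x1": b"NanoCore Client.exe", "$x2": b"NanoCore.ClientPluginHost",
          "$s1": b"PluginCommand", "$s2": b"FileCommand", "$s3": b"PipeExists",
          "$s4": b"PipeCreated", "$s5": b"IClientLoggingHost"}, min_matches=2),
]


def find_all(data: bytes, pattern: bytes) -> list[int]:
    """Every offset of pattern in data, overlapping hits included."""
    offsets, start = [], 0
    while (i := data.find(pattern, start)) >= 0:
        offsets.append(i)
        start = i + 1
    return offsets


def scan(data: bytes, rules=RULES) -> dict[str, list[tuple[int, str, str]]]:
    """Map rule name -> sorted (offset, identifier, value) hits for every rule
    whose threshold of distinct identifiers is met."""
    result = {}
    for rule in rules:
        hits = [(off, ident, pat.decode("ascii"))
                for ident, pat in rule.strings.items()
                for off in find_all(data, pat)]
        if len({ident for _, ident, _ in hits}) >= rule.min_matches:
            result[rule.name] = sorted(hits)
    return result


def format_report(result) -> list[str]:
    """Render hits in the report's 'offset:$id: value' style."""
    lines = []
    for rule_name, hits in result.items():
        lines.append(f"Matched rule: {rule_name}")
        lines.extend(f"  0x{off:x}:{ident}: {value}" for off, ident, value in hits)
    return lines


# Constructed stand-in for a memory dump (not the real .sdmp contents).
SAMPLE = (b"\x00" * 0x20
          + b"NanoCore.ClientPluginHost\x00"
          + b"IClientLoggingHost\x00"
          + b"\x90" * 7
          + b"IClientNetworkHost\x00"
          + b"PipeCreated\x00"
          + b"ClientPlugin\x00")

if __name__ == "__main__":
    print("\n".join(format_report(scan(SAMPLE))))
```

Because $a NanoCore is a prefix of NanoCore.ClientPluginHost, a $b ClientPlugin hit lands 9 bytes after an $a hit wherever that type name occurs, which is exactly the 0x2f3e/0x2f47 and 0x2f7b/0x2f84 pairs in the table above; the scanner reproduces the same pairing at 0x20/0x29 in the constructed buffer. For real triage, run the published rules with yara-python over the dumps rather than this scanner; the point here is only how the rows are produced.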

        Sigma Overview

        System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe, ProcessId: 5800, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
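The Sigma hit above fired on a Sysmon Event ID 11 (FileCreate) record: the sample (PID 5800) wrote run.dat into a GUID-named folder directly under the user's AppData\Roaming. The body of Joe Security's Sigma rule is not shown in this report, so the Python below is an added example and a constructed approximation of what a rule keyed on that event needs to check, not the rule itself. The event records are constructed; the first reproduces the Data: line of the report, and the GUID-folder pattern it matches on is an assumption drawn from that single path.

```python
import re
from typing import Iterable

# Constructed pattern: run.dat inside a GUID-named folder directly under
# AppData\Roaming. Case-insensitive because NTFS paths are. Assumption: the
# 8-4-4-4-12 hex GUID form without braces, as in the report's path.
RUN_DAT_RE = re.compile(
    r"\\AppData\\Roaming\\"
    r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}"
    r"\\run\.dat$",
    re.IGNORECASE,
)


def is_nanocore_run_dat(event: dict) -> bool:
    """True only for a Sysmon Event ID 11 (FileCreate) whose TargetFilename
    matches the GUID-folder run.dat pattern; other event types never match."""
    if str(event.get("EventID")) != "11":
        return False
    return RUN_DAT_RE.search(event.get("TargetFilename", "")) is not None


def detect(events: Iterable[dict]) -> list[dict]:
    """Return one alert (Image, ProcessId, TargetFilename) per matching event."""
    return [
        {"Image": ev.get("Image"), "ProcessId": ev.get("ProcessId"),
         "TargetFilename": ev["TargetFilename"]}
        for ev in events if is_nanocore_run_dat(ev)
    ]


# Constructed Sysmon events. The first reproduces the one quoted in the report;
# the rest are negatives a rule must not fire on.
EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe",
     "ProcessId": 5800,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    # benign: a browser writing into its own Roaming profile folder
    {"EventID": 11, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ProcessId": 4321,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abc.default\places.sqlite"},
    # same path but a process-create event (ID 1), not a file create: no match
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "ProcessId": 1234,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    # run.dat written outside a GUID folder under Roaming: no match
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe", "ProcessId": 999,
     "TargetFilename": r"C:\ProgramData\Vendor\run.dat"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f"ALERT run.dat drop: pid={alert['ProcessId']} "
              f"image={alert['Image']} -> {alert['TargetFilename']}")
```

When porting this to a real Sigma rule, keep the anchor on the GUID folder rather than on run.dat alone: the file name by itself is generic, while a bare GUID directory under AppData\Roaming written by a process launched from the user's Desktop is the part of this event worth alerting on, and the dropped copy under C:\Program Files (x86)\DHCP Monitor\ in the Startup tree above is the second artifact to correlate with it.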

        Signature Overview

        AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 26%
Multi AV Scanner detection for submitted file
Source: Invoice# 77-83992-8297382 (2).exe | ReversingLabs: Detection: 26%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.616036115.0000000003021000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.308252762.0000000002C41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORY
Source: Yara match | File source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORY
Source: Yara match | File source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack, type: UNPACKEDPE
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack | Avira: Label: TR/NanoCore.fadte
Source: Invoice# 77-83992-8297382 (2).exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Invoice# 77-83992-8297382 (2).exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 4x nop then jmp 016AEB76h | 0_2_016AE3B0
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 4x nop then mov esp, ebp | 0_2_016A8DC0
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 4x nop then jmp 016AEB76h | 0_2_016AE3A0
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 4x nop then mov esp, ebp | 0_2_016A8DB1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then jmp 00DBEB76h | 4_2_00DBE3A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then mov esp, ebp | 4_2_00DB8DC0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then mov esp, ebp | 4_2_00DB8DB1
Source: global traffic | TCP traffic: 192.168.2.3:49712 -> 194.5.97.173:10004
Source: unknown | DNS traffic detected: queries for: 1.ispnano.dns-cloud.net
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000003.233824722.0000000001326000.00000004.00000001.sdmp | String found in binary or memory: http://go.microsoft.c
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.240339078.00000000016E9000.00000004.00000040.sdmp | String found in binary or memory: http://ns.ado/Ident
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

        E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File sources: the same 21 memory dumps, process memory spaces and unpacked PEs listed under AV Detection above

        System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.620857692.0000000005730000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000007.00000002.308252762.0000000002C41000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.5730000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Invoice# 77-83992-8297382 (2).exe
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_0F2E2FE8 CreateProcessAsUserW | 0_2_0F2E2FE8
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_016AB180
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_016AEBA0
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_016AE3B0
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_016A9A50
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_016A0448
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_016ACC40
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_016A6C10
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_016A34F8
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_016A8F58
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_016AB170
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_016AE3A0
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_016AEB90
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_016A9A3F
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_016ACC30
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_016A8F4A
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_016AF648
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_0F2E4748
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_0F2E1EA8
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_0F2E0040
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_0F2E4738
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_0F2E5368
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_0F2E1620
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_0F2E1E9D
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_0F2E2930
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_0F2E11A8
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 0_2_0F2E35F0
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 1_2_02F0E480
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 1_2_02F0E471
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 1_2_02F0BBD4
Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Code function: 1_2_066B0040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_00DBB170
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_00DB9A3F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_00DBEBA0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_00DBE3A0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_00DB34F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_00DB0448
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_00DB3C60
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_00DB6C10
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_00DBCC30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_00DB8F4A
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_00DBEB90
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_00DB0427
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_00DBF658
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_0E994748
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_0E991F60
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_0E990040
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_0E991620
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_0E994738
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_0E991F51
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_0E995368
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_0E9911A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_0E9929A8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4_2_0E9935F0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 7_2_0126E471
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 7_2_0126E480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 7_2_0126BBD4
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.245504993.0000000005830000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000000.220656885.0000000000D02000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStub52.exe. vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000000.00000002.240375788.0000000002FB1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPe6.dll" vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.621984474.0000000006F40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.621320469.0000000006200000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000003.243082118.00000000014BF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStub52.exe. vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe, 00000001.00000002.615231415.000000000144A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe | Binary or memory string: OriginalFilenameStub52.exe. vs Invoice# 77-83992-8297382 (2).exe
Source: Invoice# 77-83992-8297382 (2).exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000001.00000002.619051050.0000000004069000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.621166702.00000000059E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.300827633.00000000044AF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.613044676.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.244571473.0000000004A9F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.307110365.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.243948615.0000000004909000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.243390482.0000000003FC1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.308355679.0000000003C49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.296404991.00000000039D1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.297386701.0000000004319000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.620857692.0000000005730000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000001.00000002.620857692.0000000005730000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 00000007.00000002.308252762.0000000002C41000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 4120, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: Invoice# 77-83992-8297382 (2).exe PID: 5800, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 1020, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6228, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.5730000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.5730000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.59e0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 7.2.dhcpmon.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 7.2.dhcpmon.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 7.2.dhcpmon.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 7.2.dhcpmon.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 7.2.dhcpmon.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/5@39/2
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | File created: C:\Program Files (x86)\DHCP Monitor
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice# 77-83992-8297382 (2).exe.log
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{e1e01d8e-d2ec-4c98-af39-dda666441e66}
        Source: Invoice# 77-83992-8297382 (2).exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: Invoice# 77-83992-8297382 (2).exe | ReversingLabs: Detection: 26%
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | File read: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe
        Source: unknown | Process created: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe 'C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe'
        Source: unknown | Process created: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: unknown | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Process created: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: Invoice# 77-83992-8297382 (2).exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: Invoice# 77-83992-8297382 (2).exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.2.dhcpmon.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.2.dhcpmon.exe.400000.0.unpack, #=qxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecU=.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 1.2.Invoice# 77-83992-8297382 (2).exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 7.2.dhcpmon.exe.400000.0.unpack, #=qJT4I5hOweIk$xYFEeDszbikglXCuquUd$v9AXtyq2ns=.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 7.2.dhcpmon.exe.400000.0.unpack, #=qWrm21vQ8CBMZP_RBTwpusA==.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | File opened: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe\:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | File opened: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe:Zone.Identifier read attributes | delete
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | File opened: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe\:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\Invoice# 77-83992-8297382 (2).exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\u