
Analysis Report New Order_1132012_xlxs.exe

Overview

General Information

Sample Name: New Order_1132012_xlxs.exe
Analysis ID: 339352
MD5: 1dc30f0b34a4f0d1404dc25a1cd54f6e
SHA1: a13d3512000d9f88bc0615e63cf3fe0053eac762
SHA256: 80d727cce7ca79da42e564afa636a5d023353bd7f87f9b5328038d8d3c4f071a
Tags: exe, NanoCore, nVpn, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • New Order_1132012_xlxs.exe (PID: 4132 cmdline: 'C:\Users\user\Desktop\New Order_1132012_xlxs.exe' MD5: 1DC30F0B34A4F0D1404DC25A1CD54F6E)
    • New Order_1132012_xlxs.exe (PID: 6192 cmdline: {path} MD5: 1DC30F0B34A4F0D1404DC25A1CD54F6E)
      • schtasks.exe (PID: 6276 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp53AD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6328 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5729.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6408 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 1DC30F0B34A4F0D1404DC25A1CD54F6E)
    • dhcpmon.exe (PID: 6732 cmdline: {path} MD5: 1DC30F0B34A4F0D1404DC25A1CD54F6E)
  • dhcpmon.exe (PID: 6904 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 1DC30F0B34A4F0D1404DC25A1CD54F6E)
    • dhcpmon.exe (PID: 1928 cmdline: {path} MD5: 1DC30F0B34A4F0D1404DC25A1CD54F6E)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.140.53.251"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.275464694.0000000002401000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000015.00000002.314926958.0000000003A39000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000015.00000002.314926958.0000000003A39000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
      • 0x43555:$a: NanoCore
      • 0x435ae:$a: NanoCore
      • 0x435eb:$a: NanoCore
      • 0x43664:$a: NanoCore
      • 0x56d0f:$a: NanoCore
      • 0x56d24:$a: NanoCore
      • 0x56d59:$a: NanoCore
      • 0x6fcdb:$a: NanoCore
      • 0x6fcf0:$a: NanoCore
      • 0x6fd25:$a: NanoCore
      • 0x435b7:$b: ClientPlugin
      • 0x435f4:$b: ClientPlugin
      • 0x43ef2:$b: ClientPlugin
      • 0x43eff:$b: ClientPlugin
      • 0x56acb:$b: ClientPlugin
      • 0x56ae6:$b: ClientPlugin
      • 0x56b16:$b: ClientPlugin
      • 0x56d2d:$b: ClientPlugin
      • 0x56d62:$b: ClientPlugin
      • 0x6fa97:$b: ClientPlugin
      • 0x6fab2:$b: ClientPlugin
00000009.00000002.279881959.0000000003E49000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
      • 0x148b65:$x1: NanoCore.ClientPluginHost
      • 0x17b585:$x1: NanoCore.ClientPluginHost
      • 0x148ba2:$x2: IClientNetworkHost
      • 0x17b5c2:$x2: IClientNetworkHost
      • 0x14c6d5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      • 0x17f0f5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000002.279881959.0000000003E49000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

        Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.New Order_1132012_xlxs.exe.52d0000.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
        • 0xd9ad:$x1: NanoCore.ClientPluginHost
        • 0xd9da:$x2: IClientNetworkHost
4.2.New Order_1132012_xlxs.exe.52d0000.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
        • 0xd9ad:$x2: NanoCore.ClientPluginHost
        • 0xea88:$s4: PipeCreated
        • 0xd9c7:$s5: IClientLoggingHost
4.2.New Order_1132012_xlxs.exe.52d0000.4.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
4.2.New Order_1132012_xlxs.exe.4e90000.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
          • 0xe75:$x1: NanoCore.ClientPluginHost
          • 0xe8f:$x2: IClientNetworkHost
4.2.New Order_1132012_xlxs.exe.4e90000.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
          • 0xe75:$x2: NanoCore.ClientPluginHost
          • 0x1261:$s3: PipeExists
          • 0x1136:$s4: PipeCreated
          • 0xeb0:$s5: IClientLoggingHost
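The offset listings above (for example 0x43555:$a: NanoCore) are what a Yara string scan over a memory dump produces, one line per string occurrence. The Python below is an added example and is not part of the Joe Sandbox report or of the published NanoCore rules: it scans a constructed buffer for the marker strings the rules above hit on, in both the UTF-8 form .NET uses for type names in its metadata tables and the UTF-16LE form used for literal strings, renders the hits in the report's offset:$id: string format, and applies an assumed condition (both $x1 and $x2, or at least two of $s3/$s4/$s5). The real rules' conditions are not reproduced here, and the buffer is constructed, not a dump from the analysis.

```python
import re

# Marker strings the rules in this report hit on, keyed by the identifiers
# the report uses. $x1/$x2/$s3-$s5 follow the Florian Roth rules' listing,
# $a/$b the Kevin Breen rule's listing.
MARKERS = {
    "$x1": b"NanoCore.ClientPluginHost",
    "$x2": b"IClientNetworkHost",
    "$s3": b"PipeExists",
    "$s4": b"PipeCreated",
    "$s5": b"IClientLoggingHost",
    "$a": b"NanoCore",
    "$b": b"ClientPlugin",
}

# Constructed stand-in for a memory dump: a few .NET metadata-style type names
# (UTF-8, NUL-terminated) followed by one UTF-16LE user string. Not real data.
SAMPLE_DUMP = (
    b"\x00" * 0x40
    + b"NanoCore.ClientPluginHost\x00IClientLoggingHost\x00IClientNetworkHost\x00"
    + b"\x00" * 0x20
    + "PipeCreated".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 0x10
)


def scan(buf, markers=MARKERS):
    """Return sorted (offset, identifier, text) tuples for every occurrence of
    every marker. .NET stores type and member names as UTF-8 in the metadata
    tables and literal strings as UTF-16LE in the #US heap, so each marker is
    searched in both encodings."""
    hits = []
    for ident, ascii_form in markers.items():
        wide_form = ascii_form.decode("ascii").encode("utf-16-le")
        for pattern, codec in ((ascii_form, "ascii"), (wide_form, "utf-16-le")):
            for m in re.finditer(re.escape(pattern), buf):
                hits.append((m.start(), ident, pattern.decode(codec)))
    return sorted(hits)


def format_hits(hits):
    """Render hits the way the report's Yara overview lists them."""
    return [f"0x{off:x}:{ident}: {text}" for off, ident, text in hits]


def matches_rule(hits):
    """Assumed condition for this example, not the published rules' text:
    both $x1 and $x2 present, or at least two of the $s markers."""
    ids = {ident for _, ident, _ in hits}
    return ("$x1" in ids and "$x2" in ids) or len(ids & {"$s3", "$s4", "$s5"}) >= 2


if __name__ == "__main__":
    found = scan(SAMPLE_DUMP)
    for line in format_hits(found):
        print(line)
    print("rule condition satisfied:", matches_rule(found))
```

Note how $a and $x1 report the same offset, and $b lands nine bytes later: "NanoCore" and "ClientPlugin" are substrings of "NanoCore.ClientPluginHost", and Yara reports every string independently. The report's own $a hits cluster in three regions (0x435xx, 0x56dxx, 0x6fcxx), which is what several assemblies carrying the same type names in one process would look like; the OriginalFilename strings later in the report (ClientPlugin.dll, SurveillanceExClientPlugin.dll) point the same way.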

          Sigma Overview

          System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\New Order_1132012_xlxs.exe, ProcessId: 6192, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp53AD.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp53AD.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\New Order_1132012_xlxs.exe, ParentProcessId: 6192, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp53AD.tmp', ProcessId: 6276
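Both Sigma hits reduce to a few field tests over Sysmon-style telemetry. The Python below is an added example, not the Sigma rules themselves and not code from the report: it runs the two checks over constructed events. Two of the process-creation rows and the run.dat file-creation row copy the command lines and path from this report; the benign rows, including the ProgramData task location, are invented for contrast. Field names follow Sysmon EventID 1 (process creation) and EventID 11 (file creation).

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style events (EventID 1 = process creation, 11 = file
# creation). The schtasks command lines and the run.dat path are copied from
# the report; the two benign rows are invented for contrast.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\New Order_1132012_xlxs.exe",
     "CommandLine": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp53AD.tmp'"},
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\user\Desktop\New Order_1132012_xlxs.exe",
     "CommandLine": r"'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp5729.tmp'"},
    # benign (invented): an admin importing a task definition from ProgramData
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks.exe /create /tn Backup /xml C:\ProgramData\Backup\task.xml"},
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\New Order_1132012_xlxs.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    # benign (invented): ordinary shell activity under Roaming
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\report.lnk"},
]

# /xml <path> where the path lies under %LOCALAPPDATA%\Temp
TEMP_XML_RE = re.compile(
    r"/xml\s+['\"]?([^'\"\s]*\\AppData\\Local\\Temp\\[^'\"\s]+)", re.IGNORECASE)
# /tn 'name', /tn "name" or /tn name
TASK_NAME_RE = re.compile(r"/tn\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.IGNORECASE)
# run.dat inside a GUID-named folder directly under %APPDATA%
GUID_RUNDAT_RE = re.compile(
    r"\\AppData\\Roaming\\[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\\run\.dat$",
    re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def detect_schtasks_from_temp(event):
    """Sigma 'Scheduled temp file as task from temp location': schtasks.exe
    creating a task whose XML definition is read from a Temp directory."""
    if event.get("EventID") != 1:
        return None
    if not event.get("Image", "").lower().endswith("\\schtasks.exe"):
        return None
    cmd = event.get("CommandLine", "")
    if "/create" not in cmd.lower():
        return None
    xml = TEMP_XML_RE.search(cmd)
    if not xml:
        return None
    tn = TASK_NAME_RE.search(cmd)
    name = next((g for g in tn.groups() if g), "?") if tn else "?"
    return Alert("schtasks_xml_from_temp", f"task {name!r} defined by {xml.group(1)}")


def detect_nanocore_rundat(event):
    """Sigma 'NanoCore' file-creation pattern as matched in this report:
    run.dat written into a GUID-named folder under %APPDATA%."""
    if event.get("EventID") != 11:
        return None
    target = event.get("TargetFilename", "")
    if not GUID_RUNDAT_RE.search(target):
        return None
    return Alert("nanocore_rundat", f"{event.get('Image')} wrote {target}")


def run_detections(events):
    """Apply every detector to every event; returns alerts in event order."""
    alerts = []
    for ev in events:
        for detector in (detect_schtasks_from_temp, detect_nanocore_rundat):
            alert = detector(ev)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

The /f (force overwrite) flag, a tmpXXXX.tmp task definition in %TEMP% and a parent binary running from the user's Desktop are the combination to look for; a task registered this way has its definition persisted under C:\Windows\System32\Tasks\<task name>, so that file is where to recover the action target during triage (in this report the installed copy is C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe). The run.dat check is deliberately narrow and matches only the folder layout this sample produced.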

          Signature Overview

          AV Detection:

Found malware configuration
Source: New Order_1132012_xlxs.exe.6740.14.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["185.140.53.251"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | ReversingLabs: Detection: 28%
Multi AV Scanner detection for submitted file
Source: New Order_1132012_xlxs.exe | ReversingLabs: Detection: 28%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000015.00000002.314926958.0000000003A39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.279881959.0000000003E49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.298640803.00000000036B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.632780032.00000000052D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.625065981.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.291660403.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.631227388.0000000003A09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.292460519.00000000040E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.314829401.0000000002A31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.292360574.00000000030E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.292801706.0000000003C39000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.291345804.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.276289789.0000000003409000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.292643698.0000000002C31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.313795834.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.245920133.0000000003D49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6740, type: MEMORY
Source: Yara match | File source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6192, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 1928, type: MEMORY
Source: Yara match | File source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORY
Source: Yara match | File source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: New Order_1132012_xlxs.exe | Joe Sandbox ML: detected
Source: 13.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.unpack | Avira: Label: TR/NanoCore.fadte
Source: 21.2.dhcpmon.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.New Order_1132012_xlxs.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: New Order_1132012_xlxs.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: New Order_1132012_xlxs.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_052D9690
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 10_2_04A89690

          Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 185.140.53.251
Source: global traffic | TCP traffic: 192.168.2.5:49722 -> 185.140.53.251:1995
Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
Source: unknown | TCP traffic detected without corresponding DNS query: 185.140.53.251 (50 connections logged)
Source: dhcpmon.exe, 0000000A.00000002.275179535.00000000008A8000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: New Order_1132012_xlxs.exe, 00000004.00000002.631227388.0000000003A09000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices
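The "TCP traffic detected without corresponding DNS query" and "non-standard ports" signatures both fall out of correlating DNS answers with the connections that follow them. The Python below is an added example, not the sandbox's own logic: it walks constructed flow records in time order, remembers every IP seen in a DNS answer, and flags TCP destinations that were never resolved, plus destination ports outside an assumed "standard" set. The sandbox host 192.168.2.5 and the C2 endpoint 185.140.53.251:1995 come from the report; every other address, name, port and timestamp is invented.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed flow records: (timestamp_seconds, kind, fields). The sandbox
# host 192.168.2.5 and the C2 endpoint 185.140.53.251:1995 come from the
# report; every other address, name and time is invented.
SAMPLE_FLOWS = [
    (1.0, "dns", {"query": "example.com", "answers": ["93.184.216.34"]}),
    (1.2, "tcp", {"src": "192.168.2.5:49701", "dst": "93.184.216.34:443"}),
    (5.0, "tcp", {"src": "192.168.2.5:49722", "dst": "185.140.53.251:1995"}),
    (9.0, "tcp", {"src": "192.168.2.5:49730", "dst": "185.140.53.251:1995"}),
    (12.0, "dns", {"query": "update.example.net", "answers": ["203.0.113.7"]}),
    (12.5, "tcp", {"src": "192.168.2.5:49741", "dst": "203.0.113.7:8443"}),
]

# Ports treated as ordinary for outbound client traffic. This set is an
# assumption for the example; tune it to the environment.
STANDARD_PORTS = {25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995}


@dataclass(frozen=True)
class Finding:
    kind: str
    dst: str
    note: str


def split_endpoint(endpoint):
    """'ip:port' -> ('ip', port); rpartition keeps this safe for IPv6 text."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def analyse(flows):
    """Walk flows in time order. A TCP destination counts as resolved only if
    an earlier DNS answer carried that IP; anything else is a direct-to-IP
    connection, which is what a hard-coded C2 address produces. Returns the
    findings (one per distinct destination and kind) and, per unresolved IP,
    how many connections were made to it."""
    resolved = {}                         # ip -> first query name that returned it
    direct_counts = defaultdict(int)      # ip -> connections without DNS
    seen = set()                          # (kind, dst) already reported
    findings = []
    for _ts, kind, f in sorted(flows, key=lambda r: r[0]):
        if kind == "dns":
            for ip in f["answers"]:
                resolved.setdefault(ip, f["query"])
        elif kind == "tcp":
            ip, port = split_endpoint(f["dst"])
            if ip not in resolved:
                direct_counts[ip] += 1
                if ("tcp_without_dns", f["dst"]) not in seen:
                    seen.add(("tcp_without_dns", f["dst"]))
                    findings.append(Finding("tcp_without_dns", f["dst"],
                                            "no prior DNS answer for this IP"))
            if port not in STANDARD_PORTS and ("nonstandard_port", f["dst"]) not in seen:
                seen.add(("nonstandard_port", f["dst"]))
                findings.append(Finding("nonstandard_port", f["dst"], f"port {port}"))
    return findings, dict(direct_counts)


if __name__ == "__main__":
    found, counts = analyse(SAMPLE_FLOWS)
    for fi in found:
        print(f"[{fi.kind}] {fi.dst}: {fi.note}")
    for ip, n in counts.items():
        print(f"{ip}: {n} connection(s) without a DNS query")
```

In the sandbox the whole run is captured, so the absence of any DNS lookup for 185.140.53.251 is conclusive. On a production sensor, seed the resolved map from a window before the first connection of interest, or a cached resolution made before capture started will look like a hard-coded address; also feed CNAME chains and AAAA answers into the same map, or IPv6 destinations will be flagged for the wrong reason.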

          E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | same 16 memory dumps, 4 process memory spaces and 6 unpacked PEs as listed under AV Detection above

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000015.00000002.314926958.0000000003A39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000009.00000002.279881959.0000000003E49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000009.00000002.279881959.0000000003E49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.298640803.00000000036B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000F.00000002.298640803.00000000036B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.632780032.00000000052D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000002.632470140.0000000004E90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000002.625065981.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000004.00000002.625065981.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.291660403.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000E.00000002.291660403.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.631227388.0000000003A09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.292460519.00000000040E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.314829401.0000000002A31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.292360574.00000000030E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.292801706.0000000003C39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000D.00000002.291345804.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000D.00000002.291345804.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.276289789.0000000003409000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0000000A.00000002.276289789.0000000003409000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.292643698.0000000002C31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.313795834.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000015.00000002.313795834.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.245920133.0000000003D49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.245920133.0000000003D49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6740, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6740, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6192, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6192, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 1928, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 1928, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 4.2.New Order_1132012_xlxs.exe.4e90000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 14.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: New Order_1132012_xlxs.exe
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 0_2_0136CAE4
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 0_2_0136EEB0
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 0_2_0136EEA3
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 0_2_052D8658
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 0_2_052D0AE0
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 0_2_052D9690
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 0_2_052DA538
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 0_2_052DA548
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 0_2_052DA7E8
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 0_2_052D8648
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 0_2_052D0AD3
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 0_2_052D9680
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 4_2_0104E471
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 4_2_0104E480
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 4_2_0104BBD4
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 4_2_029A9788
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 4_2_029AF5F8
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 4_2_029A35A8
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 4_2_029AA5D0
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 4_2_029AA5F8
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 4_2_06360040
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 9_2_0148CAE4
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 9_2_0148EEAB
Source: C:\Users\user\Desktop\New Order_1132012_xlxs.exe | Code function: 9_2_0148EEB0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_0085CAE4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_0085EEAA
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_0085EEB0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_04A88658
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_04A80AE0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_04A89690
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_04A8A538
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_04A8A548
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_04A88648
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_04A8A7E8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_04A80AD2
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe | Code function: 10_2_04A89680
          Source: New Order_1132012_xlxs.exe | Binary or memory string: OriginalFilename vs New Order_1132012_xlxs.exe
          Source: New Order_1132012_xlxs.exe, 00000000.00000002.249375207.0000000005E00000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs New Order_1132012_xlxs.exe
          Source: New Order_1132012_xlxs.exe, 00000004.00000002.633834300.0000000006870000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs New Order_1132012_xlxs.exe
          Source: New Order_1132012_xlxs.exe, 00000004.00000002.633553683.00000000061F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs New Order_1132012_xlxs.exe
          Source: New Order_1132012_xlxs.exe, 00000004.00000002.631227388.0000000003A09000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs New Order_1132012_xlxs.exe
          Source: New Order_1132012_xlxs.exe, 00000004.00000002.631227388.0000000003A09000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs New Order_1132012_xlxs.exe
          Source: New Order_1132012_xlxs.exe, 00000004.00000002.633122925.0000000005DC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs New Order_1132012_xlxs.exe
          Source: New Order_1132012_xlxs.exe, 00000009.00000002.283641532.0000000005380000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs New Order_1132012_xlxs.exe
          Source: New Order_1132012_xlxs.exe, 00000009.00000002.283632147.0000000005370000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs New Order_1132012_xlxs.exe
          Source: New Order_1132012_xlxs.exe, 00000009.00000002.284265973.0000000005EE0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs New Order_1132012_xlxs.exe
          Source: New Order_1132012_xlxs.exe, 00000009.00000002.276116621.0000000001259000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs New Order_1132012_xlxs.exe
          Source: New Order_1132012_xlxs.exe, 0000000E.00000002.292801706.0000000003C39000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs New Order_1132012_xlxs.exe
          Source: New Order_1132012_xlxs.exe, 0000000E.00000002.292801706.0000000003C39000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs New Order_1132012_xlxs.exe
          Source: New Order_1132012_xlxs.exe, 0000000E.00000002.292801706.0000000003C39000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs New Order_1132012_xlxs.exe
          Source: New Order_1132012_xlxs.exe | Binary or memory string: OriginalFilename3FU.exeR vs New Order_1132012_xlxs.exe
          Source: New Order_1132012_xlxs.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000015.00000002.314926958.0000000003A39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000009.00000002.279881959.0000000003E49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000009.00000002.279881959.0000000003E49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000F.00000002.298640803.00000000036B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000F.00000002.298640803.00000000036B9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000004.00000002.632780032.00000000052D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000004.00000002.632780032.00000000052D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000004.00000002.632470140.0000000004E90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000004.00000002.632470140.0000000004E90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 00000004.00000002.625065981.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000004.00000002.625065981.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000E.00000002.291660403.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000E.00000002.291660403.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000004.00000002.631227388.0000000003A09000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000D.00000002.292460519.00000000040E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000015.00000002.314829401.0000000002A31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000D.00000002.292360574.00000000030E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000E.00000002.292801706.0000000003C39000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000D.00000002.291345804.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000D.00000002.291345804.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000A.00000002.276289789.0000000003409000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 0000000A.00000002.276289789.0000000003409000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 0000000E.00000002.292643698.0000000002C31000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000015.00000002.313795834.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000015.00000002.313795834.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 00000000.00000002.245920133.0000000003D49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 00000000.00000002.245920133.0000000003D49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6740, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6740, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6192, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: New Order_1132012_xlxs.exe PID: 6192, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: dhcpmon.exe PID: 1928, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: dhcpmon.exe PID: 1928, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: Process Memory Space: dhcpmon.exe PID: 6732, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 4.2.New Order_1132012_xlxs.exe.4e90000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 4.2.New Order_1132012_xlxs.exe.4e90000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 21.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 13.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 4.2.New Order_1132012_xlxs.exe.52d0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: 14.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
          Source: 14.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
          Source: 14.2.New Order_1132012_xlxs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
          Source: New Order_1132012_xlxs.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: dhcpmon.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, #=qjIje6jGWLd2EOkfZXKqBbg==.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'CreateDecryptor'
          Source: 4.2.New Order_1132012_xlxs.exe.400000.0.unpack, #=qVxXNKnhAcArgJoGGYXiyyQ==.cs | Cryptographic APIs: 'TransformFinalBlock'
          Source: 10.0.dhcpmon.exe.90000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
          Source: 10.0.dhcpmon.exe.90000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 10.0.dhcpmon.exe.90000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: 4.2.New Order_1132012_xlxs.exe.4e0000.1.unpack, ParentalControl/ParentalControl.cs