Analysis Report Invoice# 77-84993-84929.exe

Overview

General Information

Sample Name: Invoice# 77-84993-84929.exe
Analysis ID: 339358
MD5: 3beaa725263104d4638eb877a7d0b37d
SHA1: da267ad7c11acb864db25a561fea1e2cc3663fd0
SHA256: eba0abe9461df84c76949df2d559f66b0379cbdbd430f8db884c55d0aa469980
Tags: exe, NanoCore

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1aa7d:$x1: NanoCore.ClientPluginHost
  • 0x1aa6a:$x2: IClientNetworkHost
  • 0x19142:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x19983:$x1: NanoCore Client.exe
  • 0x1aa7d:$x2: NanoCore.ClientPluginHost
  • 0x19120:$s1: PluginCommand
  • 0x19108:$s2: FileCommand
  • 0x1a88b:$s3: PipeExists
  • 0x190d8:$s4: PipeCreated
  • 0x1aa57:$s5: IClientLoggingHost
00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x19536:$a: NanoCore
  • 0x19983:$a: NanoCore
  • 0x19e84:$a: NanoCore
  • 0x1a974:$a: NanoCore
  • 0x1aa7d:$a: NanoCore
  • 0x19e8d:$b: ClientPlugin
  • 0x1aa86:$b: ClientPlugin
  • 0x18f48:$c: ProjectData
  • 0x332cd:$c: ProjectData
  • 0x1a295:$d: DESCrypto
  • 0x1991a:$e: KeepAlive
  • 0x1927a:$g: LogClientMessage
  • 0x190e4:$i: get_Connected
  • 0xfc25:$j: #=q
  • 0xfc76:$j: #=q
  • 0xfcba:$j: #=q
  • 0xfdd5:$j: #=q
  • 0xfe3a:$j: #=q
  • 0xfe9f:$j: #=q
  • 0xfeef:$j: #=q
  • 0xff33:$j: #=q
00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1a82d:$x1: NanoCore.ClientPluginHost
  • 0x1a81a:$x2: IClientNetworkHost
  • 0x18ef2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1980d:$x1: NanoCore.ClientPluginHost
  • 0x197fa:$x2: IClientNetworkHost
  • 0x17ed2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x18713:$x1: NanoCore Client.exe
  • 0x1980d:$x2: NanoCore.ClientPluginHost
  • 0x17eb0:$s1: PluginCommand
  • 0x17e98:$s2: FileCommand
  • 0x1961b:$s3: PipeExists
  • 0x17e68:$s4: PipeCreated
  • 0x197e7:$s5: IClientLoggingHost
1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x182c6:$a: NanoCore
  • 0x18713:$a: NanoCore
  • 0x18c14:$a: NanoCore
  • 0x19704:$a: NanoCore
  • 0x1980d:$a: NanoCore
  • 0x18c1d:$b: ClientPlugin
  • 0x19816:$b: ClientPlugin
  • 0x17cd8:$c: ProjectData
  • 0x3205d:$c: ProjectData
  • 0x3487d:$c: ProjectData
  • 0x36ce0:$c: ProjectData
  • 0x391a5:$c: ProjectData
  • 0x3bb38:$c: ProjectData
  • 0x3e599:$c: ProjectData
  • 0x19025:$d: DESCrypto
  • 0x186aa:$e: KeepAlive
  • 0x1800a:$g: LogClientMessage
  • 0x17e74:$i: get_Connected
  • 0xe9b5:$j: #=q
  • 0xea06:$j: #=q
  • 0xea4a:$j: #=q
1.2.Invoice# 77-84993-84929.exe.6da0000.10.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x18ecd:$x1: NanoCore.ClientPluginHost
  • 0x18eba:$x2: IClientNetworkHost
  • 0x17592:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe

      Sigma Overview

      System Summary:

      Sigma detected: NanoCore
      Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe, ProcessId: 5732, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Signature Overview

      AV Detection:

      Multi AV Scanner detection for submitted file
      Source: Invoice# 77-84993-84929.exe, ReversingLabs: Detection: 28%
      Yara detected Nanocore RAT
      Machine Learning detection for sample
      Source: Invoice# 77-84993-84929.exe, Joe Sandbox ML: detected
      Source: Invoice# 77-84993-84929.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: Invoice# 77-84993-84929.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe, Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h, 0_2_05849690
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmp, String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmp, String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmp, String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmp, String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmp, String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmp, String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.digicert.com0C
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.digicert.com0O
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmp, String found in binary or memory: http://www.digicert.com/CPS0
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmp, String found in binary or memory: https://www.digicert.com/CPS0
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392107723.00000000015BB000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

      E-Banking Fraud:

      Yara detected Nanocore RAT

      System Summary:

      Malicious sample detected (through community Yara rule)
      Initial sample is a PE file and has a suspicious name
      Source: initial sample, Static PE information: Filename: Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, Binary or memory string: OriginalFilename vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.400929477.0000000005860000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.395473314.0000000004704000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, Binary or memory string: OriginalFilename vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.700544344.0000000007EF0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamedcad daf.exe2 vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, Binary or memory string: OriginalFilename>T vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, Binary or memory string: OriginalFilename~ vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamel vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, Binary or memory string: OriginalFilenamebB.exeR vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, licen<