Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report Invoice# 77-84993-84929.exe

Overview

General Information

Sample Name:Invoice# 77-84993-84929.exe
Analysis ID:339358
MD5:3beaa725263104d4638eb877a7d0b37d
SHA1:da267ad7c11acb864db25a561fea1e2cc3663fd0
SHA256:eba0abe9461df84c76949df2d559f66b0379cbdbd430f8db884c55d0aa469980
Tags:exeNanoCore

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x1aa7d:$x1: NanoCore.ClientPluginHost
  • 0x1aa6a:$x2: IClientNetworkHost
  • 0x19142:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
  • 0x19983:$x1: NanoCore Client.exe
  • 0x1aa7d:$x2: NanoCore.ClientPluginHost
  • 0x19120:$s1: PluginCommand
  • 0x19108:$s2: FileCommand
  • 0x1a88b:$s3: PipeExists
  • 0x190d8:$s4: PipeCreated
  • 0x1aa57:$s5: IClientLoggingHost
00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x19536:$a: NanoCore
    • 0x19983:$a: NanoCore
    • 0x19e84:$a: NanoCore
    • 0x1a974:$a: NanoCore
    • 0x1aa7d:$a: NanoCore
    • 0x19e8d:$b: ClientPlugin
    • 0x1aa86:$b: ClientPlugin
    • 0x18f48:$c: ProjectData
    • 0x332cd:$c: ProjectData
    • 0x1a295:$d: DESCrypto
    • 0x1991a:$e: KeepAlive
    • 0x1927a:$g: LogClientMessage
    • 0x190e4:$i: get_Connected
    • 0xfc25:$j: #=q
    • 0xfc76:$j: #=q
    • 0xfcba:$j: #=q
    • 0xfdd5:$j: #=q
    • 0xfe3a:$j: #=q
    • 0xfe9f:$j: #=q
    • 0xfeef:$j: #=q
    • 0xff33:$j: #=q
    00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x1a82d:$x1: NanoCore.ClientPluginHost
    • 0x1a81a:$x2: IClientNetworkHost
    • 0x18ef2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    Click to see the 52 entries

    Unpacked PEs

    SourceRuleDescriptionAuthorStrings
    1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x1980d:$x1: NanoCore.ClientPluginHost
    • 0x197fa:$x2: IClientNetworkHost
    • 0x17ed2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0x18713:$x1: NanoCore Client.exe
    • 0x1980d:$x2: NanoCore.ClientPluginHost
    • 0x17eb0:$s1: PluginCommand
    • 0x17e98:$s2: FileCommand
    • 0x1961b:$s3: PipeExists
    • 0x17e68:$s4: PipeCreated
    • 0x197e7:$s5: IClientLoggingHost
    1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
      • 0x182c6:$a: NanoCore
      • 0x18713:$a: NanoCore
      • 0x18c14:$a: NanoCore
      • 0x19704:$a: NanoCore
      • 0x1980d:$a: NanoCore
      • 0x18c1d:$b: ClientPlugin
      • 0x19816:$b: ClientPlugin
      • 0x17cd8:$c: ProjectData
      • 0x3205d:$c: ProjectData
      • 0x3487d:$c: ProjectData
      • 0x36ce0:$c: ProjectData
      • 0x391a5:$c: ProjectData
      • 0x3bb38:$c: ProjectData
      • 0x3e599:$c: ProjectData
      • 0x19025:$d: DESCrypto
      • 0x186aa:$e: KeepAlive
      • 0x1800a:$g: LogClientMessage
      • 0x17e74:$i: get_Connected
      • 0xe9b5:$j: #=q
      • 0xea06:$j: #=q
      • 0xea4a:$j: #=q
      1.2.Invoice# 77-84993-84929.exe.6da0000.10.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x18ecd:$x1: NanoCore.ClientPluginHost
      • 0x18eba:$x2: IClientNetworkHost
      • 0x17592:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      Click to see the 83 entries

      Sigma Overview

      System Summary:

      barindex
      Sigma detected: NanoCoreShow sources
      Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe, ProcessId: 5732, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Multi AV Scanner detection for submitted fileShow sources
      Source: Invoice# 77-84993-84929.exeReversingLabs: Detection: 28%
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Invoice# 77-84993-84929.exe PID: 5732, type: MEMORY
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.raw.unpack, type: UNPACKEDPE
      Machine Learning detection for sampleShow sources
      Source: Invoice# 77-84993-84929.exeJoe Sandbox ML: detected
      Source: Invoice# 77-84993-84929.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: Invoice# 77-84993-84929.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0C
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0O
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPS0
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.399118004.0000000005104000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392107723.00000000015BB000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

      E-Banking Fraud:

      barindex
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Invoice# 77-84993-84929.exe PID: 5732, type: MEMORY
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.raw.unpack, type: UNPACKEDPE

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: Invoice# 77-84993-84929.exe PID: 5732, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: Invoice# 77-84993-84929.exe PID: 5732, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Initial sample is a PE file and has a suspicious nameShow sources
      Source: initial sampleStatic PE information: Filename: Invoice# 77-84993-84929.exe
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_019BCAE4
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_019BEEB0
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_019BEEA3
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_05848848
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_05840AE0
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_05849690
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_0584A538
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_0584A548
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_0584A7E8
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_0584886D
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_05840AD3
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 0_2_05849680
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 1_2_019F9528
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 1_2_019F9C90
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 1_2_019F3E18
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeCode function: 1_2_01A832B0
      Source: Invoice# 77-84993-84929.exeBinary or memory string: OriginalFilename vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.400929477.0000000005860000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.395473314.0000000004704000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exeBinary or memory string: OriginalFilename vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.700544344.0000000007EF0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamedcad daf.exe2 vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmpBinary or memory string: OriginalFilename>T vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmpBinary or memory string: OriginalFilename~ vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamel vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exeBinary or memory string: OriginalFilenamebB.exeR vs Invoice# 77-84993-84929.exe
      Source: Invoice# 77-84993-84929.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
      Source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: Invoice# 77-84993-84929.exe PID: 5732, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: Invoice# 77-84993-84929.exe PID: 5732, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Invoice# 77-84993-84929.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 0.2.Invoice# 77-84993-84929.exe.eb0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
      Source: 0.2.Invoice# 77-84993-84929.exe.eb0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
      Source: 0.2.Invoice# 77-84993-84929.exe.eb0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
      Source: Invoice# 77-84993-84929.exe, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
      Source: Invoice# 77-84993-84929.exe, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
      Source: Invoice# 77-84993-84929.exe, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
      Source: 1.2.Invoice# 77-84993-84929.exe.f90000.1.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
      Source: 1.2.Invoice# 77-84993-84929.exe.f90000.1.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
      Source: 1.2.Invoice# 77-84993-84929.exe.f90000.1.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
      Source: 1.0.Invoice# 77-84993-84929.exe.f90000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
      Source: 1.0.Invoice# 77-84993-84929.exe.f90000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
      Source: 1.0.Invoice# 77-84993-84929.exe.f90000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
      Source: 0.0.Invoice# 77-84993-84929.exe.eb0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
      Source: 0.0.Invoice# 77-84993-84929.exe.eb0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
      Source: 0.0.Invoice# 77-84993-84929.exe.eb0000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
      Source: classification engineClassification label: mal100.troj.evad.winEXE@3/2@0/1
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice# 77-84993-84929.exe.logJump to behavior
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{00000000-0000-0000-0000-000000000000}
      Source: Invoice# 77-84993-84929.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: Invoice# 77-84993-84929.exeReversingLabs: Detection: 28%
      Source: unknownProcess created: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe 'C:\Users\user\Desktop\Invoice# 77-84993-84929.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe {path}
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess created: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe {path}
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: Invoice# 77-84993-84929.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: Invoice# 77-84993-84929.exeStatic PE information: Virtual size of .text is bigger than: 0x100000
      Source: Invoice# 77-84993-84929.exeStatic file information: File size 1082880 > 1048576
      Source: Invoice# 77-84993-84929.exeStatic PE information: Raw size of .text is bigger than: 0x100000 < 0x107c00
      Source: Invoice# 77-84993-84929.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Invoice# 77-84993-84929.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

      Data Obfuscation:

      barindex
      .NET source code contains potential unpackerShow sources
      Source: Invoice# 77-84993-84929.exe, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 0.2.Invoice# 77-84993-84929.exe.eb0000.0.unpack, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 0.0.Invoice# 77-84993-84929.exe.eb0000.0.unpack, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 1.2.Invoice# 77-84993-84929.exe.f90000.1.unpack, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 1.0.Invoice# 77-84993-84929.exe.f90000.0.unpack, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Binary contains a suspicious time stampShow sources
      Source: initial sampleStatic PE information: 0xE7183342 [Mon Nov 10 02:34:42 2092 UTC]
      Source: initial sampleStatic PE information: section name: .text entropy: 7.95337627624

      Hooking and other Techniques for Hiding and Protection:

      barindex
      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeFile opened: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      barindex
      Yara detected AntiVM_3Show sources
      Source: Yara matchFile source: Process Memory Space: Invoice# 77-84993-84929.exe PID: 6104, type: MEMORY
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392719522.0000000003378000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392719522.0000000003378000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeWindow / User API: threadDelayed 2354
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeWindow / User API: threadDelayed 6146
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe TID: 5800Thread sleep time: -31500s >= -30000s
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe TID: 5936Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe TID: 5244Thread sleep time: -1400000s >= -30000s
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392818820.00000000033D4000.00000004.00000001.sdmpBinary or memory string: VMware
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.700544344.0000000007EF0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392818820.00000000033D4000.00000004.00000001.sdmpBinary or memory string: vmware
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392818820.00000000033D4000.00000004.00000001.sdmpBinary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392818820.00000000033D4000.00000004.00000001.sdmpBinary or memory string: VMWARE
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392719522.0000000003378000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.700544344.0000000007EF0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.700544344.0000000007EF0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392719522.0000000003378000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392719522.0000000003378000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392818820.00000000033D4000.00000004.00000001.sdmpBinary or memory string: VMware
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392719522.0000000003378000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
      Source: Invoice# 77-84993-84929.exe, 00000000.00000002.392818820.00000000033D4000.00000004.00000001.sdmpBinary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.700544344.0000000007EF0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeMemory allocated: page read and write | page guard
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeProcess created: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe {path}
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.693178990.0000000001E90000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.693178990.0000000001E90000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.693178990.0000000001E90000.00000002.00000001.sdmpBinary or memory string: &Program Manager
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.693178990.0000000001E90000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeQueries volume information: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe VolumeInformation
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeQueries volume information: C:\Users\user\Desktop\Invoice# 77-84993-84929.exe VolumeInformation
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\Invoice# 77-84993-84929.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      barindex
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Invoice# 77-84993-84929.exe PID: 5732, type: MEMORY
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.raw.unpack, type: UNPACKEDPE

      Remote Access Functionality:

      barindex
      Detected Nanocore RatShow sources
      Source: Invoice# 77-84993-84929.exe, 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
      Yara detected Nanocore RATShow sources
      Source: Yara matchFile source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: Invoice# 77-84993-84929.exe PID: 5732, type: MEMORY
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6da0000.10.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c90000.6.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d60000.9.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6de0000.11.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.5810000.2.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6e20000.12.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6c10000.5.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6bc0000.4.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6d20000.8.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6ce0000.7.raw.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 1.2.Invoice# 77-84993-84929.exe.6b70000.3.raw.unpack, type: UNPACKEDPE

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection12Masquerading1Input Capture1Security Software Discovery11Remote ServicesInput Capture1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion2LSASS MemoryVirtualization/Sandbox Evasion2Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothRemote Access Software1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Disable or Modify Tools1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection12NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptHidden Files and Directories1LSA SecretsSystem Information Discovery12SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information2Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing12DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobTimestomp1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      Invoice# 77-84993-84929.exe28%ReversingLabsWin32.PUA.Wacapew
      Invoice# 77-84993-84929.exe100%Joe Sandbox ML

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted IPs

      • No. of IPs < 25%
      • 25% < No. of IPs < 50%
      • 50% < No. of IPs < 75%
      • 75% < No. of IPs

      Public

      IPDomainCountryFlagASNASN NameMalicious

      Private

      IP
      127.0.0.1

      General Information

      Joe Sandbox Version:31.0.0 Red Diamond
      Analysis ID:339358
      Start date:13.01.2021
      Start time:21:36:32
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 8m 19s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:Invoice# 77-84993-84929.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:7
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.troj.evad.winEXE@3/2@0/1
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 0.3% (good quality ratio 0.2%)
      • Quality average: 79.9%
      • Quality standard deviation: 31.2%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .exe
      Warnings:
      Show All
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, svchost.exe
      • Report size getting too big, too many NtAllocateVirtualMemory calls found.

      Simulations

      Behavior and APIs

      TimeTypeDescription
      21:37:27API Interceptor1124x Sleep call for process: Invoice# 77-84993-84929.exe modified

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Invoice# 77-84993-84929.exe.log
      Process:C:\Users\user\Desktop\Invoice# 77-84993-84929.exe
      File Type:ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):1216
      Entropy (8bit):5.355304211458859
      Encrypted:false
      SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
      MD5:FED34146BF2F2FA59DCF8702FCC8232E
      SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
      SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
      SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
      Malicious:true
      Reputation:high, very likely benign file
      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
      C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
      Process:C:\Users\user\Desktop\Invoice# 77-84993-84929.exe
      File Type:Non-ISO extended-ASCII text, with no line terminators
      Category:dropped
      Size (bytes):8
      Entropy (8bit):3.0
      Encrypted:false
      SSDEEP:3:2/l:ql
      MD5:904C75C757951861A0708BE11E7058FB
      SHA1:8835D363C38767D84A5A3E2483CD1B94EE7FF0CD
      SHA-256:86B9242C9DB4D22310489A0E372733E9E029A08A05E219ACC1BDE7CC02E6809E
      SHA-512:EBAC3B8031EF52CFBDF971D28B4C8CEEB2B12F64CE0193F3DA3E989DF946D290EC9F90097B6CC75CB582C441E4D65F8CA73A517EE03EC3C14200F6A60DF2080F
      Malicious:true
      Reputation:low
      Preview: .O?.N..H

      Static File Info

      General

      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
      Entropy (8bit):7.949599343543474
      TrID:
      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
      • Win32 Executable (generic) a (10002005/4) 49.75%
      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
      • Windows Screen Saver (13104/52) 0.07%
      • Generic Win/DOS Executable (2004/3) 0.01%
      File name:Invoice# 77-84993-84929.exe
      File size:1082880
      MD5:3beaa725263104d4638eb877a7d0b37d
      SHA1:da267ad7c11acb864db25a561fea1e2cc3663fd0
      SHA256:eba0abe9461df84c76949df2d559f66b0379cbdbd430f8db884c55d0aa469980
      SHA512:efa1dfea9a15b9cb8c15bed2d510d0c8f879ba2ccf377e0c134d0f0c9047feabc2c17f20bfcf089f33c237391258bf020bb9041308d573a63ca63415e2f459e7
      SSDEEP:24576:pVTN1bAVAo+sZ5Ox7NJEAebUfl0u/r3qEO5CLTvaskuDKUZ:HNG6o+Py+25C/asxJZ
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B3................0..|............... ........@.. ....................................@................................

      File Icon

      Icon Hash:00828e8e8686b000

      Static PE Info

      General

      Entrypoint:0x509b8e
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Time Stamp:0xE7183342 [Mon Nov 10 02:34:42 2092 UTC]
      TLS Callbacks:
      CLR (.Net) Version:v4.0.30319
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

      Entrypoint Preview

      Instruction
      jmp dword ptr [00402000h]
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al

      Data Directories

      NameVirtual AddressVirtual Size Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_IMPORT0x109b3c0x4f.text
      IMAGE_DIRECTORY_ENTRY_RESOURCE0x10a0000x5d4.rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
      IMAGE_DIRECTORY_ENTRY_BASERELOC0x10c0000xc.reloc
      IMAGE_DIRECTORY_ENTRY_DEBUG0x109b200x1c.text
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

      Sections

      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
      .text0x20000x107b940x107c00False0.952498333827data7.95337627624IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      .rsrc0x10a0000x5d40x600False0.427083333333data4.14249009427IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
      .reloc0x10c0000xc0x200False0.044921875data0.0980041756627IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

      Resources

      NameRVASizeTypeLanguageCountry
      RT_VERSION0x10a0900x344data
      RT_MANIFEST0x10a3e40x1eaXML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

      Imports

      DLLImport
      mscoree.dll_CorExeMain

      Version Infos

      DescriptionData
      Translation0x0000 0x04b0
      LegalCopyrightCopyright 2019
      Assembly Version1.0.0.0
      InternalNamebB.exe
      FileVersion1.0.0.0
      CompanyName
      LegalTrademarks
      Comments
      ProductNameMultiUserParentalControl
      ProductVersion1.0.0.0
      FileDescriptionMultiUserParentalControl
      OriginalFilenamebB.exe

      Network Behavior

      No network behavior found

      Code Manipulations

      Statistics

      Behavior

      Click to jump to process

      System Behavior

      Analysis Process: Invoice# 77-84993-84929.exe PID: 6104 Parent PID: 5864

      General

      Start time:21:37:26
      Start date:13/01/2021
      Path:C:\Users\user\Desktop\Invoice# 77-84993-84929.exe
      Wow64 process (32bit):true
      Commandline:'C:\Users\user\Desktop\Invoice# 77-84993-84929.exe'
      Imagebase:0xeb0000
      File size:1082880 bytes
      MD5 hash:3BEAA725263104D4638EB877A7D0B37D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Reputation:low

      Analysis Process: Invoice# 77-84993-84929.exe PID: 5732 Parent PID: 6104

      General

      Start time:21:37:52
      Start date:13/01/2021
      Path:C:\Users\user\Desktop\Invoice# 77-84993-84929.exe
      Wow64 process (32bit):true
      Commandline:{path}
      Imagebase:0xf90000
      File size:1082880 bytes
      MD5 hash:3BEAA725263104D4638EB877A7D0B37D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:.Net C# or VB.NET
      Yara matches:
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.699728992.0000000006DE0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.699774289.0000000006E20000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.699685453.0000000006DA0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.699371662.0000000006C10000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.698742579.0000000005A61000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.699281215.0000000006B70000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.699325849.0000000006BC0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.699482814.0000000006C90000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.698504470.0000000005810000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.699633514.0000000006D60000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.699532840.0000000006CE0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.698665135.0000000005981000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.699584706.0000000006D20000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, Author: Florian Roth
      • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, Author: Joe Security
      • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.695812658.00000000043B1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
      Reputation:low

      Disassembly

      Code Analysis

      Reset < >