Play interactive tour

Edit tour

Analysis Report 256ec8f8f67b59c5e085b0bb63afcd13.exe

Overview

General Information

Sample Name:	256ec8f8f67b59c5e085b0bb63afcd13.exe
Analysis ID:	355753
MD5:	0bbcc2e64e3edf053ed4af2c0bafb0eb
SHA1:	c006b8d2ec4b92f441815b20f1bdadf98eab1b4d
SHA256:	52d01903f7c366e01359a00ea771ca1f71d4e1bb54731290bc62c3a218f5af80
Tags:	exeNanoCoreRAT
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected Nanocore RAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

256ec8f8f67b59c5e085b0bb63afcd13.exe (PID: 6720 cmdline: 'C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe' MD5: 0BBCC2E64E3EDF053ED4AF2C0BAFB0EB)

256ec8f8f67b59c5e085b0bb63afcd13.exe (PID: 6416 cmdline: {path} MD5: 0BBCC2E64E3EDF053ED4AF2C0BAFB0EB)

schtasks.exe (PID: 6540 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp98F0.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6632 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpA082.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

256ec8f8f67b59c5e085b0bb63afcd13.exe (PID: 6888 cmdline: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe 0 MD5: 0BBCC2E64E3EDF053ED4AF2C0BAFB0EB)

256ec8f8f67b59c5e085b0bb63afcd13.exe (PID: 6260 cmdline: {path} MD5: 0BBCC2E64E3EDF053ED4AF2C0BAFB0EB)

dhcpmon.exe (PID: 2460 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 0BBCC2E64E3EDF053ED4AF2C0BAFB0EB)

dhcpmon.exe (PID: 6500 cmdline: {path} MD5: 0BBCC2E64E3EDF053ED4AF2C0BAFB0EB)

dhcpmon.exe (PID: 7160 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 0BBCC2E64E3EDF053ED4AF2C0BAFB0EB)

dhcpmon.exe (PID: 5748 cmdline: {path} MD5: 0BBCC2E64E3EDF053ED4AF2C0BAFB0EB)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "94----", "Group": "V-HASH", "Domain1": "cloudhost.myfirewall.org", "Domain2": "cloudhost.myfirewall.org", "Port": 5654, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "cloudhost.myfirewall.org", "BackupDNSServer": "cloudhost.myfirewall.orgbxpU=", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23877:$a: NanoCore 0x238d0:$a: NanoCore 0x2390d:$a: NanoCore 0x23986:$a: NanoCore 0x238d9:$b: ClientPlugin 0x23916:$b: ClientPlugin 0x24214:$b: ClientPlugin 0x24221:$b: ClientPlugin 0x1b5fe:$e: KeepAlive 0x23d61:$g: LogClientMessage 0x23ce1:$i: get_Connected 0x158a9:$j: #=q 0x158d9:$j: #=q 0x15915:$j: #=q 0x1593d:$j: #=q 0x1596d:$j: #=q 0x1599d:$j: #=q 0x159cd:$j: #=q 0x159fd:$j: #=q 0x15a19:$j: #=q 0x15a49:$j: #=q
00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x23761d:$x1: NanoCore.ClientPluginHost 0x26a03d:$x1: NanoCore.ClientPluginHost 0x23765a:$x2: IClientNetworkHost 0x26a07a:$x2: IClientNetworkHost 0x23b18d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x26dbad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x237385:$a: NanoCore 0x237395:$a: NanoCore 0x2375c9:$a: NanoCore 0x2375dd:$a: NanoCore 0x23761d:$a: NanoCore 0x269da5:$a: NanoCore 0x269db5:$a: NanoCore 0x269fe9:$a: NanoCore 0x269ffd:$a: NanoCore 0x26a03d:$a: NanoCore 0x2373e4:$b: ClientPlugin 0x2375e6:$b: ClientPlugin 0x237626:$b: ClientPlugin 0x269e04:$b: ClientPlugin 0x26a006:$b: ClientPlugin 0x26a046:$b: ClientPlugin 0x1835a1:$c: ProjectData 0x23750b:$c: ProjectData 0x269f2b:$c: ProjectData 0x237f12:$d: DESCrypto 0x26a932:$d: DESCrypto
00000007.00000002.707013030.0000000004471000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x23761d:$x1: NanoCore.ClientPluginHost 0x26a03d:$x1: NanoCore.ClientPluginHost 0x23765a:$x2: IClientNetworkHost 0x26a07a:$x2: IClientNetworkHost 0x23b18d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x26dbad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.707013030.0000000004471000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.707013030.0000000004471000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x237385:$a: NanoCore 0x237395:$a: NanoCore 0x2375c9:$a: NanoCore 0x2375dd:$a: NanoCore 0x23761d:$a: NanoCore 0x269da5:$a: NanoCore 0x269db5:$a: NanoCore 0x269fe9:$a: NanoCore 0x269ffd:$a: NanoCore 0x26a03d:$a: NanoCore 0x2373e4:$b: ClientPlugin 0x2375e6:$b: ClientPlugin 0x237626:$b: ClientPlugin 0x269e04:$b: ClientPlugin 0x26a006:$b: ClientPlugin 0x26a046:$b: ClientPlugin 0x1835a1:$c: ProjectData 0x23750b:$c: ProjectData 0x269f2b:$c: ProjectData 0x237f12:$d: DESCrypto 0x26a932:$d: DESCrypto
0000000E.00000002.742484463.0000000003FB1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.742484463.0000000003FB1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a5d:$a: NanoCore 0x49ab6:$a: NanoCore 0x49af3:$a: NanoCore 0x49b6c:$a: NanoCore 0x5d217:$a: NanoCore 0x5d22c:$a: NanoCore 0x5d261:$a: NanoCore 0x76233:$a: NanoCore 0x76248:$a: NanoCore 0x7627d:$a: NanoCore 0x49abf:$b: ClientPlugin 0x49afc:$b: ClientPlugin 0x4a3fa:$b: ClientPlugin 0x4a407:$b: ClientPlugin 0x5cfd3:$b: ClientPlugin 0x5cfee:$b: ClientPlugin 0x5d01e:$b: ClientPlugin 0x5d235:$b: ClientPlugin 0x5d26a:$b: ClientPlugin 0x75fef:$b: ClientPlugin 0x7600a:$b: ClientPlugin
0000000C.00000002.722378411.0000000003371000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.722378411.0000000003371000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x238a7:$a: NanoCore 0x23900:$a: NanoCore 0x2393d:$a: NanoCore 0x239b6:$a: NanoCore 0x23909:$b: ClientPlugin 0x23946:$b: ClientPlugin 0x24244:$b: ClientPlugin 0x24251:$b: ClientPlugin 0x1b62e:$e: KeepAlive 0x23d91:$g: LogClientMessage 0x23d11:$i: get_Connected 0x158d9:$j: #=q 0x15909:$j: #=q 0x15945:$j: #=q 0x1596d:$j: #=q 0x1599d:$j: #=q 0x159cd:$j: #=q 0x159fd:$j: #=q 0x15a2d:$j: #=q 0x15a49:$j: #=q 0x15a79:$j: #=q
00000002.00000002.907132131.0000000005980000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000002.00000002.907132131.0000000005980000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0000000A.00000002.730081391.00000000044D1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x23761d:$x1: NanoCore.ClientPluginHost 0x26a03d:$x1: NanoCore.ClientPluginHost 0x23765a:$x2: IClientNetworkHost 0x26a07a:$x2: IClientNetworkHost 0x23b18d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x26dbad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000002.730081391.00000000044D1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.730081391.00000000044D1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x237385:$a: NanoCore 0x237395:$a: NanoCore 0x2375c9:$a: NanoCore 0x2375dd:$a: NanoCore 0x23761d:$a: NanoCore 0x269da5:$a: NanoCore 0x269db5:$a: NanoCore 0x269fe9:$a: NanoCore 0x269ffd:$a: NanoCore 0x26a03d:$a: NanoCore 0x2373e4:$b: ClientPlugin 0x2375e6:$b: ClientPlugin 0x237626:$b: ClientPlugin 0x269e04:$b: ClientPlugin 0x26a006:$b: ClientPlugin 0x26a046:$b: ClientPlugin 0x1835a1:$c: ProjectData 0x23750b:$c: ProjectData 0x269f2b:$c: ProjectData 0x237f12:$d: DESCrypto 0x26a932:$d: DESCrypto
0000000E.00000002.741098736.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000E.00000002.741098736.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.741098736.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000B.00000002.719796822.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.719796822.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.719796822.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000002.00000002.907264968.0000000005C20000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000002.00000002.907264968.0000000005C20000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000002.00000002.907264968.0000000005C20000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.742370218.0000000002FB1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000E.00000002.742370218.0000000002FB1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x238a7:$a: NanoCore 0x23900:$a: NanoCore 0x2393d:$a: NanoCore 0x239b6:$a: NanoCore 0x23909:$b: ClientPlugin 0x23946:$b: ClientPlugin 0x24244:$b: ClientPlugin 0x24251:$b: ClientPlugin 0x1b62e:$e: KeepAlive 0x23d91:$g: LogClientMessage 0x23d11:$i: get_Connected 0x158d9:$j: #=q 0x15909:$j: #=q 0x15945:$j: #=q 0x1596d:$j: #=q 0x1599d:$j: #=q 0x159cd:$j: #=q 0x159fd:$j: #=q 0x15a2d:$j: #=q 0x15a49:$j: #=q 0x15a79:$j: #=q
0000000C.00000002.721387726.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.721387726.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.721387726.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000B.00000002.721168712.0000000004471000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.721168712.0000000004471000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a5d:$a: NanoCore 0x49ab6:$a: NanoCore 0x49af3:$a: NanoCore 0x49b6c:$a: NanoCore 0x5d217:$a: NanoCore 0x5d22c:$a: NanoCore 0x5d261:$a: NanoCore 0x76233:$a: NanoCore 0x76248:$a: NanoCore 0x7627d:$a: NanoCore 0x49abf:$b: ClientPlugin 0x49afc:$b: ClientPlugin 0x4a3fa:$b: ClientPlugin 0x4a407:$b: ClientPlugin 0x5cfd3:$b: ClientPlugin 0x5cfee:$b: ClientPlugin 0x5d01e:$b: ClientPlugin 0x5d235:$b: ClientPlugin 0x5d26a:$b: ClientPlugin 0x75fef:$b: ClientPlugin 0x7600a:$b: ClientPlugin
00000002.00000002.903845537.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000002.903845537.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000002.903845537.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000002.00000002.905880969.0000000004057000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000002.905880969.0000000004057000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3a5d:$a: NanoCore 0x3ab6:$a: NanoCore 0x3af3:$a: NanoCore 0x3b6c:$a: NanoCore 0x17217:$a: NanoCore 0x1722c:$a: NanoCore 0x17261:$a: NanoCore 0x30233:$a: NanoCore 0x30248:$a: NanoCore 0x3027d:$a: NanoCore 0x3abf:$b: ClientPlugin 0x3afc:$b: ClientPlugin 0x43fa:$b: ClientPlugin 0x4407:$b: ClientPlugin 0x16fd3:$b: ClientPlugin 0x16fee:$b: ClientPlugin 0x1701e:$b: ClientPlugin 0x17235:$b: ClientPlugin 0x1726a:$b: ClientPlugin 0x2ffef:$b: ClientPlugin 0x3000a:$b: ClientPlugin
0000000C.00000002.722411296.0000000004371000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.722411296.0000000004371000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a5d:$a: NanoCore 0x49ab6:$a: NanoCore 0x49af3:$a: NanoCore 0x49b6c:$a: NanoCore 0x5d217:$a: NanoCore 0x5d22c:$a: NanoCore 0x5d261:$a: NanoCore 0x76233:$a: NanoCore 0x76248:$a: NanoCore 0x7627d:$a: NanoCore 0x49abf:$b: ClientPlugin 0x49afc:$b: ClientPlugin 0x4a3fa:$b: ClientPlugin 0x4a407:$b: ClientPlugin 0x5cfd3:$b: ClientPlugin 0x5cfee:$b: ClientPlugin 0x5d01e:$b: ClientPlugin 0x5d235:$b: ClientPlugin 0x5d26a:$b: ClientPlugin 0x75fef:$b: ClientPlugin 0x7600a:$b: ClientPlugin
00000000.00000002.676219646.00000000042A1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x23761d:$x1: NanoCore.ClientPluginHost 0x26a03d:$x1: NanoCore.ClientPluginHost 0x23765a:$x2: IClientNetworkHost 0x26a07a:$x2: IClientNetworkHost 0x23b18d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x26dbad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.676219646.00000000042A1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.676219646.00000000042A1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x237385:$a: NanoCore 0x237395:$a: NanoCore 0x2375c9:$a: NanoCore 0x2375dd:$a: NanoCore 0x23761d:$a: NanoCore 0x269da5:$a: NanoCore 0x269db5:$a: NanoCore 0x269fe9:$a: NanoCore 0x269ffd:$a: NanoCore 0x26a03d:$a: NanoCore 0x2373e4:$b: ClientPlugin 0x2375e6:$b: ClientPlugin 0x237626:$b: ClientPlugin 0x269e04:$b: ClientPlugin 0x26a006:$b: ClientPlugin 0x26a046:$b: ClientPlugin 0x1835a1:$c: ProjectData 0x23750b:$c: ProjectData 0x269f2b:$c: ProjectData 0x237f12:$d: DESCrypto 0x26a932:$d: DESCrypto
Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6416	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x187cb:$x1: NanoCore.ClientPluginHost 0x17e19c:$x1: NanoCore.ClientPluginHost 0x2765e5:$x1: NanoCore.ClientPluginHost 0x3214b3:$x1: NanoCore.ClientPluginHost 0x342094:$x1: NanoCore.ClientPluginHost 0x347c53:$x1: NanoCore.ClientPluginHost 0x35902c:$x1: NanoCore.ClientPluginHost 0x187f1:$x2: IClientNetworkHost 0x17e1c2:$x2: IClientNetworkHost 0x27662a:$x2: IClientNetworkHost 0x321514:$x2: IClientNetworkHost 0x3420ba:$x2: IClientNetworkHost 0x347c98:$x2: IClientNetworkHost 0x359071:$x2: IClientNetworkHost 0x326919:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x33488b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6416	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6416	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x186bd:$a: NanoCore 0x1875e:$a: NanoCore 0x187cb:$a: NanoCore 0x1888c:$a: NanoCore 0x1975d:$a: NanoCore 0x197b0:$a: NanoCore 0x197e9:$a: NanoCore 0x1985c:$a: NanoCore 0x17e08e:$a: NanoCore 0x17e12f:$a: NanoCore 0x17e19c:$a: NanoCore 0x17e25d:$a: NanoCore 0x17f12e:$a: NanoCore 0x17f181:$a: NanoCore 0x17f1ba:$a: NanoCore 0x17f22d:$a: NanoCore 0x19655a:$a: NanoCore 0x27655f:$a: NanoCore 0x27658c:$a: NanoCore 0x2765e5:$a: NanoCore 0x27ddf4:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 5748	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xa155:$x1: NanoCore.ClientPluginHost 0xfd14:$x1: NanoCore.ClientPluginHost 0x21114:$x1: NanoCore.ClientPluginHost 0x34629:$x1: NanoCore.ClientPluginHost 0x69728:$x1: NanoCore.ClientPluginHost 0xa17b:$x2: IClientNetworkHost 0xfd59:$x2: IClientNetworkHost 0x21159:$x2: IClientNetworkHost 0x3468a:$x2: IClientNetworkHost 0x6974e:$x2: IClientNetworkHost 0x39a8f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x47a01:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 5748	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 5748	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xa047:$a: NanoCore 0xa0e8:$a: NanoCore 0xa155:$a: NanoCore 0xa216:$a: NanoCore 0xb0e7:$a: NanoCore 0xb13a:$a: NanoCore 0xb173:$a: NanoCore 0xb1e6:$a: NanoCore 0xfc8e:$a: NanoCore 0xfcbb:$a: NanoCore 0xfd14:$a: NanoCore 0x17523:$a: NanoCore 0x17536:$a: NanoCore 0x17568:$a: NanoCore 0x2108e:$a: NanoCore 0x210bb:$a: NanoCore 0x21114:$a: NanoCore 0x28923:$a: NanoCore 0x28936:$a: NanoCore 0x28968:$a: NanoCore 0x3412e:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 2460	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x38715:$x1: NanoCore.ClientPluginHost 0x5712d:$x1: NanoCore.ClientPluginHost 0x38776:$x2: IClientNetworkHost 0x5718e:$x2: IClientNetworkHost 0x3db7b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4baed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5c593:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6a505:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 2460	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 2460	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3821a:$a: NanoCore 0x38236:$a: NanoCore 0x38391:$a: NanoCore 0x383a0:$a: NanoCore 0x38679:$a: NanoCore 0x386a5:$a: NanoCore 0x38715:$a: NanoCore 0x48157:$a: NanoCore 0x48169:$a: NanoCore 0x481a5:$a: NanoCore 0x56c32:$a: NanoCore 0x56c4e:$a: NanoCore 0x56da9:$a: NanoCore 0x56db8:$a: NanoCore 0x57091:$a: NanoCore 0x570bd:$a: NanoCore 0x5712d:$a: NanoCore 0x66b6f:$a: NanoCore 0x66b81:$a: NanoCore 0x66bbd:$a: NanoCore 0x382c1:$b: ClientPlugin
Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6720	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4b0fbe:$x1: NanoCore.ClientPluginHost 0x4cf9d6:$x1: NanoCore.ClientPluginHost 0x4b101f:$x2: IClientNetworkHost 0x4cfa37:$x2: IClientNetworkHost 0x4b6424:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4c4396:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4d4e3c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4e2dae:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6720	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6720	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b0ac3:$a: NanoCore 0x4b0adf:$a: NanoCore 0x4b0c3a:$a: NanoCore 0x4b0c49:$a: NanoCore 0x4b0f22:$a: NanoCore 0x4b0f4e:$a: NanoCore 0x4b0fbe:$a: NanoCore 0x4c0a00:$a: NanoCore 0x4c0a12:$a: NanoCore 0x4c0a4e:$a: NanoCore 0x4cf4db:$a: NanoCore 0x4cf4f7:$a: NanoCore 0x4cf652:$a: NanoCore 0x4cf661:$a: NanoCore 0x4cf93a:$a: NanoCore 0x4cf966:$a: NanoCore 0x4cf9d6:$a: NanoCore 0x4df418:$a: NanoCore 0x4df42a:$a: NanoCore 0x4df466:$a: NanoCore 0x4b0b6a:$b: ClientPlugin
Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6888	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1e206a:$x1: NanoCore.ClientPluginHost 0x200ad0:$x1: NanoCore.ClientPluginHost 0x1e20cb:$x2: IClientNetworkHost 0x200b31:$x2: IClientNetworkHost 0x1e74d0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1f5442:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x205f36:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x213ea8:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6888	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6888	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1e1b6f:$a: NanoCore 0x1e1b8b:$a: NanoCore 0x1e1ce6:$a: NanoCore 0x1e1cf5:$a: NanoCore 0x1e1fce:$a: NanoCore 0x1e1ffa:$a: NanoCore 0x1e206a:$a: NanoCore 0x1f1aac:$a: NanoCore 0x1f1abe:$a: NanoCore 0x1f1afa:$a: NanoCore 0x2005d5:$a: NanoCore 0x2005f1:$a: NanoCore 0x20074c:$a: NanoCore 0x20075b:$a: NanoCore 0x200a34:$a: NanoCore 0x200a60:$a: NanoCore 0x200ad0:$a: NanoCore 0x210512:$a: NanoCore 0x210524:$a: NanoCore 0x210560:$a: NanoCore 0x1e1c16:$b: ClientPlugin
Process Memory Space: dhcpmon.exe PID: 7160	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x272349:$x1: NanoCore.ClientPluginHost 0x290d61:$x1: NanoCore.ClientPluginHost 0x2723aa:$x2: IClientNetworkHost 0x290dc2:$x2: IClientNetworkHost 0x2777af:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x285721:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2961c7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2a4139:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 7160	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 7160	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x271e4e:$a: NanoCore 0x271e6a:$a: NanoCore 0x271fc5:$a: NanoCore 0x271fd4:$a: NanoCore 0x2722ad:$a: NanoCore 0x2722d9:$a: NanoCore 0x272349:$a: NanoCore 0x281d8b:$a: NanoCore 0x281d9d:$a: NanoCore 0x281dd9:$a: NanoCore 0x290866:$a: NanoCore 0x290882:$a: NanoCore 0x2909dd:$a: NanoCore 0x2909ec:$a: NanoCore 0x290cc5:$a: NanoCore 0x290cf1:$a: NanoCore 0x290d61:$a: NanoCore 0x2a07a3:$a: NanoCore 0x2a07b5:$a: NanoCore 0x2a07f1:$a: NanoCore 0x271ef5:$b: ClientPlugin
Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6260	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1089a:$x1: NanoCore.ClientPluginHost 0x238ec:$x1: NanoCore.ClientPluginHost 0x43bdb:$x1: NanoCore.ClientPluginHost 0x4979a:$x1: NanoCore.ClientPluginHost 0x5ab73:$x1: NanoCore.ClientPluginHost 0x108c0:$x2: IClientNetworkHost 0x2394d:$x2: IClientNetworkHost 0x43c01:$x2: IClientNetworkHost 0x497df:$x2: IClientNetworkHost 0x5abb8:$x2: IClientNetworkHost 0x28d52:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x36cc4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6260	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6260	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42dd:$a: NanoCore 0x4362:$a: NanoCore 0x444d:$a: NanoCore 0x1078c:$a: NanoCore 0x1082d:$a: NanoCore 0x1089a:$a: NanoCore 0x1095b:$a: NanoCore 0x1182c:$a: NanoCore 0x1187f:$a: NanoCore 0x118b8:$a: NanoCore 0x1192b:$a: NanoCore 0x13428:$a: NanoCore 0x1373b:$a: NanoCore 0x13759:$a: NanoCore 0x1379b:$a: NanoCore 0x137d2:$a: NanoCore 0x137f0:$a: NanoCore 0x233f1:$a: NanoCore 0x2340d:$a: NanoCore 0x23568:$a: NanoCore 0x23577:$a: NanoCore
Process Memory Space: dhcpmon.exe PID: 6500	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x11f6f:$x1: NanoCore.ClientPluginHost 0x22ca3:$x1: NanoCore.ClientPluginHost 0x44594:$x1: NanoCore.ClientPluginHost 0x4a153:$x1: NanoCore.ClientPluginHost 0x5b52c:$x1: NanoCore.ClientPluginHost 0x11f95:$x2: IClientNetworkHost 0x22d04:$x2: IClientNetworkHost 0x445ba:$x2: IClientNetworkHost 0x4a198:$x2: IClientNetworkHost 0x5b571:$x2: IClientNetworkHost 0x28109:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3607b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 6500	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6500	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x59de:$a: NanoCore 0x5a63:$a: NanoCore 0x5b4e:$a: NanoCore 0x11e61:$a: NanoCore 0x11f02:$a: NanoCore 0x11f6f:$a: NanoCore 0x12030:$a: NanoCore 0x12f01:$a: NanoCore 0x12f54:$a: NanoCore 0x12f8d:$a: NanoCore 0x13000:$a: NanoCore 0x14a7c:$a: NanoCore 0x14d20:$a: NanoCore 0x14d3e:$a: NanoCore 0x14d80:$a: NanoCore 0x14db7:$a: NanoCore 0x14dd5:$a: NanoCore 0x227a8:$a: NanoCore 0x227c4:$a: NanoCore 0x2291f:$a: NanoCore 0x2292e:$a: NanoCore
Click to see the 62 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
14.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
14.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
14.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
14.2.dhcpmon.exe.2fd3ac8.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
14.2.dhcpmon.exe.2fd3ac8.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
14.2.dhcpmon.exe.3ffeab4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287c9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287f6:$x2: IClientNetworkHost
14.2.dhcpmon.exe.3ffeab4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287c9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x298a4:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287e3:$s5: IClientLoggingHost
14.2.dhcpmon.exe.3ffeab4.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.3493a98.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.3493a98.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287c9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287f6:$x2: IClientNetworkHost
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287c9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x298a4:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287e3:$s5: IClientLoggingHost
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.dhcpmon.exe.3c7ffe0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10863d:$x1: NanoCore.ClientPluginHost 0x13b05d:$x1: NanoCore.ClientPluginHost 0x10867a:$x2: IClientNetworkHost 0x13b09a:$x2: IClientNetworkHost 0x10c1ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x13ebcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.dhcpmon.exe.3c7ffe0.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.dhcpmon.exe.3c7ffe0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1083a5:$a: NanoCore 0x1083b5:$a: NanoCore 0x1085e9:$a: NanoCore 0x1085fd:$a: NanoCore 0x10863d:$a: NanoCore 0x13adc5:$a: NanoCore 0x13add5:$a: NanoCore 0x13b009:$a: NanoCore 0x13b01d:$a: NanoCore 0x13b05d:$a: NanoCore 0x108404:$b: ClientPlugin 0x108606:$b: ClientPlugin 0x108646:$b: ClientPlugin 0x13ae24:$b: ClientPlugin 0x13b026:$b: ClientPlugin 0x13b066:$b: ClientPlugin 0x545c1:$c: ProjectData 0x10852b:$c: ProjectData 0x13af4b:$c: ProjectData 0x108f32:$d: DESCrypto 0x13b952:$d: DESCrypto
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
10.2.dhcpmon.exe.46f8490.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.dhcpmon.exe.46f8490.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.dhcpmon.exe.46f8490.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.459ffe0.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10863d:$x1: NanoCore.ClientPluginHost 0x13b05d:$x1: NanoCore.ClientPluginHost 0x10867a:$x2: IClientNetworkHost 0x13b09a:$x2: IClientNetworkHost 0x10c1ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x13ebcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.459ffe0.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.459ffe0.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1083a5:$a: NanoCore 0x1083b5:$a: NanoCore 0x1085e9:$a: NanoCore 0x1085fd:$a: NanoCore 0x10863d:$a: NanoCore 0x13adc5:$a: NanoCore 0x13add5:$a: NanoCore 0x13b009:$a: NanoCore 0x13b01d:$a: NanoCore 0x13b05d:$a: NanoCore 0x108404:$b: ClientPlugin 0x108606:$b: ClientPlugin 0x108646:$b: ClientPlugin 0x13ae24:$b: ClientPlugin 0x13b026:$b: ClientPlugin 0x13b066:$b: ClientPlugin 0x545c1:$c: ProjectData 0x10852b:$c: ProjectData 0x13af4b:$c: ProjectData 0x108f32:$d: DESCrypto 0x13b952:$d: DESCrypto
8.2.dhcpmon.exe.3d78490.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.dhcpmon.exe.3d78490.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
8.2.dhcpmon.exe.3d78490.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.dhcpmon.exe.3d78490.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.dhcpmon.exe.43beab4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.dhcpmon.exe.43beab4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.dhcpmon.exe.43beab4.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.dhcpmon.exe.45fffe0.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10863d:$x1: NanoCore.ClientPluginHost 0x13b05d:$x1: NanoCore.ClientPluginHost 0x10867a:$x2: IClientNetworkHost 0x13b09a:$x2: IClientNetworkHost 0x10c1ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x13ebcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.dhcpmon.exe.45fffe0.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.dhcpmon.exe.45fffe0.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1083a5:$a: NanoCore 0x1083b5:$a: NanoCore 0x1085e9:$a: NanoCore 0x1085fd:$a: NanoCore 0x10863d:$a: NanoCore 0x13adc5:$a: NanoCore 0x13add5:$a: NanoCore 0x13b009:$a: NanoCore 0x13b01d:$a: NanoCore 0x13b05d:$a: NanoCore 0x108404:$b: ClientPlugin 0x108606:$b: ClientPlugin 0x108646:$b: ClientPlugin 0x13ae24:$b: ClientPlugin 0x13b026:$b: ClientPlugin 0x13b066:$b: ClientPlugin 0x545c1:$c: ProjectData 0x10852b:$c: ProjectData 0x13af4b:$c: ProjectData 0x108f32:$d: DESCrypto 0x13b952:$d: DESCrypto
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4059c7e.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5ff:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d62c:$x2: IClientNetworkHost
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4059c7e.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5ff:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6da:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d619:$s5: IClientLoggingHost
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4059c7e.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4059c7e.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d5b5:$a: NanoCore 0x2d5ca:$a: NanoCore 0x2d5ff:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d371:$b: ClientPlugin 0x2d38c:$b: ClientPlugin
0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.dhcpmon.exe.43c30dd.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x241a0:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241cd:$x2: IClientNetworkHost
12.2.dhcpmon.exe.43c30dd.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x241a0:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2527b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241ba:$s5: IClientLoggingHost
12.2.dhcpmon.exe.43c30dd.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5980000.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5980000.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
14.2.dhcpmon.exe.3ffeab4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
14.2.dhcpmon.exe.3ffeab4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
14.2.dhcpmon.exe.3ffeab4.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.40630dd.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x241a0:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241cd:$x2: IClientNetworkHost
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.40630dd.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x241a0:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2527b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241ba:$s5: IClientLoggingHost
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.40630dd.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.dhcpmon.exe.46f8490.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.dhcpmon.exe.46f8490.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
10.2.dhcpmon.exe.46f8490.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.dhcpmon.exe.46f8490.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.dhcpmon.exe.3393ac8.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.dhcpmon.exe.3393ac8.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c30dd.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x241a0:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241cd:$x2: IClientNetworkHost
11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c30dd.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x241a0:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2527b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241ba:$s5: IClientLoggingHost
11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c30dd.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.dhcpmon.exe.3ff9c7e.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5ff:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d62c:$x2: IClientNetworkHost
14.2.dhcpmon.exe.3ff9c7e.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5ff:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6da:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d619:$s5: IClientLoggingHost
14.2.dhcpmon.exe.3ff9c7e.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
14.2.dhcpmon.exe.3ff9c7e.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d5b5:$a: NanoCore 0x2d5ca:$a: NanoCore 0x2d5ff:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d371:$b: ClientPlugin 0x2d38c:$b: ClientPlugin
11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.3021680.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.3021680.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c24629.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c24629.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c24629.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.dhcpmon.exe.3d78490.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
8.2.dhcpmon.exe.3d78490.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
8.2.dhcpmon.exe.3d78490.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.43cffe0.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10863d:$x1: NanoCore.ClientPluginHost 0x13b05d:$x1: NanoCore.ClientPluginHost 0x10867a:$x2: IClientNetworkHost 0x13b09a:$x2: IClientNetworkHost 0x10c1ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x13ebcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.43cffe0.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.43cffe0.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1083a5:$a: NanoCore 0x1083b5:$a: NanoCore 0x1085e9:$a: NanoCore 0x1085fd:$a: NanoCore 0x10863d:$a: NanoCore 0x13adc5:$a: NanoCore 0x13add5:$a: NanoCore 0x13b009:$a: NanoCore 0x13b01d:$a: NanoCore 0x13b05d:$a: NanoCore 0x108404:$b: ClientPlugin 0x108606:$b: ClientPlugin 0x108646:$b: ClientPlugin 0x13ae24:$b: ClientPlugin 0x13b026:$b: ClientPlugin 0x13b066:$b: ClientPlugin 0x545c1:$c: ProjectData 0x10852b:$c: ProjectData 0x13af4b:$c: ProjectData 0x108f32:$d: DESCrypto 0x13b952:$d: DESCrypto
14.2.dhcpmon.exe.40030dd.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x241a0:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241cd:$x2: IClientNetworkHost
14.2.dhcpmon.exe.40030dd.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x241a0:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2527b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241ba:$s5: IClientLoggingHost
14.2.dhcpmon.exe.40030dd.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287c9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287f6:$x2: IClientNetworkHost
11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287c9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x298a4:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287e3:$s5: IClientLoggingHost
11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.dhcpmon.exe.43b9c7e.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5ff:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d62c:$x2: IClientNetworkHost
12.2.dhcpmon.exe.43b9c7e.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5ff:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6da:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d619:$s5: IClientLoggingHost
12.2.dhcpmon.exe.43b9c7e.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.dhcpmon.exe.43b9c7e.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d5b5:$a: NanoCore 0x2d5ca:$a: NanoCore 0x2d5ff:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d371:$b: ClientPlugin 0x2d38c:$b: ClientPlugin
11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44b9c7e.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5ff:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d62c:$x2: IClientNetworkHost
11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44b9c7e.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5ff:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6da:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d619:$s5: IClientLoggingHost
11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44b9c7e.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44b9c7e.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d5b5:$a: NanoCore 0x2d5ca:$a: NanoCore 0x2d5ff:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d371:$b: ClientPlugin 0x2d38c:$b: ClientPlugin
12.2.dhcpmon.exe.43beab4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287c9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287f6:$x2: IClientNetworkHost
12.2.dhcpmon.exe.43beab4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287c9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x298a4:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287e3:$s5: IClientLoggingHost
12.2.dhcpmon.exe.43beab4.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
Click to see the 122 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe, ProcessId: 6416, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp98F0.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp98F0.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: {path}, ParentImage: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe, ParentProcessId: 6416, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp98F0.tmp', ProcessId: 6540

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "94----", "Group": "V-HASH", "Domain1": "cloudhost.myfirewall.org", "Domain2": "cloudhost.myfirewall.org", "Port": 5654, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "cloudhost.myfirewall.org", "BackupDNSServer": "cloudhost.myfirewall.orgbxpU=", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000B.00000002.721135661.0000000003471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.717514074.0000000003B51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.707013030.0000000004471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.742484463.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.722378411.0000000003371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.730081391.00000000044D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.741098736.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.719796822.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.907264968.0000000005C20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.742370218.0000000002FB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.721387726.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.721168712.0000000004471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.903845537.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.905880969.0000000004057000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.722411296.0000000004371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.676219646.00000000042A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6416, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 5748, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 2460, type: MEMORY
Source: Yara match	File source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6720, type: MEMORY
Source: Yara match	File source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6888, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 7160, type: MEMORY
Source: Yara match	File source: Process Memory Space: 256ec8f8f67b59c5e085b0bb63afcd13.exe PID: 6260, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6500, type: MEMORY
Source: Yara match	File source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3ffeab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.405eab4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.3c7ffe0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.dhcpmon.exe.46f8490.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.459ffe0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.3d78490.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.43beab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.dhcpmon.exe.45fffe0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4059c7e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.43c30dd.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3ffeab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.40630dd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.dhcpmon.exe.46f8490.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.4698490.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c30dd.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.3ff9c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c24629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.dhcpmon.exe.3d78490.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.43cffe0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.dhcpmon.exe.40030dd.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44beab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.43b9c7e.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44b9c7e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.43beab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.44c8490.2.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe

Joe Sandbox ML: detected

Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.5c20000.11.unpack	Avira: Label: TR/NanoCore.fadte
Source: 12.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 14.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.256ec8f8f67b59c5e085b0bb63afcd13.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Show sources

Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses new MSVCR Dlls

Show sources

Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.904860246.0000000002A85000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.680575404.0000000008770000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000002.00000002.907073740.0000000005920000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.717914840.00000000082E0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.724995186.00000000076E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.734162357.0000000008310000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe	Code function: 4x nop then lea ecx, dword ptr [ebp-30h]	0_2_05470608
Source: C:\Users\user\Desktop\256ec8f8f67b59c5e085b0bb63afcd13.exe	Code function: 4x nop then lea ecx, dword ptr [ebp-30h]	7_2_055C0608
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then lea ecx, dword ptr [ebp-30h]	8_2_02560608
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe	Code function: 4x nop then lea ecx, dword ptr [ebp-30h]	10_2_017F0608

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: cloudhost.myfirewall.org

Source: global traffic

TCP traffic: 192.168.2.4:49743 -> 79.134.225.105:5654

Source: Joe Sandbox View

IP Address: 79.134.225.105 79.134.225.105

Source: Joe Sandbox View

ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH

Source: unknown

DNS traffic detected: queries for: cloudhost.myfirewall.org

Source: 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000000.00000002.677120512.0000000005960000.00000002.00000001.sdmp, 256ec8f8f67b59c5e085b0bb63afcd13.exe, 00000007.00000002.715867498.00000000059B0000.00000002.00000001.sdmp, dhcpmon.exe, 00000008.00000002.720166161.0000000004DB0000.00000002

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 256ec8f8f67b59c5e085b0bb63afcd13.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking: