
Analysis Report LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe

Overview

General Information

Sample Name: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
Analysis ID: 355833
MD5: 988bbc4bf9b82be5dfa915ecb1b63c49
SHA1: c4a75851e915e5072a9ec720139a7693f3819f84
SHA256: 9af6ee7679b5e12c34b0530a2b7639c65b1ff8449930ed9a6156338a2eebbb98
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe (PID: 6336 cmdline: 'C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe' MD5: 988BBC4BF9B82BE5DFA915ECB1B63C49)
    • schtasks.exe (PID: 6864 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FOvTZkul' /XML 'C:\Users\user\AppData\Local\Temp\tmp9968.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe (PID: 6908 cmdline: {path} MD5: 988BBC4BF9B82BE5DFA915ECB1B63C49)
      • schtasks.exe (PID: 4552 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp4916.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "c4cca249-81f6-4232-9f14-01569e09f5f0", "Group": "JANUARY", "Domain1": "shahzad73.casacam.net", "Domain2": "shahzad73.ddns.net", "Port": 9036, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000015.00000002.365342774.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000015.00000002.365342774.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000015.00000002.365342774.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000007.00000002.493487439.0000000002DC1000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.280044415.0000000004209000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x10cf65:$x1: NanoCore.ClientPluginHost
  • 0x10cfa2:$x2: IClientNetworkHost
  • 0x110ad5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
(24 entries in total; the remaining entries are not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3e9b7ee.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0x145e3:$x1: NanoCore.ClientPluginHost
  • 0x2d5d7:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
  • 0x14610:$x2: IClientNetworkHost
  • 0x2d604:$x2: IClientNetworkHost
0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
(38 entries in total; the remaining entries are not shown)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, ProcessId: 6908, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FOvTZkul' /XML 'C:\Users\user\AppData\Local\Temp\tmp9968.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FOvTZkul' /XML 'C:\Users\user\AppData\Local\Temp\tmp9968.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe', ParentImage: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, ParentProcessId: 6336, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FOvTZkul' /XML 'C:\Users\user\AppData\Local\Temp\tmp9968.tmp', ProcessId: 6864
Sigma detected: Suspicious Double Extension
Source: Process started | Author: Florian Roth (rule), @blu3_team (idea) | Data: Command: {path}, CommandLine: {path}, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, NewProcessName: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, OriginalFileName: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, ParentCommandLine: 'C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe', ParentImage: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, ParentProcessId: 6336, ProcessCommandLine: {path}, ProcessId: 6908

Signature Overview

AV Detection:

Found malware configuration
Source: 00000015.00000002.370926802.0000000003E59000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "c4cca249-81f6-4232-9f14-01569e09f5f0", "Group": "JANUARY", "Domain1": "shahzad73.casacam.net", "Domain2": "shahzad73.ddns.net", "Port": 9036, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\FOvTZkul.exe | ReversingLabs: Detection: 12%
Multi AV Scanner detection for submitted file
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | ReversingLabs: Detection: 12%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000015.00000002.365342774.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.493487439.0000000002DC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.280044415.0000000004209000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.281405044.00000000046F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.370926802.0000000003E59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.352145184.0000000003859000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.488637501.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.370366843.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 1236, type: MEMORY
Source: Yara match | File source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6336, type: MEMORY
Source: Yara match | File source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6908, type: MEMORY
Source: Yara match | File source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3e9b7ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea0624.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea4c4d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3a413e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea0624.4.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\FOvTZkul.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Joe Sandbox ML: detected
Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49721 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49722 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49723 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49730 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49731 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49732 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49738 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49739 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49740 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49741 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49742 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49744 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49745 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49746 -> 91.212.153.84:9036
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49749 -> 91.212.153.84:9036
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: shahzad73.ddns.net
Source: Malware configuration extractor | URLs: shahzad73.casacam.net
Source: global traffic | TCP traffic: 192.168.2.5:49721 -> 91.212.153.84:9036
Source: Joe Sandbox View | IP Address: 91.212.153.84 91.212.153.84
Source: Joe Sandbox View | ASN Name: MYLOC-ASIPBackboneofmyLocmanagedITAGDE MYLOC-ASIPBackboneofmyLocmanagedITAGDE
Source: unknown | DNS traffic detected: queries for: shahzad73.casacam.net
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.279958013.0000000003201000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.349317167.0000000002851000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.279627168.000000000147B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000015.00000002.370926802.0000000003E59000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000015.00000002.365342774.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.493487439.0000000002DC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.280044415.0000000004209000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.281405044.00000000046F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.370926802.0000000003E59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.352145184.0000000003859000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.488637501.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.370366843.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 1236, type: MEMORY
Source: Yara match | File source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6336, type: MEMORY
Source: Yara match | File source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6908, type: MEMORY
Source: Yara match | File source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3e9b7ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea0624.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea4c4d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3a413e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea0624.4.unpack, type: UNPACKEDPE

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 00000015.00000002.365342774.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000015.00000002.365342774.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.280044415.0000000004209000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000000.00000002.280044415.0000000004209000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.281405044.00000000046F7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000000.00000002.281405044.00000000046F7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000015.00000002.370926802.0000000003E59000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000F.00000002.352145184.0000000003859000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0000000F.00000002.352145184.0000000003859000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000007.00000002.488637501.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 00000007.00000002.488637501.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000015.00000002.370366843.0000000002E51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 1236, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 1236, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6336, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6336, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6908, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6908, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3e9b7ee.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3e9b7ee.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.2decaf8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea0624.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea4c4d.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.2eb9820.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3a413e8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3a413e8.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea0624.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
        Initial sample is a PE file and has a suspicious name
        Source: initial sample | Static PE information: Filename: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
        Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Process Stats: CPU usage > 98%
        Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Code function: 0_2_0172F470
        Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Code function: 0_2_0172F460
        Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Code function: 0_2_0172D4FC
        Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Code function: 0_2_056D1535
        Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Code function: 7_2_012FE471
        Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Code function: 7_2_012FE480
        Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Code function: 7_2_012FBBD4
        Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Code function: 15_2_068B3EF4
        Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Code function: 15_2_068B0200
        Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Code function: 15_2_068B3A70
        Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Code function: 15_2_068B01F0
        Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Code function: 15_2_068B6F77
        Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Code function: 21_2_0130E471
        Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Code function: 21_2_0130E480
        Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Code function: 21_2_0130BBD4
        Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.288486730.0000000009030000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
        Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.279627168.000000000147B000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
        Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.288762334.00000000096F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
        Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.288762334.00000000096F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
        Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000000.222149206.0000000000D40000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
        Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000007.00000002.493487439.0000000002DC1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
        Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000007.00000002.489676838.0000000000A70000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
        Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000007.00000003.299491725.00000000065FD000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
        Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000000.291317278.0000000000480000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
        Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.356753641.0000000008720000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
        Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.356277146.0000000006810000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
        Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000014.00000002.344932562.00000000000C0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
        Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000015.00000000.346222068.00000000009E0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
        Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000015.00000002.370926802.0000000003E59000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
        Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000015.00000002.370926802.0000000003E59000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
        Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000015.00000002.370926802.0000000003E59000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
        Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Binary or memory string: OriginalFilename vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
        Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: 00000015.00000002.365342774.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000015.00000002.365342774.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.280044415.0000000004209000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.280044415.0000000004209000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.281405044.00000000046F7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.281405044.00000000046F7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000002.370926802.0000000003E59000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000F.00000002.352145184.0000000003859000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000F.00000002.352145184.0000000003859000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000007.00000002.488637501.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000007.00000002.488637501.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000002.370366843.0000000002E51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 1236, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 1236, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6336, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6336, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6908, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6908, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3e9b7ee.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3e9b7ee.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3e9b7ee.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.2decaf8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.2decaf8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea0624.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea0624.4.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea4c4d.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea4c4d.5.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.2eb9820.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.2eb9820.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3a413e8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3a413e8.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea0624.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea0624.4.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: FOvTZkul.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'CreateDecryptor'
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs | Cryptographic APIs: 'TransformFinalBlock'
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@17/10@15/2
        Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | File created: C:\Users\user\AppData\Roaming\FOvTZkul.exe
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5928:120:WilError_01
        Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{c4cca249-81f6-4232-9f14-01569e09f5f0}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6872:120:WilError_01
        Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exeMutant created: \Sessions\1\BaseNamedObjects\WjOJCroITQdUbvUa
        Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exeFile created: C:\Users\user\AppData\Local\Temp\tmp9968.tmpJump to behavior
        Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | ReversingLabs: Detection: 12%
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | File read: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
Source: unknown | Process created: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe 'C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FOvTZkul' /XML 'C:\Users\user\AppData\Local\Temp\tmp9968.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe {path}
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp4916.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe 'C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe' 0
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FOvTZkul' /XML 'C:\Users\user\AppData\Local\Temp\tmpA04.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe {path}
Source: unknown | Process created: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe {path}
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FOvTZkul' /XML 'C:\Users\user\AppData\Local\Temp\tmp9968.tmp'
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Process created: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe {path}
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp4916.tmp'
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FOvTZkul' /XML 'C:\Users\user\AppData\Local\Temp\tmpA04.tmp'
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Process created: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe {path}
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Process created: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe {path}
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe | Static PE information: data directory type:<