Analysis Report PAYMENT COPY.exe

Overview

General Information

Sample Name: PAYMENT COPY.exe
Analysis ID: 356453
MD5: 53e8c460446fe305dfc2159961aa6234
SHA1: bbebce3965dfc237eac2711a47c141a4f8ff0083
SHA256: b082aa828dd2eb42d6e1de8ccd8573ac3096ceee92ad26449fc1df6e490ff4ed
Tags: exeNanoCoreRATSCB

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000008.00000002.278420831.0000000002460000.00000004.00000001.sdmp Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "bed38ea9-13ae-4999-bfd6-9ec5f9de3405", "Group": "Default", "Domain1": "chinomso.duckdns.org", "Domain2": "chinomso.duckdns.org", "Port": 7688, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "chinomso.duckdns.org", "BackupDNSServer": "chinomso.duckdns.orgAMC9Avo9uFWUE1JbxpU=", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
Multi AV Scanner detection for domain / URL
Source: chinomso.duckdns.org Virustotal: Detection: 8% Perma Link
Source: chinomso.duckdns.org Virustotal: Detection: 8% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe ReversingLabs: Detection: 35%
Source: C:\Users\user\AppData\Local\Temp\ri8clfcgml62un.dll ReversingLabs: Detection: 14%
Multi AV Scanner detection for submitted file
Source: PAYMENT COPY.exe ReversingLabs: Detection: 35%
Yara detected Nanocore RAT
Source: Yara match File source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.298702640.00000000032CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.278355916.0000000002411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.501309782.0000000002391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.298587099.0000000002291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT COPY.exe PID: 6712, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT COPY.exe PID: 6432, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 2896, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT COPY.exe PID: 6612, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT COPY.exe PID: 6392, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5932, type: MEMORY
Source: Yara match File source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.3430821.25.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.342c1f8.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.342c1f8.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.3497815.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.34931ec.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.34931ec.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3317815.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.33131ec.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.33131ec.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PAYMENT COPY.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.PAYMENT COPY.exe.342c1f8.24.unpack Avira: Label: TR/NanoCore.fadte
Source: 15.2.dhcpmon.exe.4e30000.10.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.1.PAYMENT COPY.exe.400000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.1.dhcpmon.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 15.2.dhcpmon.exe.400000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.2.PAYMENT COPY.exe.400000.1.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 1.1.PAYMENT COPY.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.2.PAYMENT COPY.exe.400000.0.unpack Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Unpacked PE file: 1.2.PAYMENT COPY.exe.400000.1.unpack
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Unpacked PE file: 8.2.PAYMENT COPY.exe.400000.0.unpack
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Unpacked PE file: 15.2.dhcpmon.exe.400000.1.unpack
Uses 32bit PE files
Source: PAYMENT COPY.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PAYMENT COPY.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: wntdll.pdbUGP source: PAYMENT COPY.exe, 00000000.00000003.237791410.0000000002B20000.00000004.00000001.sdmp, PAYMENT COPY.exe, 00000007.00000003.251492752.0000000002C40000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000003.274760299.0000000002C30000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: PAYMENT COPY.exe, 00000000.00000003.237791410.0000000002B20000.00000004.00000001.sdmp, PAYMENT COPY.exe, 00000007.00000003.251492752.0000000002C40000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000003.274760299.0000000002C30000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: PAYMENT COPY.exe, 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: PAYMENT COPY.exe, 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405A15
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_004065C1 FindFirstFileA,FindClose, 0_2_004065C1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_004027A1 FindFirstFileA, 0_2_004027A1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_00404A29 FindFirstFileExW, 1_2_00404A29
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_1_00404A29 FindFirstFileExW, 1_1_00404A29
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_00404A29 FindFirstFileExW, 8_2_00404A29
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 10_2_00405A15
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_004065C1 FindFirstFileA,FindClose, 10_2_004065C1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_004027A1 FindFirstFileA, 10_2_004027A1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_00404A29 FindFirstFileExW, 15_2_00404A29

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: chinomso.duckdns.org
Uses dynamic DNS services
Source: unknown DNS query: name: chinomso.duckdns.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49711 -> 185.150.24.55:7688
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.150.24.55 185.150.24.55
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SKYLINKNL SKYLINKNL
Source: unknown DNS traffic detected: queries for: chinomso.duckdns.org
Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp String found in binary or memory: http://google.com
Source: dhcpmon.exe, dhcpmon.exe, 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp, dhcpmon.exe, 0000000E.00000000.270226951.000000000040A000.00000008.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.273721399.000000000040A000.00000008.00020000.sdmp, PAYMENT COPY.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: PAYMENT COPY.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_004054B2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004054B2
Installs a raw input device (often for capturing keystrokes)
Source: PAYMENT COPY.exe, 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.298702640.00000000032CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.278355916.0000000002411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.501309782.0000000002391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.298587099.0000000002291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT COPY.exe PID: 6712, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT COPY.exe PID: 6432, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 2896, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT COPY.exe PID: 6612, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT COPY.exe PID: 6392, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5932, type: MEMORY
Source: Yara match File source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.3430821.25.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.342c1f8.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.342c1f8.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.3497815.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.34931ec.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.34931ec.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3317815.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.33131ec.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.33131ec.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPE

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.500528462.0000000000780000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.278420831.0000000002460000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.298632979.00000000022E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.298702640.00000000032CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.500417911.0000000000750000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.499796910.00000000006B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.500251784.0000000000710000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.499394347.0000000000660000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.500213366.0000000000700000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.500144000.00000000006F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.499506090.0000000000680000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.499715879.00000000006A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.504422573.00000000027A5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000003.401079389.0000000003861000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PAYMENT COPY.exe PID: 6712, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: PAYMENT COPY.exe PID: 6712, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PAYMENT COPY.exe PID: 6432, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: PAYMENT COPY.exe PID: 6432, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 2896, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 2896, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PAYMENT COPY.exe PID: 6612, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: PAYMENT COPY.exe PID: 6612, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: PAYMENT COPY.exe PID: 6392, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: PAYMENT COPY.exe PID: 6392, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: dhcpmon.exe PID: 5932, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: dhcpmon.exe PID: 5932, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.780000.16.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.27b2a64.22.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.700000.10.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.3430821.25.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.750000.14.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.37b0e8f.29.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.PAYMENT COPY.exe.243cc68.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.342c1f8.24.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.342c1f8.24.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.6f0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.24228c4.18.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.24228c4.18.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.680000.4.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.2436f00.20.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.2436f00.20.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.365ec98.27.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.27a65e4.21.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.27a65e4.21.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.710000.11.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.366d53c.26.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.PAYMENT COPY.exe.247b9ec.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.23bc994.17.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.27b2a64.22.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.27b2a64.22.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.75e8a4.15.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.730000.12.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.37b0e8f.29.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.750000.14.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.6c0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.PAYMENT COPY.exe.387e041.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.PAYMENT COPY.exe.387e041.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.24228c4.18.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.PAYMENT COPY.exe.3497815.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.660000.3.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.PAYMENT COPY.exe.34931ec.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.6e0000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.PAYMENT COPY.exe.3883a6d.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.PAYMENT COPY.exe.34931ec.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.27bb8ec.23.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.241667c.19.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.241667c.19.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.22bcc90.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.241667c.19.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.365ec98.27.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.3317815.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.6b0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.33131ec.8.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.6c0000.7.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.3663937.28.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.6a0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.PAYMENT COPY.exe.3869a16.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.710000.11.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.27bb8ec.23.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.27a65e4.21.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.680000.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.730000.12.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.33131ec.8.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.780000.16.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.3.PAYMENT COPY.exe.3869a16.0.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.PAYMENT COPY.exe.3869a16.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.6f0000.9.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.754c9f.13.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.6b0000.6.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.dhcpmon.exe.22fba98.4.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.PAYMENT COPY.exe.660000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.PAYMENT COPY.exe.700000.10.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.PAYMENT COPY.exe.3883a6d.2.raw.unpack, type: UNPACKEDPE Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.3.PAYMENT COPY.exe.3883a6d.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Executable has a suspicious name (potential lure to open the executable)
Source: PAYMENT COPY.exe Static file information: Suspicious name
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PAYMENT COPY.exe
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403486
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 10_2_00403486
Detected potential crypto function
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_00407272 0_2_00407272
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_00406A9B 0_2_00406A9B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_73581A98 0_2_73581A98
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_0040A2A5 1_2_0040A2A5
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_00783324 1_2_00783324
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_1_0040A2A5 1_1_0040A2A5
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_0040A2A5 8_2_0040A2A5
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_0499E480 8_2_0499E480
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_0499E470 8_2_0499E470
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_0499BBD4 8_2_0499BBD4
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_051CF5F8 8_2_051CF5F8
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_051C9788 8_2_051C9788
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_051CA5F8 8_2_051CA5F8
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_051CA610 8_2_051CA610
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_00407272 10_2_00407272
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_00406A9B 10_2_00406A9B
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0040A2A5 15_2_0040A2A5
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_04D6E480 15_2_04D6E480
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_04D6E471 15_2_04D6E471
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_04D6E47B 15_2_04D6E47B
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_04D6BBD4 15_2_04D6BBD4
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0509F5F8 15_2_0509F5F8
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_05099788 15_2_05099788
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0509A5D0 15_2_0509A5D0
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0509A610 15_2_0509A610
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_05243E30 15_2_05243E30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_05244A50 15_2_05244A50
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_05244B08 15_2_05244B08
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: String function: 00401ED0 appears 69 times
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: String function: 0040569E appears 54 times
Sample file is different than original file name gathered from version info
Source: PAYMENT COPY.exe, 00000000.00000003.238893639.0000000002DCF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000000.00000002.240855252.00000000022F0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe Binary or memory string: OriginalFilename vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000001.00000002.500528462.0000000000780000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000001.00000002.506109620.0000000003650000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000001.00000002.506109620.0000000003650000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNAudio.dll4 vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000001.00000002.506109620.0000000003650000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000001.00000002.501309782.0000000002391000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000007.00000003.254565501.0000000002C16000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000007.00000002.261551351.00000000022E0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000008.00000002.279599268.0000000005360000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000008.00000002.278420831.0000000002460000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000008.00000002.278420831.0000000002460000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameClientPlugin.dll4 vs PAYMENT COPY.exe
Source: PAYMENT COPY.exe, 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLzma#.dll4 vs PAYMENT COPY.exe
Uses 32bit PE files
Source: PAYMENT COPY.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.500528462.0000000000780000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.500528462.0000000000780000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.278420831.0000000002460000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.298632979.00000000022E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.298702640.00000000032CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.500417911.0000000000750000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.500417911.0000000000750000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.499796910.00000000006B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.499796910.00000000006B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.500251784.0000000000710000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.500251784.0000000000710000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.499394347.0000000000660000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.499394347.0000000000660000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.500213366.0000000000700000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.500213366.0000000000700000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.500144000.00000000006F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.500144000.00000000006F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.499506090.0000000000680000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.499506090.0000000000680000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.499715879.00000000006A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.499715879.00000000006A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.504422573.00000000027A5000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000003.401079389.0000000003861000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: PAYMENT COPY.exe PID: 6712, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: PAYMENT COPY.exe PID: 6712, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: PAYMENT COPY.exe PID: 6432, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: PAYMENT COPY.exe PID: 6432, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 2896, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 2896, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: PAYMENT COPY.exe PID: 6612, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: PAYMENT COPY.exe PID: 6612, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: PAYMENT COPY.exe PID: 6392, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: PAYMENT COPY.exe PID: 6392, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: dhcpmon.exe PID: 5932, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: dhcpmon.exe PID: 5932, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.780000.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.780000.16.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.27b2a64.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.27b2a64.22.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.700000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.700000.10.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.3430821.25.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.3430821.25.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.750000.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.750000.14.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.37b0e8f.29.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.37b0e8f.29.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PAYMENT COPY.exe.243cc68.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.PAYMENT COPY.exe.243cc68.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.342c1f8.24.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.342c1f8.24.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.342c1f8.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.342c1f8.24.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.6f0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.6f0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.24228c4.18.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.24228c4.18.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.680000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.680000.4.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.2436f00.20.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.2436f00.20.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.365ec98.27.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.365ec98.27.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.27a65e4.21.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.27a65e4.21.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.27a65e4.21.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.710000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.710000.11.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.366d53c.26.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.366d53c.26.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.PAYMENT COPY.exe.247b9ec.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.PAYMENT COPY.exe.247b9ec.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.23bc994.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.23bc994.17.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.27b2a64.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.27b2a64.22.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.27b2a64.22.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.75e8a4.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.75e8a4.15.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.730000.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.730000.12.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.37b0e8f.29.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.37b0e8f.29.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.750000.14.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.750000.14.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.6c0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.6c0000.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.PAYMENT COPY.exe.387e041.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.PAYMENT COPY.exe.387e041.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.PAYMENT COPY.exe.387e041.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.24228c4.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.24228c4.18.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PAYMENT COPY.exe.3497815.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.PAYMENT COPY.exe.3497815.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.660000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.660000.3.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.PAYMENT COPY.exe.34931ec.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.PAYMENT COPY.exe.34931ec.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.6e0000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.6e0000.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.PAYMENT COPY.exe.3883a6d.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.PAYMENT COPY.exe.3883a6d.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.PAYMENT COPY.exe.34931ec.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.PAYMENT COPY.exe.34931ec.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.27bb8ec.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.27bb8ec.23.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.241667c.19.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.241667c.19.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.22bcc90.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.22bcc90.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.241667c.19.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.241667c.19.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.365ec98.27.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.365ec98.27.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.3317815.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.3317815.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.6b0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.6b0000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.33131ec.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.33131ec.8.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.6c0000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.6c0000.7.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.3663937.28.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.3663937.28.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.6a0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.6a0000.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.PAYMENT COPY.exe.3869a16.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.PAYMENT COPY.exe.3869a16.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.710000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.710000.11.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.27bb8ec.23.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.27bb8ec.23.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.27a65e4.21.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.27a65e4.21.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.680000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.680000.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.730000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.730000.12.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.33131ec.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.33131ec.8.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.780000.16.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.780000.16.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.3.PAYMENT COPY.exe.3869a16.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.PAYMENT COPY.exe.3869a16.0.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.PAYMENT COPY.exe.3869a16.0.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.6f0000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.6f0000.9.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.754c9f.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.754c9f.13.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.6b0000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.6b0000.6.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.dhcpmon.exe.22fba98.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.dhcpmon.exe.22fba98.4.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.PAYMENT COPY.exe.660000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.660000.3.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.PAYMENT COPY.exe.700000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.PAYMENT COPY.exe.700000.10.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.PAYMENT COPY.exe.3883a6d.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.3.PAYMENT COPY.exe.3883a6d.2.raw.unpack, type: UNPACKEDPE Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.3.PAYMENT COPY.exe.3883a6d.2.raw.unpack, type: UNPACKEDPE Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.dhcpmon.exe.4e30000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 15.2.dhcpmon.exe.4e30000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'CreateDecryptor'
Source: 15.2.dhcpmon.exe.4e30000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 15.2.dhcpmon.exe.4e30000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 15.2.dhcpmon.exe.4e30000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine Classification label: mal100.troj.evad.winEXE@16/24@13/1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403486
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 10_2_00403486
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_00404763 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404763
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_72C34239 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW, 0_2_72C34239
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar, 0_2_0040216B
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess, 1_2_00401489
Source: C:\Users\user\Desktop\PAYMENT COPY.exe File created: C:\Program Files (x86)\DHCP Monitor Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe File created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:120:WilError_01
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{bed38ea9-13ae-4999-bfd6-9ec5f9de3405}
Source: C:\Users\user\Desktop\PAYMENT COPY.exe File created: C:\Users\user~1\AppData\Local\Temp\nsxD869.tmp Jump to behavior
Source: PAYMENT COPY.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: PAYMENT COPY.exe ReversingLabs: Detection: 35%
Source: C:\Users\user\Desktop\PAYMENT COPY.exe File read: C:\Users\user\Desktop\PAYMENT COPY.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe'
Source: unknown Process created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe'
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF23B.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe' 0
Source: unknown Process created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe' 0
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: unknown Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe' Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp' Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF23B.tmp' Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe' 0 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: PAYMENT COPY.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: PAYMENT COPY.exe, 00000000.00000003.237791410.0000000002B20000.00000004.00000001.sdmp, PAYMENT COPY.exe, 00000007.00000003.251492752.0000000002C40000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000003.274760299.0000000002C30000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: PAYMENT COPY.exe, 00000000.00000003.237791410.0000000002B20000.00000004.00000001.sdmp, PAYMENT COPY.exe, 00000007.00000003.251492752.0000000002C40000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000003.274760299.0000000002C30000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: PAYMENT COPY.exe, 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: PAYMENT COPY.exe, 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmp

Data Obfuscation:

barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Unpacked PE file: 1.2.PAYMENT COPY.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Unpacked PE file: 8.2.PAYMENT COPY.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Unpacked PE file: 15.2.dhcpmon.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Unpacked PE file: 1.2.PAYMENT COPY.exe.400000.1.unpack
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Unpacked PE file: 8.2.PAYMENT COPY.exe.400000.0.unpack
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Unpacked PE file: 15.2.dhcpmon.exe.400000.1.unpack
.NET source code contains potential unpacker
Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.dhcpmon.exe.4e30000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 15.2.dhcpmon.exe.4e30000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_73581A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_73581A98
PE file contains sections with non-standard names
Source: ri8clfcgml62un.dll.0.dr Static PE information: section name: .code
Source: ri8clfcgml62un.dll.7.dr Static PE information: section name: .code
Source: ri8clfcgml62un.dll.14.dr Static PE information: section name: .code
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_73582F60 push eax; ret 0_2_73582F8E
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_00401F16 push ecx; ret 1_2_00401F29
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_1_00401F16 push ecx; ret 1_1_00401F29
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_00401F16 push ecx; ret 8_2_00401F29
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_051C7648 push eax; iretd 8_2_051C7649
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_00401F16 push ecx; ret 15_2_00401F29
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_05097648 push eax; iretd 15_2_05097649
Source: initial sample Static PE information: section name: .data entropy: 7.6178797985
Source: initial sample Static PE information: section name: .data entropy: 7.6178797985
Source: initial sample Static PE information: section name: .data entropy: 7.6178797985
Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 15.2.dhcpmon.exe.4e30000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 15.2.dhcpmon.exe.4e30000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\PAYMENT COPY.exe File created: C:\Users\user\AppData\Local\Temp\nsoF70E.tmp\System.dll Jump to dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe File created: C:\Users\user\AppData\Local\Temp\ri8clfcgml62un.dll Jump to dropped file
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe File created: C:\Users\user\AppData\Local\Temp\nsc2504.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\PAYMENT COPY.exe File created: C:\Users\user\AppData\Local\Temp\nsmD8C8.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\PAYMENT COPY.exe File created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Jump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp'

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PAYMENT COPY.exe File opened: C:\Users\user\Desktop\PAYMENT COPY.exe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains capabilities to detect virtual machines
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Window / User API: threadDelayed 5356 Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Window / User API: threadDelayed 4142 Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Window / User API: foregroundWindowGot 456 Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Window / User API: foregroundWindowGot 420 Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Window / User API: foregroundWindowGot 374 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PAYMENT COPY.exe TID: 6660 Thread sleep time: -13835058055282155s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe TID: 7108 Thread sleep count: 42 > 30 Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe TID: 7048 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6404 Thread sleep count: 42 > 30 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4496 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405A15
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_004065C1 FindFirstFileA,FindClose, 0_2_004065C1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_004027A1 FindFirstFileA, 0_2_004027A1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_00404A29 FindFirstFileExW, 1_2_00404A29
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_1_00404A29 FindFirstFileExW, 1_1_00404A29
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_00404A29 FindFirstFileExW, 8_2_00404A29
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 10_2_00405A15
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_004065C1 FindFirstFileA,FindClose, 10_2_004065C1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 10_2_004027A1 FindFirstFileA, 10_2_004027A1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_00404A29 FindFirstFileExW, 15_2_00404A29
Source: PAYMENT COPY.exe, 00000001.00000003.303652307.0000000000634000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040446F
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_73581A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_73581A98
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_72C347A3 mov eax, dword ptr fs:[00000030h] 0_2_72C347A3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_72C345A0 mov eax, dword ptr fs:[00000030h] 0_2_72C345A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_004035F1 mov eax, dword ptr fs:[00000030h] 1_2_004035F1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_1_004035F1 mov eax, dword ptr fs:[00000030h] 1_1_004035F1
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 7_2_72C347A3 mov eax, dword ptr fs:[00000030h] 7_2_72C347A3
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 7_2_72C345A0 mov eax, dword ptr fs:[00000030h] 7_2_72C345A0
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_004035F1 mov eax, dword ptr fs:[00000030h] 8_2_004035F1
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_004035F1 mov eax, dword ptr fs:[00000030h] 15_2_004035F1
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_004067FE GetProcessHeap, 1_2_004067FE
Enables debug privileges
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_00401E1D SetUnhandledExceptionFilter, 1_2_00401E1D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040446F
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00401C88
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00401F30
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_1_00401E1D SetUnhandledExceptionFilter, 1_1_00401E1D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_1_0040446F
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_1_00401C88
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_1_00401F30
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_00401E1D SetUnhandledExceptionFilter, 8_2_00401E1D
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_0040446F
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00401C88
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 8_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00401F30
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_00401E1D SetUnhandledExceptionFilter, 15_2_00401E1D
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_0040446F
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_00401C88
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Code function: 15_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_00401F30
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Section loaded: unknown target: C:\Users\user\Desktop\PAYMENT COPY.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Section loaded: unknown target: C:\Users\user\Desktop\PAYMENT COPY.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Section loaded: unknown target: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe protection: execute and read and write Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe' Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp' Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF23B.tmp' Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Process created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe' 0 Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Process created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' Jump to behavior
Source: PAYMENT COPY.exe, 00000001.00000002.501042599.0000000000D80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.498613399.0000000000DF0000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: PAYMENT COPY.exe, 00000001.00000002.503675448.00000000026D0000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: PAYMENT COPY.exe, 00000001.00000002.501042599.0000000000D80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.498613399.0000000000DF0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: PAYMENT COPY.exe, 00000001.00000002.501042599.0000000000D80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.498613399.0000000000DF0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp Binary or memory string: Program ManagerD$
Source: PAYMENT COPY.exe, 00000001.00000002.503675448.00000000026D0000.00000004.00000001.sdmp Binary or memory string: Program Managerp
Source: PAYMENT COPY.exe, 00000001.00000002.501042599.0000000000D80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.498613399.0000000000DF0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: PAYMENT COPY.exe, 00000001.00000002.505472590.000000000297E000.00000004.00000001.sdmp Binary or memory string: Program Manager@

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_0040208D cpuid 1_2_0040208D
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 1_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00401B74
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Code function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403486
Source: C:\Users\user\Desktop\PAYMENT COPY.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\PAYMENT COPY.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

barindex
Yara detected Nanocore RAT
Source: Yara match File source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.298702640.00000000032CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.278355916.0000000002411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.501309782.0000000002391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.298587099.0000000002291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT COPY.exe PID: 6712, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT COPY.exe PID: 6432, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 2896, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT COPY.exe PID: 6612, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT COPY.exe PID: 6392, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5932, type: MEMORY
Source: Yara match File source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.3430821.25.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.342c1f8.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.342c1f8.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.3497815.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.34931ec.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.34931ec.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3317815.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.33131ec.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.33131ec.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Detected Nanocore Rat
Source: PAYMENT COPY.exe, 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: PAYMENT COPY.exe String found in binary or memory: NanoCore.ClientPluginHost
Source: PAYMENT COPY.exe, 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: PAYMENT COPY.exe, 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: PAYMENT COPY.exe, 00000001.00000002.501309782.0000000002391000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: PAYMENT COPY.exe, 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: PAYMENT COPY.exe String found in binary or memory: NanoCore.ClientPluginHost
Source: PAYMENT COPY.exe, 00000008.00000002.278420831.0000000002460000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: dhcpmon.exe, 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe String found in binary or memory: NanoCore.ClientPluginHost
Source: dhcpmon.exe, 0000000F.00000002.298632979.00000000022E0000.00000004.00000001.sdmp String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
Source: Yara match File source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.298702640.00000000032CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.278355916.0000000002411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.501309782.0000000002391000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.298587099.0000000002291000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT COPY.exe PID: 6712, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT COPY.exe PID: 6432, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 2896, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT COPY.exe PID: 6612, type: MEMORY
Source: Yara match File source: Process Memory Space: PAYMENT COPY.exe PID: 6392, type: MEMORY
Source: Yara match File source: Process Memory Space: dhcpmon.exe PID: 5932, type: MEMORY
Source: Yara match File source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.3430821.25.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.342c1f8.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.342c1f8.24.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.3497815.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.34931ec.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.34931ec.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3317815.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.33131ec.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.33131ec.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 356453 Sample: PAYMENT COPY.exe Startdate: 23/02/2021 Architecture: WINDOWS Score: 100 57 Multi AV Scanner detection for domain / URL 2->57 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 16 other signatures 2->63 8 PAYMENT COPY.exe 19 2->8         started        12 dhcpmon.exe 17 2->12         started        14 PAYMENT COPY.exe 17 2->14         started        16 dhcpmon.exe 9 2->16         started        process3 file4 47 C:\Users\user\AppData\Local\...\System.dll, PE32 8->47 dropped 67 Maps a DLL or memory area into another process 8->67 18 PAYMENT COPY.exe 1 15 8->18         started        49 C:\Users\user\AppData\...\ri8clfcgml62un.dll, PE32 12->49 dropped 51 C:\Users\user\AppData\Local\...\System.dll, PE32 12->51 dropped 23 dhcpmon.exe 3 12->23         started        53 C:\Users\user\AppData\Local\...\System.dll, PE32 14->53 dropped 25 PAYMENT COPY.exe 3 14->25         started        signatures5 process6 dnsIp7 55 chinomso.duckdns.org 185.150.24.55, 49725, 49728, 49734 SKYLINKNL Netherlands 18->55 35 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->35 dropped 37 C:\Users\user\AppData\Roaming\...\run.dat, International 18->37 dropped 39 C:\Users\user\AppData\Local\...\tmpEEDF.tmp, XML 18->39 dropped 41 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 18->41 dropped 65 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->65 27 schtasks.exe 1 18->27         started        29 schtasks.exe 1 18->29         started        43 C:\Users\user\AppData\...\dhcpmon.exe.log, ASCII 23->43 dropped 45 C:\Users\user\...\PAYMENT COPY.exe.log, ASCII 25->45 dropped file8 signatures9 process10 process11 31 conhost.exe 27->31         started        33 conhost.exe 29->33         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.150.24.55
 unknown Netherlands
44592 SKYLINKNL true

Contacted Domains

Name IP Active
chinomso.duckdns.org 185.150.24.55 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
chinomso.duckdns.org true
  • 8%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown