
Analysis Report WxTm2cWLHF

Overview

General Information

Sample Name:WxTm2cWLHF (renamed file extension from none to exe)
Analysis ID:356788
MD5:da6d54ef4dd6752367ff3f516196b292
SHA1:b88ea4e2bc892980e6e9a394a36cc262178bdbbd
SHA256:6f226cb3268aafbe3ff45d8dae3655c171ab7e6a0e2069815b761ffad9e3a7ea
Tags:NanoCore

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • WxTm2cWLHF.exe (PID: 5512 cmdline: 'C:\Users\user\Desktop\WxTm2cWLHF.exe' MD5: DA6D54EF4DD6752367FF3F516196B292)
    • schtasks.exe (PID: 6612 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eNEXCeqZvjFuTO' /XML 'C:\Users\user\AppData\Local\Temp\tmp30A3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WxTm2cWLHF.exe (PID: 6664 cmdline: {path} MD5: DA6D54EF4DD6752367FF3F516196B292)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "0875083a-8885-4a01-8069-09c5a276748c", "Group": "feb16", "Domain1": "amuokuku.duckdns.org", "Domain2": "alliedtrade54321.ddns.net", "Port": 32114, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "amuokuku.duckdns.org", "BackupDNSServer": "alliedtrade54321.ddns.net"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.499194196.0000000006150000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000007.00000002.499194196.0000000006150000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000007.00000002.499194196.0000000006150000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000007.00000002.497750745.0000000003F29000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000007.00000002.497750745.0000000003F29000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0x2f15:$a: NanoCore
  • 0x2f6e:$a: NanoCore
  • 0x2fab:$a: NanoCore
  • 0x3024:$a: NanoCore
  • 0x166cf:$a: NanoCore
  • 0x166e4:$a: NanoCore
  • 0x16719:$a: NanoCore
  • 0x2f1c3:$a: NanoCore
  • 0x2f1d8:$a: NanoCore
  • 0x2f20d:$a: NanoCore
  • 0x2f77:$b: ClientPlugin
  • 0x2fb4:$b: ClientPlugin
  • 0x38b2:$b: ClientPlugin
  • 0x38bf:$b: ClientPlugin
  • 0x1648b:$b: ClientPlugin
  • 0x164a6:$b: ClientPlugin
  • 0x164d6:$b: ClientPlugin
  • 0x166ed:$b: ClientPlugin
  • 0x16722:$b: ClientPlugin
  • 0x2ef7f:$b: ClientPlugin
  • 0x2ef9a:$b: ClientPlugin

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.WxTm2cWLHF.exe.43e16f0.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.WxTm2cWLHF.exe.43e16f0.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
0.2.WxTm2cWLHF.exe.43e16f0.3.raw.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
0.2.WxTm2cWLHF.exe.43e16f0.3.raw.unpack | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfef5:$a: NanoCore
  • 0xff05:$a: NanoCore
  • 0x10139:$a: NanoCore
  • 0x1014d:$a: NanoCore
  • 0x1018d:$a: NanoCore
  • 0xff54:$b: ClientPlugin
  • 0x10156:$b: ClientPlugin
  • 0x10196:$b: ClientPlugin
  • 0x1007b:$c: ProjectData
  • 0x10a82:$d: DESCrypto
  • 0x1844e:$e: KeepAlive
  • 0x1643c:$g: LogClientMessage
  • 0x12637:$i: get_Connected
  • 0x10db8:$j: #=q
  • 0x10de8:$j: #=q
  • 0x10e04:$j: #=q
  • 0x10e34:$j: #=q
  • 0x10e50:$j: #=q
  • 0x10e6c:$j: #=q
  • 0x10e9c:$j: #=q
  • 0x10eb8:$j: #=q
7.2.WxTm2cWLHF.exe.6154629.11.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xb184:$x1: NanoCore.ClientPluginHost
  • 0xb1b1:$x2: IClientNetworkHost

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Users\user\Desktop\WxTm2cWLHF.exe, ProcessId: 6664, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eNEXCeqZvjFuTO' /XML 'C:\Users\user\AppData\Local\Temp\tmp30A3.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eNEXCeqZvjFuTO' /XML 'C:\Users\user\AppData\Local\Temp\tmp30A3.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\WxTm2cWLHF.exe', ParentImage: C:\Users\user\Desktop\WxTm2cWLHF.exe, ParentProcessId: 5512, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eNEXCeqZvjFuTO' /XML 'C:\Users\user\AppData\Local\Temp\tmp30A3.tmp', ProcessId: 6612

Signature Overview


AV Detection:

Found malware configuration
Source: 00000007.00000002.497750745.0000000003F29000.00000004.00000001.sdmp, Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "0875083a-8885-4a01-8069-09c5a276748c", "Group": "feb16", "Domain1": "amuokuku.duckdns.org", "Domain2": "alliedtrade54321.ddns.net", "Port": 32114, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "amuokuku.duckdns.org", "BackupDNSServer": "alliedtrade54321.ddns.net"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\eNEXCeqZvjFuTO.exe, Metadefender: Detection: 27%
Source: C:\Users\user\AppData\Roaming\eNEXCeqZvjFuTO.exe, ReversingLabs: Detection: 60%
Multi AV Scanner detection for submitted file
Source: WxTm2cWLHF.exe, Virustotal: Detection: 49%
Source: WxTm2cWLHF.exe, Metadefender: Detection: 27%
Source: WxTm2cWLHF.exe, ReversingLabs: Detection: 60%
Yara detected Nanocore RAT
Source: Yara match, File source: 00000007.00000002.499194196.0000000006150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.497750745.0000000003F29000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.491562642.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.494580677.0000000002EE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.279715040.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.281914406.00000000043AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: WxTm2cWLHF.exe PID: 6664, type: MEMORY
Source: Yara match, File source: Process Memory Space: WxTm2cWLHF.exe PID: 5512, type: MEMORY
Source: Yara match, File source: 0.2.WxTm2cWLHF.exe.43e16f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.WxTm2cWLHF.exe.6154629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.WxTm2cWLHF.exe.3f34595.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.WxTm2cWLHF.exe.3f2ff6c.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.WxTm2cWLHF.exe.3f2ff6c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.WxTm2cWLHF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.WxTm2cWLHF.exe.43e16f0.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.WxTm2cWLHF.exe.6150000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.WxTm2cWLHF.exe.3f2b136.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.WxTm2cWLHF.exe.6150000.10.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\eNEXCeqZvjFuTO.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: WxTm2cWLHF.exe, Joe Sandbox ML: detected
Source: 7.2.WxTm2cWLHF.exe.400000.0.unpack, Avira: Label: TR/Dropper.MSIL.Gen7
Source: 7.2.WxTm2cWLHF.exe.6150000.10.unpack, Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files
Source: WxTm2cWLHF.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: WxTm2cWLHF.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: amuokuku.duckdns.org
Source: Malware configuration extractor, URLs: alliedtrade54321.ddns.net
Uses dynamic DNS services
Source: unknown, DNS query: name: amuokuku.duckdns.org
Source: unknown, DNS query: name: alliedtrade54321.ddns.net
Source: global traffic, TCP traffic: 192.168.2.5:49718 -> 79.134.225.71:32114
Source: global traffic, TCP traffic: 192.168.2.5:49723 -> 105.112.97.157:32114
Source: Joe Sandbox View, IP Address: 79.134.225.71
Source: Joe Sandbox View, ASN Name: VNL1-ASNG
Source: Joe Sandbox View, ASN Name: FINK-TELECOM-SERVICESCH
Source: unknown, DNS traffic detected: queries for: amuokuku.duckdns.org
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: WxTm2cWLHF.exe, 00000000.00000002.279546261.0000000002EB1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: WxTm2cWLHF.exe, 00000000.00000002.286567113.0000000007012000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: WxTm2cWLHF.exe, 00000007.00000002.499194196.0000000006150000.00000004.00000001.sdmp, Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match, File source: 00000007.00000002.499194196.0000000006150000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.497750745.0000000003F29000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.491562642.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.494580677.0000000002EE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.279715040.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.281914406.00000000043AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: WxTm2cWLHF.exe PID: 6664, type: MEMORY
Source: Yara match, File source: Process Memory Space: WxTm2cWLHF.exe PID: 5512, type: MEMORY
Source: Yara match, File source: 0.2.WxTm2cWLHF.exe.43e16f0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.WxTm2cWLHF.exe.6154629.11.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.WxTm2cWLHF.exe.3f34595.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.WxTm2cWLHF.exe.3f2ff6c.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.WxTm2cWLHF.exe.3f2ff6c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.WxTm2cWLHF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.WxTm2cWLHF.exe.43e16f0.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.WxTm2cWLHF.exe.6150000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.WxTm2cWLHF.exe.3f2b136.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 7.2.WxTm2cWLHF.exe.6150000.10.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000007.00000002.499194196.0000000006150000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000007.00000002.497750745.0000000003F29000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.491562642.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000007.00000002.491562642.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.279715040.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.279715040.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.281914406.00000000043AE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.281914406.00000000043AE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.498775362.00000000055D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: WxTm2cWLHF.exe PID: 6664, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: WxTm2cWLHF.exe PID: 6664, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: WxTm2cWLHF.exe PID: 5512, type: MEMORY, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: WxTm2cWLHF.exe PID: 5512, type: MEMORY, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.WxTm2cWLHF.exe.43e16f0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.WxTm2cWLHF.exe.43e16f0.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.WxTm2cWLHF.exe.6154629.11.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.WxTm2cWLHF.exe.3f34595.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.WxTm2cWLHF.exe.2f0c9f0.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.WxTm2cWLHF.exe.55d0000.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.WxTm2cWLHF.exe.3f2ff6c.5.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.WxTm2cWLHF.exe.3f2ff6c.5.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.WxTm2cWLHF.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.WxTm2cWLHF.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.WxTm2cWLHF.exe.43e16f0.3.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 0.2.WxTm2cWLHF.exe.43e16f0.3.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.WxTm2cWLHF.exe.6150000.10.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.WxTm2cWLHF.exe.3f2b136.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 7.2.WxTm2cWLHF.exe.3f2b136.4.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.WxTm2cWLHF.exe.6150000.10.unpack, type: UNPACKEDPE, Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: C:\Users\user\Desktop\WxTm2cWLHF.exe, Code function: 0_2_013AC154
Source: C:\Users\user\Desktop\WxTm2cWLHF.exe, Code function: 0_2_013AE598
Source: C:\Users\user\Desktop\WxTm2cWLHF.exe, Code function: 0_2_013AE589
Source: C:\Users\user\Desktop\WxTm2cWLHF.exe, Code function: 0_2_09AE153A
Source: C:\Users\user\Desktop\WxTm2cWLHF.exe, Code function: 7_2_0152E471
Source: C:\Users\user\Desktop\WxTm2cWLHF.exe, Code function: 7_2_0152E480
Source: C:\Users\user\Desktop\WxTm2cWLHF.exe, Code function: 7_2_0152BBD4
Source: WxTm2cWLHF.exe, Binary or memory string: OriginalFilename vs WxTm2cWLHF.exe
Source: WxTm2cWLHF.exe, 00000000.00000002.287647872.00000000078C0000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs WxTm2cWLHF.exe
Source: WxTm2cWLHF.exe, 00000000.00000002.287647872.00000000078C0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs WxTm2cWLHF.exe
Source: WxTm2cWLHF.exe, 00000000.00000002.289732815.0000000009750000.00000002.00000001.sdmp, Binary or memory string: System.OriginalFileName vs WxTm2cWLHF.exe
Source: WxTm2cWLHF.exe, Binary or memory string: OriginalFilename vs WxTm2cWLHF.exe
Source: WxTm2cWLHF.exe, 00000007.00000002.499194196.0000000006150000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameLzma#.dll4 vs WxTm2cWLHF.exe
Source: WxTm2cWLHF.exe, 00000007.00000002.499194196.0000000006150000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs WxTm2cWLHF.exe
Source: WxTm2cWLHF.exe, 00000007.00000002.497750745.0000000003F29000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameClientPlugin.dll4 vs WxTm2cWLHF.exe
Source: WxTm2cWLHF.exe, 00000007.00000002.499691551.0000000006ED0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs WxTm2cWLHF.exe
Source: WxTm2cWLHF.exe, 00000007.00000002.499066058.0000000006060000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenamemscorrc.dllT vs WxTm2cWLHF.exe
Source: WxTm2cWLHF.exe, Binary or memory string: OriginalFilename vs WxTm2cWLHF.exe
Source: WxTm2cWLHF.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000007.00000002.499194196.0000000006150000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.499194196.0000000006150000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000007.00000002.497750745.0000000003F29000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.491562642.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.491562642.0000000000402000.00000040.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.279715040.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.279715040.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.281914406.00000000043AE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.281914406.00000000043AE000.00000004.00000001.sdmp, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.498775362.00000000055D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.498775362.00000000055D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: WxTm2cWLHF.exe PID: 6664, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: WxTm2cWLHF.exe PID: 6664, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: WxTm2cWLHF.exe PID: 5512, type: MEMORY, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: WxTm2cWLHF.exe PID: 5512, type: MEMORY, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.WxTm2cWLHF.exe.43e16f0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.WxTm2cWLHF.exe.43e16f0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.WxTm2cWLHF.exe.43e16f0.3.raw.unpack, type: UNPACKEDPE, Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.WxTm2cWLHF.exe.6154629.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.WxTm2cWLHF.exe.6154629.11.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.WxTm2cWLHF.exe.3f34595.3.raw.unpack, type: UNPACKEDPE, Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.WxTm2cWLHF.exe.3f34595.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.WxTm2cWLHF.exe.2f0c9f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.WxTm2cWLHF.exe.2f0c9f0.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.WxTm2cWLHF.exe.55d0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.WxTm2cWLHF.exe.55d0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.WxTm2cWLHF.exe.3f2ff6c.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.WxTm2cWLHF.exe.3f2ff6c.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.WxTm2cWLHF.exe.3f2ff6c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.WxTm2cWLHF.exe.3f2ff6c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.WxTm2cWLHF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.WxTm2cWLHF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.WxTm2cWLHF.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.WxTm2cWLHF.exe.43e16f0.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.WxTm2cWLHF.exe.43e16f0.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 0.2.WxTm2cWLHF.exe.43e16f0.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.WxTm2cWLHF.exe.6150000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.WxTm2cWLHF.exe.6150000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.WxTm2cWLHF.exe.3f2b136.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.WxTm2cWLHF.exe.3f2b136.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 7.2.WxTm2cWLHF.exe.3f2b136.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 7.2.WxTm2cWLHF.exe.6150000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 7.2.WxTm2cWLHF.exe.6150000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: WxTm2cWLHF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: eNEXCeqZvjFuTO.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 7.2.WxTm2cWLHF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 7.2.WxTm2cWLHF.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 7.2.WxTm2cWLHF.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: classification engineClassification label: mal100.troj.evad.winEXE@6/4@10/3
        Source: C:\Users\user\Desktop\WxTm2cWLHF.exeFile created: C:\Users\user\AppData\Roaming\eNEXCeqZvjFuTO.exeJump to behavior
        Source: C:\Users\user\Desktop\WxTm2cWLHF.exeMutant created: \Sessions\1\BaseNamedObjects\gErHUAiRFLKblIUfeLFvYmo
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_01
        Source: C:\Users\user\Desktop\WxTm2cWLHF.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{0875083a-8885-4a01-8069-09c5a276748c}
        Source: C:\Users\user\Desktop\WxTm2cWLHF.exeFile created: C:\Users\user\AppData\Local\Temp\tmp30A3.tmpJump to behavior
        Source: C:\Users\user\Desktop\WxTm2cWLHF.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\WxTm2cWLHF.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\WxTm2cWLHF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: WxTm2cWLHF.exe | Virustotal: Detection: 49%
        Source: WxTm2cWLHF.exe | Metadefender: Detection: 27%
        Source: WxTm2cWLHF.exe | ReversingLabs: Detection: 60%
        Source: C:\Users\user\Desktop\WxTm2cWLHF.exe | File read: C:\Users\user\Desktop\WxTm2cWLHF.exe
        Source: unknown | Process created: C:\Users\user\Desktop\WxTm2cWLHF.exe 'C:\Users\user\Desktop\WxTm2cWLHF.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eNEXCeqZvjFuTO' /XML 'C:\Users\user\AppData\Local\Temp\tmp30A3.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\WxTm2cWLHF.exe {path}
        Source: C:\Users\user\Desktop\WxTm2cWLHF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eNEXCeqZvjFuTO' /XML 'C:\Users\user\AppData\Local\Temp\tmp30A3.tmp'
        Source: C:\Users\user\Desktop\WxTm2cWLHF.exe | Process created: C:\Users\user\Desktop\WxTm2cWLHF.exe {path}
        Source: C:\Users\user\Desktop\WxTm2cWLHF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\WxTm2cWLHF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: WxTm2cWLHF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: WxTm2cWLHF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: WxTm2cWLHF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 7.2.WxTm2cWLHF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 7.2.WxTm2cWLHF.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003du003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Binary contains a suspicious time stamp
        Source: initial sample | Static PE information: 0xA6400EE4 [Tue May 21 14:12:52 2058 UTC]
        Source: C:\Users\user\Desktop\WxTm2cWLHF.exe | Code function: 0_2_09AE6847 push FFFFFF8Bh; iretd 0_2_09AE6857
        Source: C:\Users\user\Desktop\WxTm2cWLHF.exe | Code function: 0_2_09AE6740 push dword ptr [ebx+ebp-75h]; iretd 0_2_09AE6765
        Source: initial sample | Static PE information: section name: .text entropy: 7.91955251095
        Source: 7.2.WxTm2cWLHF.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 7.2.WxTm2cWLHF.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\WxTm2cWLHF.exe | File created: C:\Users\user\AppData\Roaming\eNEXCeqZvjFuTO.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\eNEXCeqZvjFuTO' /XML 'C:\Users\user\AppData\Local\Temp\tmp30A3.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\WxTm2cWLHF.exe | File opened: C:\Users\user\Desktop\WxTm2cWLHF.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\WxTm2cWLHF.exe | Process information set: NOOPENFILEERRORBOX