Play interactive tour

Edit tour

Analysis Report e92b274943f4a3a557881ee0dd57772d.exe

Overview

General Information

Sample Name:	e92b274943f4a3a557881ee0dd57772d.exe
Analysis ID:	356808
MD5:	1f2b71c462d73dcdcc69a707a18c38d6
SHA1:	98957c96b7c2dd066b6c5108f8ded53983427472
SHA256:	c6e001729b8abc3d321756d6964e1a84148f19004f03606953ebba32081f4c75
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

e92b274943f4a3a557881ee0dd57772d.exe (PID: 5900 cmdline: 'C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe' MD5: 1F2B71C462D73DCDCC69A707A18C38D6)

e92b274943f4a3a557881ee0dd57772d.exe (PID: 6108 cmdline: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe MD5: 1F2B71C462D73DCDCC69A707A18C38D6)

schtasks.exe (PID: 2336 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22EF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 2880 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmp266B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

e92b274943f4a3a557881ee0dd57772d.exe (PID: 6200 cmdline: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe 0 MD5: 1F2B71C462D73DCDCC69A707A18C38D6)

e92b274943f4a3a557881ee0dd57772d.exe (PID: 6460 cmdline: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe MD5: 1F2B71C462D73DCDCC69A707A18C38D6)

dhcpmon.exe (PID: 6296 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 1F2B71C462D73DCDCC69A707A18C38D6)

dhcpmon.exe (PID: 6468 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 1F2B71C462D73DCDCC69A707A18C38D6)

dhcpmon.exe (PID: 6720 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 1F2B71C462D73DCDCC69A707A18C38D6)

dhcpmon.exe (PID: 7024 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 1F2B71C462D73DCDCC69A707A18C38D6)

backgroundTaskHost.exe (PID: 7024 cmdline: 'C:\Windows\system32\backgroundTaskHost.exe' -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: B7FC4A29431D4F795BBAB1FB182B759A)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "94----", "Group": "V-HASH", "Domain1": "cloudhost.myfirewall.org", "Domain2": "cloudhost.myfirewall.org", "Port": 5654, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "cloudhost.myfirewall.org", "BackupDNSServer": "cloudhost.myfirewall.org", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.289277143.0000000002BF1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000014.00000002.310042790.00000000033F1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.252323083.0000000002BC7000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000009.00000002.275215575.0000000002FD4000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000009.00000002.275177741.0000000002FB1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000A.00000002.275680850.00000000033D6000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000C.00000002.289384974.0000000003BF1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.289384974.0000000003BF1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a5d:$a: NanoCore 0x49ab6:$a: NanoCore 0x49af3:$a: NanoCore 0x49b6c:$a: NanoCore 0x5d217:$a: NanoCore 0x5d22c:$a: NanoCore 0x5d261:$a: NanoCore 0x76233:$a: NanoCore 0x76248:$a: NanoCore 0x7627d:$a: NanoCore 0x49abf:$b: ClientPlugin 0x49afc:$b: ClientPlugin 0x4a3fa:$b: ClientPlugin 0x4a407:$b: ClientPlugin 0x5cfd3:$b: ClientPlugin 0x5cfee:$b: ClientPlugin 0x5d01e:$b: ClientPlugin 0x5d235:$b: ClientPlugin 0x5d26a:$b: ClientPlugin 0x75fef:$b: ClientPlugin 0x7600a:$b: ClientPlugin
00000002.00000002.499071538.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000002.00000002.499071538.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000002.00000002.499071538.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000B.00000002.290065986.0000000003EF1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.290065986.0000000003EF1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a5d:$a: NanoCore 0x49ab6:$a: NanoCore 0x49af3:$a: NanoCore 0x49b6c:$a: NanoCore 0x5d217:$a: NanoCore 0x5d22c:$a: NanoCore 0x5d261:$a: NanoCore 0x76233:$a: NanoCore 0x76248:$a: NanoCore 0x7627d:$a: NanoCore 0x49abf:$b: ClientPlugin 0x49afc:$b: ClientPlugin 0x4a3fa:$b: ClientPlugin 0x4a407:$b: ClientPlugin 0x5cfd3:$b: ClientPlugin 0x5cfee:$b: ClientPlugin 0x5d01e:$b: ClientPlugin 0x5d235:$b: ClientPlugin 0x5d26a:$b: ClientPlugin 0x75fef:$b: ClientPlugin 0x7600a:$b: ClientPlugin
0000000B.00000002.289889933.0000000002EF1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.287315536.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000B.00000002.287315536.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000B.00000002.287315536.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.252271147.0000000002BA1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000010.00000002.292745387.0000000002A27000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000014.00000002.304832264.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000014.00000002.304832264.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000014.00000002.304832264.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000010.00000002.293020224.0000000003A01000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2bf9bd:$x1: NanoCore.ClientPluginHost 0x2f23dd:$x1: NanoCore.ClientPluginHost 0x2bf9fa:$x2: IClientNetworkHost 0x2f241a:$x2: IClientNetworkHost 0x2c352d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2f5f4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000010.00000002.293020224.0000000003A01000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000002.293020224.0000000003A01000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2bf725:$a: NanoCore 0x2bf735:$a: NanoCore 0x2bf969:$a: NanoCore 0x2bf97d:$a: NanoCore 0x2bf9bd:$a: NanoCore 0x2f2145:$a: NanoCore 0x2f2155:$a: NanoCore 0x2f2389:$a: NanoCore 0x2f239d:$a: NanoCore 0x2f23dd:$a: NanoCore 0x2bf784:$b: ClientPlugin 0x2bf986:$b: ClientPlugin 0x2bf9c6:$b: ClientPlugin 0x2f21a4:$b: ClientPlugin 0x2f23a6:$b: ClientPlugin 0x2f23e6:$b: ClientPlugin 0x18059a:$c: ProjectData 0x1da3ba:$c: ProjectData 0x2bf8ab:$c: ProjectData 0x2f22cb:$c: ProjectData 0x2c02b2:$d: DESCrypto
00000000.00000002.252610124.0000000003BA1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2bf9bd:$x1: NanoCore.ClientPluginHost 0x2f23dd:$x1: NanoCore.ClientPluginHost 0x2bf9fa:$x2: IClientNetworkHost 0x2f241a:$x2: IClientNetworkHost 0x2c352d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2f5f4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.252610124.0000000003BA1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.252610124.0000000003BA1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2bf725:$a: NanoCore 0x2bf735:$a: NanoCore 0x2bf969:$a: NanoCore 0x2bf97d:$a: NanoCore 0x2bf9bd:$a: NanoCore 0x2f2145:$a: NanoCore 0x2f2155:$a: NanoCore 0x2f2389:$a: NanoCore 0x2f239d:$a: NanoCore 0x2f23dd:$a: NanoCore 0x2bf784:$b: ClientPlugin 0x2bf986:$b: ClientPlugin 0x2bf9c6:$b: ClientPlugin 0x2f21a4:$b: ClientPlugin 0x2f23a6:$b: ClientPlugin 0x2f23e6:$b: ClientPlugin 0x18059a:$c: ProjectData 0x1da3ba:$c: ProjectData 0x2bf8ab:$c: ProjectData 0x2f22cb:$c: ProjectData 0x2c02b2:$d: DESCrypto
00000014.00000002.310443660.00000000043F1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000014.00000002.310443660.00000000043F1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x49a5d:$a: NanoCore 0x49ab6:$a: NanoCore 0x49af3:$a: NanoCore 0x49b6c:$a: NanoCore 0x5d217:$a: NanoCore 0x5d22c:$a: NanoCore 0x5d261:$a: NanoCore 0x76233:$a: NanoCore 0x76248:$a: NanoCore 0x7627d:$a: NanoCore 0x49abf:$b: ClientPlugin 0x49afc:$b: ClientPlugin 0x4a3fa:$b: ClientPlugin 0x4a407:$b: ClientPlugin 0x5cfd3:$b: ClientPlugin 0x5cfee:$b: ClientPlugin 0x5d01e:$b: ClientPlugin 0x5d235:$b: ClientPlugin 0x5d26a:$b: ClientPlugin 0x75fef:$b: ClientPlugin 0x7600a:$b: ClientPlugin
00000010.00000002.292697027.0000000002A01000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000A.00000002.275574869.00000000033B1000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000A.00000002.276093432.00000000043B1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2bf9bd:$x1: NanoCore.ClientPluginHost 0x2f23dd:$x1: NanoCore.ClientPluginHost 0x2bf9fa:$x2: IClientNetworkHost 0x2f241a:$x2: IClientNetworkHost 0x2c352d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2f5f4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000002.276093432.00000000043B1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.276093432.00000000043B1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2bf725:$a: NanoCore 0x2bf735:$a: NanoCore 0x2bf969:$a: NanoCore 0x2bf97d:$a: NanoCore 0x2bf9bd:$a: NanoCore 0x2f2145:$a: NanoCore 0x2f2155:$a: NanoCore 0x2f2389:$a: NanoCore 0x2f239d:$a: NanoCore 0x2f23dd:$a: NanoCore 0x2bf784:$b: ClientPlugin 0x2bf986:$b: ClientPlugin 0x2bf9c6:$b: ClientPlugin 0x2f21a4:$b: ClientPlugin 0x2f23a6:$b: ClientPlugin 0x2f23e6:$b: ClientPlugin 0x18059a:$c: ProjectData 0x1da3ba:$c: ProjectData 0x2bf8ab:$c: ProjectData 0x2f22cb:$c: ProjectData 0x2c02b2:$d: DESCrypto
0000000C.00000002.287530922.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.287530922.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.287530922.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000009.00000002.275575320.0000000003FB1000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2bf9bd:$x1: NanoCore.ClientPluginHost 0x2f23dd:$x1: NanoCore.ClientPluginHost 0x2bf9fa:$x2: IClientNetworkHost 0x2f241a:$x2: IClientNetworkHost 0x2c352d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2f5f4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000009.00000002.275575320.0000000003FB1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000009.00000002.275575320.0000000003FB1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2bf725:$a: NanoCore 0x2bf735:$a: NanoCore 0x2bf969:$a: NanoCore 0x2bf97d:$a: NanoCore 0x2bf9bd:$a: NanoCore 0x2f2145:$a: NanoCore 0x2f2155:$a: NanoCore 0x2f2389:$a: NanoCore 0x2f239d:$a: NanoCore 0x2f23dd:$a: NanoCore 0x2bf784:$b: ClientPlugin 0x2bf986:$b: ClientPlugin 0x2bf9c6:$b: ClientPlugin 0x2f21a4:$b: ClientPlugin 0x2f23a6:$b: ClientPlugin 0x2f23e6:$b: ClientPlugin 0x18059a:$c: ProjectData 0x1da3ba:$c: ProjectData 0x2bf8ab:$c: ProjectData 0x2f22cb:$c: ProjectData 0x2c02b2:$d: DESCrypto
Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 6108	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4c905:$x1: NanoCore.ClientPluginHost 0x1a6796:$x1: NanoCore.ClientPluginHost 0x4c92b:$x2: IClientNetworkHost 0x1a67f7:$x2: IClientNetworkHost 0x1abbfc:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1b9b6e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 6108	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 6108	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4c7f7:$a: NanoCore 0x4c898:$a: NanoCore 0x4c905:$a: NanoCore 0x4c9c6:$a: NanoCore 0x4d897:$a: NanoCore 0x4d8ea:$a: NanoCore 0x4d923:$a: NanoCore 0x4d996:$a: NanoCore 0x7ed69:$a: NanoCore 0x1a629b:$a: NanoCore 0x1a62b7:$a: NanoCore 0x1a6412:$a: NanoCore 0x1a6421:$a: NanoCore 0x1a66fa:$a: NanoCore 0x1a6726:$a: NanoCore 0x1a6796:$a: NanoCore 0x1b61d8:$a: NanoCore 0x1b61ea:$a: NanoCore 0x1b6226:$a: NanoCore 0x44654:$b: ClientPlugin 0x44679:$b: ClientPlugin
Process Memory Space: dhcpmon.exe PID: 7024	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2a8f:$x1: NanoCore.ClientPluginHost 0x9d0f:$x1: NanoCore.ClientPluginHost 0x2d25f:$x1: NanoCore.ClientPluginHost 0x5287c:$x1: NanoCore.ClientPluginHost 0x5843b:$x1: NanoCore.ClientPluginHost 0x69814:$x1: NanoCore.ClientPluginHost 0x2ab5:$x2: IClientNetworkHost 0x9d35:$x2: IClientNetworkHost 0x2d2c0:$x2: IClientNetworkHost 0x528a2:$x2: IClientNetworkHost 0x58480:$x2: IClientNetworkHost 0x69859:$x2: IClientNetworkHost 0x326c5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x40637:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 7024	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 7024	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2981:$a: NanoCore 0x2a22:$a: NanoCore 0x2a8f:$a: NanoCore 0x2b50:$a: NanoCore 0x3a21:$a: NanoCore 0x3a74:$a: NanoCore 0x3aad:$a: NanoCore 0x3b20:$a: NanoCore 0x569b:$a: NanoCore 0x619f:$a: NanoCore 0x61bf:$a: NanoCore 0x61ff:$a: NanoCore 0x6237:$a: NanoCore 0x6257:$a: NanoCore 0x794c:$a: NanoCore 0x79b5:$a: NanoCore 0x7b18:$a: NanoCore 0x9c01:$a: NanoCore 0x9ca2:$a: NanoCore 0x9d0f:$a: NanoCore 0x9dd0:$a: NanoCore
Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 6460	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x18509:$x1: NanoCore.ClientPluginHost 0x1e0c8:$x1: NanoCore.ClientPluginHost 0x2f4a1:$x1: NanoCore.ClientPluginHost 0x3f021:$x1: NanoCore.ClientPluginHost 0x5e47c:$x1: NanoCore.ClientPluginHost 0x84989:$x1: NanoCore.ClientPluginHost 0x1852f:$x2: IClientNetworkHost 0x1e10d:$x2: IClientNetworkHost 0x2f4e6:$x2: IClientNetworkHost 0x3f047:$x2: IClientNetworkHost 0x5e4dd:$x2: IClientNetworkHost 0x849af:$x2: IClientNetworkHost 0x638e2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x71854:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 6460	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 6460	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x183fb:$a: NanoCore 0x1849c:$a: NanoCore 0x18509:$a: NanoCore 0x185ca:$a: NanoCore 0x1949b:$a: NanoCore 0x194ee:$a: NanoCore 0x19527:$a: NanoCore 0x1959a:$a: NanoCore 0x1e042:$a: NanoCore 0x1e06f:$a: NanoCore 0x1e0c8:$a: NanoCore 0x258d7:$a: NanoCore 0x258ea:$a: NanoCore 0x2591c:$a: NanoCore 0x2f41b:$a: NanoCore 0x2f448:$a: NanoCore 0x2f4a1:$a: NanoCore 0x36cb0:$a: NanoCore 0x36cc3:$a: NanoCore 0x36cf5:$a: NanoCore 0x3cd2d:$a: NanoCore
Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 6200	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 6296	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 6720	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: dhcpmon.exe PID: 6468	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf125:$x1: NanoCore.ClientPluginHost 0x53d07:$x1: NanoCore.ClientPluginHost 0x598c6:$x1: NanoCore.ClientPluginHost 0x6acc5:$x1: NanoCore.ClientPluginHost 0x917ff:$x1: NanoCore.ClientPluginHost 0xa3f3f:$x1: NanoCore.ClientPluginHost 0xf14b:$x2: IClientNetworkHost 0x53d2d:$x2: IClientNetworkHost 0x5990b:$x2: IClientNetworkHost 0x6ad0a:$x2: IClientNetworkHost 0x91825:$x2: IClientNetworkHost 0xa3fa0:$x2: IClientNetworkHost 0xa93a5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xb7317:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: dhcpmon.exe PID: 6468	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: dhcpmon.exe PID: 6468	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xce35:$a: NanoCore 0xce9e:$a: NanoCore 0xcfeb:$a: NanoCore 0xf017:$a: NanoCore 0xf0b8:$a: NanoCore 0xf125:$a: NanoCore 0xf1e6:$a: NanoCore 0x100b7:$a: NanoCore 0x1010a:$a: NanoCore 0x10143:$a: NanoCore 0x101b6:$a: NanoCore 0x53bf9:$a: NanoCore 0x53c9a:$a: NanoCore 0x53d07:$a: NanoCore 0x53dc8:$a: NanoCore 0x54c99:$a: NanoCore 0x54cec:$a: NanoCore 0x54d25:$a: NanoCore 0x54d98:$a: NanoCore 0x59840:$a: NanoCore 0x5986d:$a: NanoCore
Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 5900	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 52 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
12.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
12.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.2.dhcpmon.exe.3c430dd.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x241a0:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241cd:$x2: IClientNetworkHost
12.2.dhcpmon.exe.3c430dd.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x241a0:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2527b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241ba:$s5: IClientLoggingHost
12.2.dhcpmon.exe.3c430dd.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.dhcpmon.exe.44430dd.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x241a0:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241cd:$x2: IClientNetworkHost
20.2.dhcpmon.exe.44430dd.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x241a0:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2527b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241ba:$s5: IClientLoggingHost
20.2.dhcpmon.exe.44430dd.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
12.2.dhcpmon.exe.3c39c7e.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5ff:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d62c:$x2: IClientNetworkHost
12.2.dhcpmon.exe.3c39c7e.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5ff:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6da:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d619:$s5: IClientLoggingHost
12.2.dhcpmon.exe.3c39c7e.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.dhcpmon.exe.3c39c7e.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d5b5:$a: NanoCore 0x2d5ca:$a: NanoCore 0x2d5ff:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d371:$b: ClientPlugin 0x2d38c:$b: ClientPlugin
11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f430dd.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x241a0:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241cd:$x2: IClientNetworkHost
11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f430dd.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x241a0:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x2527b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x241ba:$s5: IClientLoggingHost
11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f430dd.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.e92b274943f4a3a557881ee0dd57772d.exe.4260830.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.e92b274943f4a3a557881ee0dd57772d.exe.4260830.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
9.2.e92b274943f4a3a557881ee0dd57772d.exe.4260830.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.e92b274943f4a3a557881ee0dd57772d.exe.4260830.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
12.2.dhcpmon.exe.2c13ac8.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.dhcpmon.exe.2c13ac8.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
10.2.dhcpmon.exe.4660830.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.dhcpmon.exe.4660830.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
10.2.dhcpmon.exe.4660830.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.dhcpmon.exe.4660830.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
20.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.dhcpmon.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
20.2.dhcpmon.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.dhcpmon.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
2.2.e92b274943f4a3a557881ee0dd57772d.exe.2ad1338.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
2.2.e92b274943f4a3a557881ee0dd57772d.exe.2ad1338.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
9.2.e92b274943f4a3a557881ee0dd57772d.exe.2fc3ed0.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
10.2.dhcpmon.exe.4660830.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.dhcpmon.exe.4660830.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
10.2.dhcpmon.exe.4660830.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.dhcpmon.exe.4660830.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
20.2.dhcpmon.exe.443eab4.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287c9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287f6:$x2: IClientNetworkHost
20.2.dhcpmon.exe.443eab4.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287c9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x298a4:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287e3:$s5: IClientLoggingHost
20.2.dhcpmon.exe.443eab4.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.e92b274943f4a3a557881ee0dd57772d.exe.2f13acc.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
11.2.e92b274943f4a3a557881ee0dd57772d.exe.2f13acc.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0.2.e92b274943f4a3a557881ee0dd57772d.exe.3d04760.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x15c25d:$x1: NanoCore.ClientPluginHost 0x18ec7d:$x1: NanoCore.ClientPluginHost 0x15c29a:$x2: IClientNetworkHost 0x18ecba:$x2: IClientNetworkHost 0x15fdcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1927ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.e92b274943f4a3a557881ee0dd57772d.exe.3d04760.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.e92b274943f4a3a557881ee0dd57772d.exe.3d04760.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x15bfc5:$a: NanoCore 0x15bfd5:$a: NanoCore 0x15c209:$a: NanoCore 0x15c21d:$a: NanoCore 0x15c25d:$a: NanoCore 0x18e9e5:$a: NanoCore 0x18e9f5:$a: NanoCore 0x18ec29:$a: NanoCore 0x18ec3d:$a: NanoCore 0x18ec7d:$a: NanoCore 0x15c024:$b: ClientPlugin 0x15c226:$b: ClientPlugin 0x15c266:$b: ClientPlugin 0x18ea44:$b: ClientPlugin 0x18ec46:$b: ClientPlugin 0x18ec86:$b: ClientPlugin 0x1ce3a:$c: ProjectData 0x76c5a:$c: ProjectData 0x15c14b:$c: ProjectData 0x18eb6b:$c: ProjectData 0x15cb52:$d: DESCrypto
0.2.e92b274943f4a3a557881ee0dd57772d.exe.3e50830.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.e92b274943f4a3a557881ee0dd57772d.exe.3e50830.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
0.2.e92b274943f4a3a557881ee0dd57772d.exe.3e50830.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.e92b274943f4a3a557881ee0dd57772d.exe.3e50830.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
9.2.e92b274943f4a3a557881ee0dd57772d.exe.4114760.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x15c25d:$x1: NanoCore.ClientPluginHost 0x18ec7d:$x1: NanoCore.ClientPluginHost 0x15c29a:$x2: IClientNetworkHost 0x18ecba:$x2: IClientNetworkHost 0x15fdcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1927ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.e92b274943f4a3a557881ee0dd57772d.exe.4114760.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.e92b274943f4a3a557881ee0dd57772d.exe.4114760.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x15bfc5:$a: NanoCore 0x15bfd5:$a: NanoCore 0x15c209:$a: NanoCore 0x15c21d:$a: NanoCore 0x15c25d:$a: NanoCore 0x18e9e5:$a: NanoCore 0x18e9f5:$a: NanoCore 0x18ec29:$a: NanoCore 0x18ec3d:$a: NanoCore 0x18ec7d:$a: NanoCore 0x15c024:$b: ClientPlugin 0x15c226:$b: ClientPlugin 0x15c266:$b: ClientPlugin 0x18ea44:$b: ClientPlugin 0x18ec46:$b: ClientPlugin 0x18ec86:$b: ClientPlugin 0x1ce3a:$c: ProjectData 0x76c5a:$c: ProjectData 0x15c14b:$c: ProjectData 0x18eb6b:$c: ProjectData 0x15cb52:$d: DESCrypto
11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f3eab4.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f3eab4.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f3eab4.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.e92b274943f4a3a557881ee0dd57772d.exe.2f01794.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
11.2.e92b274943f4a3a557881ee0dd57772d.exe.2f01794.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
16.2.dhcpmon.exe.3bbe580.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10243d:$x1: NanoCore.ClientPluginHost 0x134e5d:$x1: NanoCore.ClientPluginHost 0x10247a:$x2: IClientNetworkHost 0x134e9a:$x2: IClientNetworkHost 0x105fad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1389cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.dhcpmon.exe.3bbe580.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.3bbe580.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1021a5:$a: NanoCore 0x1021b5:$a: NanoCore 0x1023e9:$a: NanoCore 0x1023fd:$a: NanoCore 0x10243d:$a: NanoCore 0x134bc5:$a: NanoCore 0x134bd5:$a: NanoCore 0x134e09:$a: NanoCore 0x134e1d:$a: NanoCore 0x134e5d:$a: NanoCore 0x102204:$b: ClientPlugin 0x102406:$b: ClientPlugin 0x102446:$b: ClientPlugin 0x134c24:$b: ClientPlugin 0x134e26:$b: ClientPlugin 0x134e66:$b: ClientPlugin 0x1ce3a:$c: ProjectData 0x10232b:$c: ProjectData 0x134d4b:$c: ProjectData 0x102d32:$d: DESCrypto 0x135752:$d: DESCrypto
16.2.dhcpmon.exe.3b64760.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x15c25d:$x1: NanoCore.ClientPluginHost 0x18ec7d:$x1: NanoCore.ClientPluginHost 0x15c29a:$x2: IClientNetworkHost 0x18ecba:$x2: IClientNetworkHost 0x15fdcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1927ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.dhcpmon.exe.3b64760.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.3b64760.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x15bfc5:$a: NanoCore 0x15bfd5:$a: NanoCore 0x15c209:$a: NanoCore 0x15c21d:$a: NanoCore 0x15c25d:$a: NanoCore 0x18e9e5:$a: NanoCore 0x18e9f5:$a: NanoCore 0x18ec29:$a: NanoCore 0x18ec3d:$a: NanoCore 0x18ec7d:$a: NanoCore 0x15c024:$b: ClientPlugin 0x15c226:$b: ClientPlugin 0x15c266:$b: ClientPlugin 0x18ea44:$b: ClientPlugin 0x18ec46:$b: ClientPlugin 0x18ec86:$b: ClientPlugin 0x1ce3a:$c: ProjectData 0x76c5a:$c: ProjectData 0x15c14b:$c: ProjectData 0x18eb6b:$c: ProjectData 0x15cb52:$d: DESCrypto
0.2.e92b274943f4a3a557881ee0dd57772d.exe.3d5e580.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10243d:$x1: NanoCore.ClientPluginHost 0x134e5d:$x1: NanoCore.ClientPluginHost 0x10247a:$x2: IClientNetworkHost 0x134e9a:$x2: IClientNetworkHost 0x105fad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1389cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.e92b274943f4a3a557881ee0dd57772d.exe.3d5e580.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.e92b274943f4a3a557881ee0dd57772d.exe.3d5e580.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1021a5:$a: NanoCore 0x1021b5:$a: NanoCore 0x1023e9:$a: NanoCore 0x1023fd:$a: NanoCore 0x10243d:$a: NanoCore 0x134bc5:$a: NanoCore 0x134bd5:$a: NanoCore 0x134e09:$a: NanoCore 0x134e1d:$a: NanoCore 0x134e5d:$a: NanoCore 0x102204:$b: ClientPlugin 0x102406:$b: ClientPlugin 0x102446:$b: ClientPlugin 0x134c24:$b: ClientPlugin 0x134e26:$b: ClientPlugin 0x134e66:$b: ClientPlugin 0x1ce3a:$c: ProjectData 0x10232b:$c: ProjectData 0x134d4b:$c: ProjectData 0x102d32:$d: DESCrypto 0x135752:$d: DESCrypto
10.2.dhcpmon.exe.33c3ed0.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
9.2.e92b274943f4a3a557881ee0dd57772d.exe.4260830.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.e92b274943f4a3a557881ee0dd57772d.exe.4260830.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
9.2.e92b274943f4a3a557881ee0dd57772d.exe.4260830.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.e92b274943f4a3a557881ee0dd57772d.exe.4260830.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
16.2.dhcpmon.exe.3cb0830.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.dhcpmon.exe.3cb0830.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
16.2.dhcpmon.exe.3cb0830.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.3cb0830.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.e92b274943f4a3a557881ee0dd57772d.exe.3e50830.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.e92b274943f4a3a557881ee0dd57772d.exe.3e50830.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.e92b274943f4a3a557881ee0dd57772d.exe.3e50830.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.e92b274943f4a3a557881ee0dd57772d.exe.3e50830.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
16.2.dhcpmon.exe.2a141d0.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f39c7e.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5ff:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d62c:$x2: IClientNetworkHost
11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f39c7e.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5ff:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6da:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d619:$s5: IClientLoggingHost
11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f39c7e.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f39c7e.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d5b5:$a: NanoCore 0x2d5ca:$a: NanoCore 0x2d5ff:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d371:$b: ClientPlugin 0x2d38c:$b: ClientPlugin
12.2.dhcpmon.exe.3c3eab4.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287c9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287f6:$x2: IClientNetworkHost
12.2.dhcpmon.exe.3c3eab4.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287c9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x298a4:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287e3:$s5: IClientLoggingHost
12.2.dhcpmon.exe.3c3eab4.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.dhcpmon.exe.443eab4.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
20.2.dhcpmon.exe.443eab4.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
20.2.dhcpmon.exe.443eab4.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.3cb0830.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
16.2.dhcpmon.exe.3cb0830.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
16.2.dhcpmon.exe.3cb0830.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
16.2.dhcpmon.exe.3cb0830.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
10.2.dhcpmon.exe.4514760.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x15c25d:$x1: NanoCore.ClientPluginHost 0x18ec7d:$x1: NanoCore.ClientPluginHost 0x15c29a:$x2: IClientNetworkHost 0x18ecba:$x2: IClientNetworkHost 0x15fdcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1927ed:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.dhcpmon.exe.4514760.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.dhcpmon.exe.4514760.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x15bfc5:$a: NanoCore 0x15bfd5:$a: NanoCore 0x15c209:$a: NanoCore 0x15c21d:$a: NanoCore 0x15c25d:$a: NanoCore 0x18e9e5:$a: NanoCore 0x18e9f5:$a: NanoCore 0x18ec29:$a: NanoCore 0x18ec3d:$a: NanoCore 0x18ec7d:$a: NanoCore 0x15c024:$b: ClientPlugin 0x15c226:$b: ClientPlugin 0x15c266:$b: ClientPlugin 0x18ea44:$b: ClientPlugin 0x18ec46:$b: ClientPlugin 0x18ec86:$b: ClientPlugin 0x1ce3a:$c: ProjectData 0x76c5a:$c: ProjectData 0x15c14b:$c: ProjectData 0x18eb6b:$c: ProjectData 0x15cb52:$d: DESCrypto
20.2.dhcpmon.exe.4439c7e.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5ff:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d62c:$x2: IClientNetworkHost
20.2.dhcpmon.exe.4439c7e.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5ff:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6da:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d619:$s5: IClientLoggingHost
20.2.dhcpmon.exe.4439c7e.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.dhcpmon.exe.4439c7e.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d5b5:$a: NanoCore 0x2d5ca:$a: NanoCore 0x2d5ff:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d371:$b: ClientPlugin 0x2d38c:$b: ClientPlugin
20.2.dhcpmon.exe.3413ac8.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
20.2.dhcpmon.exe.3413ac8.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
20.2.dhcpmon.exe.34017ac.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
20.2.dhcpmon.exe.34017ac.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f3eab4.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287c9:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287f6:$x2: IClientNetworkHost
11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f3eab4.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287c9:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x298a4:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287e3:$s5: IClientLoggingHost
11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f3eab4.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.dhcpmon.exe.2c017ac.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.dhcpmon.exe.2c017ac.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
12.2.dhcpmon.exe.3c3eab4.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.dhcpmon.exe.3c3eab4.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.dhcpmon.exe.3c3eab4.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.e92b274943f4a3a557881ee0dd57772d.exe.2bb41d0.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
9.2.e92b274943f4a3a557881ee0dd57772d.exe.416e580.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10243d:$x1: NanoCore.ClientPluginHost 0x134e5d:$x1: NanoCore.ClientPluginHost 0x10247a:$x2: IClientNetworkHost 0x134e9a:$x2: IClientNetworkHost 0x105fad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1389cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
9.2.e92b274943f4a3a557881ee0dd57772d.exe.416e580.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
9.2.e92b274943f4a3a557881ee0dd57772d.exe.416e580.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1021a5:$a: NanoCore 0x1021b5:$a: NanoCore 0x1023e9:$a: NanoCore 0x1023fd:$a: NanoCore 0x10243d:$a: NanoCore 0x134bc5:$a: NanoCore 0x134bd5:$a: NanoCore 0x134e09:$a: NanoCore 0x134e1d:$a: NanoCore 0x134e5d:$a: NanoCore 0x102204:$b: ClientPlugin 0x102406:$b: ClientPlugin 0x102446:$b: ClientPlugin 0x134c24:$b: ClientPlugin 0x134e26:$b: ClientPlugin 0x134e66:$b: ClientPlugin 0x1ce3a:$c: ProjectData 0x10232b:$c: ProjectData 0x134d4b:$c: ProjectData 0x102d32:$d: DESCrypto 0x135752:$d: DESCrypto
10.2.dhcpmon.exe.456e580.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10243d:$x1: NanoCore.ClientPluginHost 0x134e5d:$x1: NanoCore.ClientPluginHost 0x10247a:$x2: IClientNetworkHost 0x134e9a:$x2: IClientNetworkHost 0x105fad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1389cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.dhcpmon.exe.456e580.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.dhcpmon.exe.456e580.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1021a5:$a: NanoCore 0x1021b5:$a: NanoCore 0x1023e9:$a: NanoCore 0x1023fd:$a: NanoCore 0x10243d:$a: NanoCore 0x134bc5:$a: NanoCore 0x134bd5:$a: NanoCore 0x134e09:$a: NanoCore 0x134e1d:$a: NanoCore 0x134e5d:$a: NanoCore 0x102204:$b: ClientPlugin 0x102406:$b: ClientPlugin 0x102446:$b: ClientPlugin 0x134c24:$b: ClientPlugin 0x134e26:$b: ClientPlugin 0x134e66:$b: ClientPlugin 0x1ce3a:$c: ProjectData 0x10232b:$c: ProjectData 0x134d4b:$c: ProjectData 0x102d32:$d: DESCrypto 0x135752:$d: DESCrypto
Click to see the 124 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe, ProcessId: 6108, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22EF.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22EF.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe, ParentImage: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe, ParentProcessId: 6108, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp22EF.tmp', ProcessId: 2336

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000C.00000002.289384974.0000000003BF1000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "94----", "Group": "V-HASH", "Domain1": "cloudhost.myfirewall.org", "Domain2": "cloudhost.myfirewall.org", "Port": 5654, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "cloudhost.myfirewall.org", "BackupDNSServer": "cloudhost.myfirewall.org", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

ReversingLabs: Detection: 10%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000000C.00000002.289277143.0000000002BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.310042790.00000000033F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.289384974.0000000003BF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.499071538.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.290065986.0000000003EF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.289889933.0000000002EF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.287315536.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.304832264.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.293020224.0000000003A01000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.252610124.0000000003BA1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.310443660.00000000043F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.276093432.00000000043B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.287530922.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.275575320.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 6108, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 7024, type: MEMORY
Source: Yara match	File source: Process Memory Space: e92b274943f4a3a557881ee0dd57772d.exe PID: 6460, type: MEMORY
Source: Yara match	File source: Process Memory Space: dhcpmon.exe PID: 6468, type: MEMORY
Source: Yara match	File source: 12.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.3c430dd.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.44430dd.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.3c39c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f430dd.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.4260830.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.dhcpmon.exe.4660830.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.dhcpmon.exe.4660830.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.443eab4.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3d04760.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3e50830.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.4114760.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f3eab4.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.3bbe580.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.3b64760.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3d5e580.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.4260830.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.3cb0830.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.e92b274943f4a3a557881ee0dd57772d.exe.3e50830.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f39c7e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.3c3eab4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.443eab4.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.dhcpmon.exe.3cb0830.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.dhcpmon.exe.4514760.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.dhcpmon.exe.4439c7e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.3f3eab4.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.dhcpmon.exe.3c3eab4.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.e92b274943f4a3a557881ee0dd57772d.exe.416e580.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.dhcpmon.exe.456e580.2.raw.unpack, type: UNPACKEDPE

Source: 20.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 12.2.dhcpmon.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 11.2.e92b274943f4a3a557881ee0dd57772d.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Show sources

Source: e92b274943f4a3a557881ee0dd57772d.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Uses new MSVCR Dlls

Show sources

Source: C:\Users\user\Desktop\e92b274943f4a3a557881ee0dd57772d.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: e92b274943f4a3a557881ee0dd57772d.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: e92b274943f4a3a557881ee0dd57772d.exe, 00000002.00000002.500217236.0000000000955000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: e92b274943f4a3a557881ee0dd57772d.exe, 00000000.00000002.257690003.0000000006680000.00000002.00000001.sdmp, e92b274943f4a3a557881ee0dd57772d.exe, 00000009.00000002.279859695.00000000066E0000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.281624150.0000000006B30000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.296987366.00000000077D0000.00000002.00000001.sdmp

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report e92b274943f4a3a557881ee0dd57772d.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities: