
Analysis Report TdX45jQWjj.exe

Overview

General Information

Sample Name:TdX45jQWjj.exe
Analysis ID:356818
MD5:f261164b55c3be5c3c86150ff2a7cc27
SHA1:634a546e3841af29b068c7c6535206695eb704d0
SHA256:b40e22d33523ae869ba4a9a9159d37d61ec056fc14dc3db7406d79620b801816
Tags: exe, NanoCore, RAT

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • TdX45jQWjj.exe (PID: 6960 cmdline: 'C:\Users\user\Desktop\TdX45jQWjj.exe' MD5: F261164B55C3BE5C3C86150FF2A7CC27)
    • schtasks.exe (PID: 6004 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 3012 cmdline: {path} MD5: 71369277D09DA0830C8C59F9E22BB23A)
      • schtasks.exe (PID: 6936 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpDEF3.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6668 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpE1E2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RegSvcs.exe (PID: 6716 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 6808 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • dhcpmon.exe (PID: 3028 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 71369277D09DA0830C8C59F9E22BB23A)
    • conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xc136d:$x1: NanoCore.ClientPluginHost
  • 0xc13aa:$x2: IClientNetworkHost
  • 0xc4edd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xc10d5:$a: NanoCore
  • 0xc10e5:$a: NanoCore
  • 0xc1319:$a: NanoCore
  • 0xc132d:$a: NanoCore
  • 0xc136d:$a: NanoCore
  • 0xc1134:$b: ClientPlugin
  • 0xc1336:$b: ClientPlugin
  • 0xc1376:$b: ClientPlugin
  • 0xc125b:$c: ProjectData
  • 0xc1c62:$d: DESCrypto
  • 0xc962e:$e: KeepAlive
  • 0xc761c:$g: LogClientMessage
  • 0xc3817:$i: get_Connected
  • 0xc1f98:$j: #=q
  • 0xc1fc8:$j: #=q
  • 0xc1fe4:$j: #=q
  • 0xc2014:$j: #=q
  • 0xc2030:$j: #=q
  • 0xc204c:$j: #=q
  • 0xc207c:$j: #=q
  • 0xc2098:$j: #=q
00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x251a25:$x1: NanoCore.ClientPluginHost
  • 0x251a62:$x2: IClientNetworkHost
  • 0x255595:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.RegSvcs.exe.2ef16fc.1.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x40c2:$x1: NanoCore.ClientPluginHost
8.2.RegSvcs.exe.2ef16fc.1.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x40c2:$x2: NanoCore.ClientPluginHost
  • 0x41a0:$s4: PipeCreated
  • 0x40dc:$s5: IClientLoggingHost
8.2.RegSvcs.exe.3f2ec9e.5.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x4083:$x1: NanoCore.ClientPluginHost
8.2.RegSvcs.exe.3f2ec9e.5.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0x4083:$x2: NanoCore.ClientPluginHost
  • 0x4161:$s4: PipeCreated
  • 0x409d:$s5: IClientLoggingHost
8.2.RegSvcs.exe.5b90000.9.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1646:$x1: NanoCore.ClientPluginHost

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe, ProcessId: 3012, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\TdX45jQWjj.exe', ParentImage: C:\Users\user\Desktop\TdX45jQWjj.exe, ParentProcessId: 6960, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\RTOqzQABo' /XML 'C:\Users\user\AppData\Local\Temp\tmp84A9.tmp', ProcessId: 6004

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: strongodss.ddns.net | Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\RTOqzQABo.exe | ReversingLabs: Detection: 18%
Multi AV Scanner detection for submitted file
Source: TdX45jQWjj.exe | ReversingLabs: Detection: 18%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.600580275.0000000003F27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3012, type: MEMORY
Source: Yara match | File source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY
Source: Yara match | File source: 8.2.RegSvcs.exe.5ba0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TdX45jQWjj.exe.4492898.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TdX45jQWjj.exe.43917e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.3f39511.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TdX45jQWjj.exe.4492898.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.5ba0000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TdX45jQWjj.exe.46e55c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.5ba4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.3f39511.4.unpack, type: UNPACKEDPE
Source: 8.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 8.2.RegSvcs.exe.5ba0000.11.unpack | Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files
Source: TdX45jQWjj.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\TdX45jQWjj.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: TdX45jQWjj.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.pdb source: RegSvcs.exe, 00000008.00000002.596585124.00000000011C5000.00000004.00000040.sdmp
Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\NanoProtectPlugin\NanoProtectClient\obj\Debug\NanoProtectClient.pdb source: RegSvcs.exe, 00000008.00000002.598166054.0000000002EE1000.00000004.00000001.sdmp
Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: RegSvcs.exe, 0000000E.00000002.406605593.0000000004A70000.00000002.00000001.sdmp, dhcpmon.exe, 00000012.00000002.414673187.0000000005020000.00000002.00000001.sdmp
Source: Binary string: indows\RegSvcs.pdbpdbvcs.pdb source: RegSvcs.exe, 00000008.00000002.596585124.00000000011C5000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\exe\RegSvcs.pdb source: RegSvcs.exe, 00000008.00000002.596585124.00000000011C5000.00000004.00000040.sdmp
Source: Binary string: RegSvcs.pdb source: dhcpmon.exe, dhcpmon.exe.8.dr
Source: Binary string: mscorrc.pdb source: TdX45jQWjj.exe, 00000000.00000002.406858007.0000000008610000.00000002.00000001.sdmp, RegSvcs.exe, 00000008.00000002.602087565.00000000058A0000.00000002.00000001.sdmp, RegSvcs.exe, 0000000E.00000002.407150676.0000000004B20000.00000002.00000001.sdmp, dhcpmon.exe, 00000010.00000002.407442223.00000000050F0000.00000002.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 4x nop then mov esp, ebp | 8_2_050A891F

Networking:

Connects to many ports of the same IP (likely port scanning)
Source: global traffic | TCP traffic: 79.134.225.43 ports 0,1,3,58103,5,8
Source: global traffic | TCP traffic: 87.237.165.78 ports 0,1,3,58103,5,8
Uses dynamic DNS services
Source: unknown | DNS query: name: strongodss.ddns.net
Source: global traffic | TCP traffic: 192.168.2.6:49728 -> 87.237.165.78:58103
Source: global traffic | TCP traffic: 192.168.2.6:49733 -> 79.134.225.43:58103
Source: Joe Sandbox View | ASN Name: FINK-TELECOM-SERVICESCH FINK-TELECOM-SERVICESCH
Source: unknown | TCP traffic detected without corresponding DNS query: 79.134.225.43
Source: unknown | DNS traffic detected: queries for: strongodss.ddns.net
Source: TdX45jQWjj.exe | String found in binary or memory: http://code.google.com/feeds/p/topicalmemorysystem/downloads/basic.xml
Source: TdX45jQWjj.exe | String found in binary or memory: http://code.google.com/p/topicalmemorysystem/
Source: TdX45jQWjj.exe, 00000000.00000003.330218742.000000000559D000.00000004.00000001.sdmp, TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: TdX45jQWjj.exe | String found in binary or memory: http://topicalmemorysystem.googlecode.com/files/
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: TdX45jQWjj.exe | String found in binary or memory: http://www.biblegateway.com/passage/?search=
Source: TdX45jQWjj.exe | String found in binary or memory: http://www.biblija.net/biblija.cgi?m=
Source: TdX45jQWjj.exe | String found in binary or memory: http://www.blueletterbible.org/Bible.cfm?b=
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: TdX45jQWjj.exe | String found in binary or memory: http://www.esvstudybible.org/search?q=
Source: TdX45jQWjj.exe | String found in binary or memory: http://www.esvstudybible.org/search?q=Whttp://www.blueletterbible.org/Bible.cfm?b=
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com.TTF
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: TdX45jQWjj.exe, 00000000.00000003.337840613.000000000557F000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/f
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comC
Source: TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comH
Source: TdX45jQWjj.exe, 00000000.00000002.395767153.0000000005560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comalsF
Source: TdX45jQWjj.exe, 00000000.00000002.395767153.0000000005560000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comldco
Source: TdX45jQWjj.exe, 00000000.00000003.341606484.0000000005566000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comsiefd
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: TdX45jQWjj.exe, 00000000.00000003.329977481.000000000559D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comW
Source: TdX45jQWjj.exe, 00000000.00000003.333029459.0000000005566000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.c
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: TdX45jQWjj.exe, 00000000.00000003.331982815.0000000005563000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn4
Source: TdX45jQWjj.exe, 00000000.00000003.332432427.0000000005571000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnW
Source: TdX45jQWjj.exe, 00000000.00000003.332121914.0000000005563000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cna-d
Source: TdX45jQWjj.exe, 00000000.00000003.332432427.0000000005571000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnf
Source: TdX45jQWjj.exe, 00000000.00000003.332121914.0000000005563000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnr-t
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp, TdX45jQWjj.exe, 00000000.00000003.335447637.0000000005566000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: TdX45jQWjj.exe, 00000000.00000003.335242026.0000000005566000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/C
Source: TdX45jQWjj.exe, 00000000.00000003.335242026.0000000005566000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: TdX45jQWjj.exe, 00000000.00000003.335242026.0000000005566000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp, TdX45jQWjj.exe, 00000000.00000003.329212871.000000000166D000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: TdX45jQWjj.exe, 00000000.00000003.329212871.000000000166D000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com.
Source: TdX45jQWjj.exe, 00000000.00000003.329212871.000000000166D000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comn-u
Source: TdX45jQWjj.exe, 00000000.00000003.329212871.000000000166D000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comt-b
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: TdX45jQWjj.exe, 00000000.00000003.335896168.0000000005572000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com8
Source: TdX45jQWjj.exe, 00000000.00000003.336154433.0000000005572000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.comX
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: TdX45jQWjj.exe, 00000000.00000003.334600510.000000000557B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com0
Source: TdX45jQWjj.exe, 00000000.00000003.332995890.000000000556B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com6
Source: TdX45jQWjj.exe, 00000000.00000003.334600510.000000000557B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comicx
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: TdX45jQWjj.exe, 00000000.00000003.342496493.000000000557F000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de
Source: TdX45jQWjj.exe, 00000000.00000003.342118309.000000000557F000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.de&
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: TdX45jQWjj.exe, 00000000.00000003.342496493.000000000557F000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deF0
Source: TdX45jQWjj.exe, 00000000.00000003.337611054.000000000557F000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deas
Source: TdX45jQWjj.exe, 00000000.00000003.337507075.000000000557F000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deq
Source: TdX45jQWjj.exe, 00000000.00000002.405149050.0000000006822000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: TdX45jQWjj.exe, 00000000.00000002.389051570.0000000001170000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: RegSvcs.exe, 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.600580275.0000000003F27000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 3012, type: MEMORY
Source: Yara match | File source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY
Source: Yara match | File source: 8.2.RegSvcs.exe.5ba0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TdX45jQWjj.exe.4492898.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TdX45jQWjj.exe.43917e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.3f39511.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TdX45jQWjj.exe.4492898.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.5ba0000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TdX45jQWjj.exe.46e55c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.5ba4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.3f39511.4.unpack, type: UNPACKEDPE

Operating System Destruction:

Protects its processes via BreakOnTermination flag
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Process information set: 01 00 00 00

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.602153062.0000000005900000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.602225959.0000000005B90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000008.00000002.600580275.0000000003F27000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 3012, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 3012, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.2ef16fc.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 8.2.RegSvcs.exe.3f2ec9e.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 8.2.RegSvcs.exe.5b90000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 8.2.RegSvcs.exe.5ba0000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.TdX45jQWjj.exe.4492898.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.TdX45jQWjj.exe.4492898.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.TdX45jQWjj.exe.43917e8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.TdX45jQWjj.exe.43917e8.2.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 8.2.RegSvcs.exe.3f2ec9e.5.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.3f39511.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.TdX45jQWjj.exe.4492898.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.TdX45jQWjj.exe.4492898.1.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.5ba0000.11.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.TdX45jQWjj.exe.46e55c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.TdX45jQWjj.exe.46e55c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 8.2.RegSvcs.exe.5ba4629.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
      Source: 8.2.RegSvcs.exe.5900000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.RegSvcs.exe.3f39511.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.RegSvcs.exe.2ef16fc.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 8.2.RegSvcs.exe.2ef6578.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_051D1836 NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_051D1572 NtSetInformationProcess
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_051D1541 NtSetInformationProcess
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_051D17FB NtQuerySystemInformation
Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_015DA150
Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_015D38C0
Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_015DA140
Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_015D45F8
Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_015D483F
Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_015D38B0
Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_015D6307
Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_015D4608
Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_06D47484
Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_06D407C4
Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_015D029F
Source: C:\Users\user\Desktop\TdX45jQWjj.exe | Code function: 0_2_015D02B0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_011E7ABE
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_050A3850
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_050AB748
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_050A2FA8
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_050A23A0
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_050A9A78
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_050A8E78
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_050A306F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_050AA320
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_050A9B3F
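The Yara rows above are keyed by memory dump or unpacked PE and the code-function rows by process and address, which makes them tedious to read by hand across two processes. The following is an added example, not Joe Sandbox's code or anything from the sample: a small Python parser for these rows plus a per-process summary that collects rule names, regions mapped writable and executable, and direct Nt* native calls. It assumes the dump-file naming layout `<process index>.<dump index>.<id>.<base address>.<page protection>.<type>.sdmp` and the unpack naming `<process index>.<state>.<image>.<address>.<n>[.raw].unpack`, both inferred from the names shown here rather than documented on this page; the page-protection values are Win32's (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE). The sample rows are constructed from this report, two of them left in the fused form the text extraction produced, which the parser accepts as well.

```python
"""Parse Joe Sandbox-style finding rows and summarise them per process (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Win32 page-protection values (MEMORY_BASIC_INFORMATION.Protect).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40

# Assumed dump-name layout: <process index>.<dump index>.<id>.<base address>.<page protection>.<type>.sdmp
DUMP_RE = re.compile(
    r"^(?P<proc>\d{8})\.(?P<dump>\d{8})\.(?P<id>\d+)\.(?P<base>[0-9A-Fa-f]{16})"
    r"\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)
# Assumed unpacked-PE layout: <process index>.<state>.<image>.<address>.<n>[.raw].unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<state>\d+)\.(?P<image>.+?\.exe)\.(?P<addr>[0-9A-Fa-f]+)\.\d+(?:\.raw)?\.unpack$"
)
PROCSPACE_RE = re.compile(r"^Process Memory Space:\s*(?P<image>\S+)\s+PID:\s*(?P<pid>\d+)$")
# Extracted text may have lost the "|" column separators ("MEMORYMatched rule: ..."); both forms parse.
YARA_RE = re.compile(
    r"^Source:\s*(?P<src>.+?),\s*type:\s*(?P<type>[A-Z]+)\s*\|?\s*Matched rule:\s*"
    r"(?P<rule>.+?)\s*\|?\s*Author:\s*(?P<author>.+?)\s*$"
)
# Code-function rows: "<proc>_<state>_<8 hex digits> Api1,Api2," optionally followed by the same id again.
CODE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*Code function:\s*(?P<proc>\d+)_(?P<state>\d+)_(?P<addr>[0-9A-Fa-f]{8})"
    r"\s*(?P<apis>[A-Za-z][A-Za-z0-9_,\s]*?)?\s*\|?\s*(?:(?P=proc)_(?P=state)_(?P=addr))?\s*$"
)


@dataclass
class Finding:
    kind: str                            # "yara" or "code"
    process_index: Optional[int] = None  # sandbox process index: 0 = submitted sample, 8 = RegSvcs.exe here
    image: Optional[str] = None
    pid: Optional[int] = None
    address: Optional[int] = None
    protection: Optional[int] = None
    rule: Optional[str] = None
    author: Optional[str] = None
    apis: list = field(default_factory=list)

    @property
    def rwx(self) -> bool:
        """True for a dumped region mapped PAGE_EXECUTE_READWRITE, i.e. writable code."""
        return self.protection == PAGE_EXECUTE_READWRITE


def _decode_source(src: str) -> dict:
    """Pull process index, image, PID, address and protection out of a Source cell."""
    if m := DUMP_RE.match(src):
        return {"process_index": int(m["proc"]), "address": int(m["base"], 16),
                "protection": int(m["prot"], 16)}
    if m := UNPACK_RE.match(src):
        return {"process_index": int(m["proc"]), "image": m["image"], "address": int(m["addr"], 16)}
    if m := PROCSPACE_RE.match(src):
        return {"image": m["image"], "pid": int(m["pid"])}
    return {}


def parse_line(line: str) -> Optional[Finding]:
    """Return a Finding for a Yara or code-function row, None for any other row."""
    line = line.strip()
    if m := YARA_RE.match(line):
        return Finding(kind="yara", rule=m["rule"], author=m["author"], **_decode_source(m["src"]))
    if m := CODE_RE.match(line):
        apis = [a.strip() for a in (m["apis"] or "").split(",") if a.strip()]
        return Finding(kind="code", process_index=int(m["proc"]), image=m["src"].rsplit("\\", 1)[-1],
                       address=int(m["addr"], 16), apis=apis)
    return None


def summarize(rows: str) -> dict:
    """Group findings per process: rule names, RWX regions, Nt* native calls, image names."""
    out = defaultdict(lambda: {"rules": set(), "rwx_regions": [], "native_apis": set(), "images": set()})
    for line in rows.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        key = f.process_index if f.process_index is not None else f"pid:{f.pid}"
        entry = out[key]
        if f.image:
            entry["images"].add(f.image)
        if f.kind == "yara":
            entry["rules"].add(f.rule)
            if f.rwx and f.address not in entry["rwx_regions"]:
                entry["rwx_regions"].append(f.address)
        else:
            # Watchlist choice for this example: only direct native (Nt*) calls are recorded.
            entry["native_apis"].update(a for a in f.apis if a.startswith("Nt"))
    return dict(out)


# Constructed sample: rows copied from this report, two left in the fused extraction form.
SAMPLE_ROWS = r"""
Source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000008.00000002.600580275.0000000003F27000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RegSvcs.exe PID: 3012, type: MEMORY | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.TdX45jQWjj.exe.4492898.1.unpack, type: UNPACKEDPE | Matched rule: Detects the Nanocore RAT | Author: Florian Roth
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | Code function: 8_2_051D1572 NtSetInformationProcess | 8_2_051D1572
Source: C:\Users\user\Desktop\TdX45jQWjj.exeCode function: 0_2_015DA1500_2_015DA150
"""
```

Run over the rows of this report, the summary for process index 8 (RegSvcs.exe, a .NET framework utility with no business containing NanoCore code) carries both rule families, a region at 0x402000 whose protection field is 00000040 (PAGE_EXECUTE_READWRITE), and the NtSetInformationProcess calls listed above, while process index 0 (the submitted sample) shows the same rules only in its heap dumps; that split is the fastest way to tell the dropper from the process that ends up hosting the payload.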
Source: TdX45jQWjj.exe, 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs TdX45jQWjj.exe
Source: TdX45jQWjj.exe, 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs TdX45jQWjj.exe
Source: TdX45jQWjj.exe, 00000000.00000002.405108942.00000000067C0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs TdX45jQWjj.exe
Source: TdX45jQWjj.exe, 00000000.00000002.407955141.0000000008C90000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs TdX45jQWjj.exe
Source: TdX45jQWjj.exe, 00000000.00000002.406858007.0000000008610000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs TdX45jQWjj.exe
Source: TdX45jQWjj.exe, 00000000.00000002.408876294.0000000008D80000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs TdX45jQWjj.exe
Source: TdX45jQWjj.exe, 00000000.00000002.408876294.0000000008D80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs TdX45jQWjj.exe
Source: TdX45jQWjj.exe | Binary or memory string: OriginalFilename vs TdX45jQWjj.exe
Source: TdX45jQWjj.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.395064094.00000000046E5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.394099052.0000000004251000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.602153062.0000000005900000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.602153062.0000000005900000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.595499721.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000008.00000002.602225959.0000000005B90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.602225959.0000000005B90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000008.00000002.602238562.0000000005BA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000008.00000002.600580275.0000000003F27000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RegSvcs.exe PID: 3012, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 3012, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: TdX45jQWjj.exe PID: 6960, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 8.2.RegSvcs.exe.2ef16fc.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.2ef16fc.1.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.3f2ec9e.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.3f2ec9e.5.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.5b90000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.5b90000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.5ba0000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.5ba0000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detects the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 8.2.RegSvcs.exe.3f33adb.3.raw.unpack, type: UNPACKEDPE | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malware