Play interactive tour

Edit tour

Analysis Report RFQ.exe

Overview

General Information

Sample Name:	RFQ.exe
Analysis ID:	358327
MD5:	6733e06c6be5ca14ffc33763202f53c8
SHA1:	9412d3147b30a873b94e2d0f495eafdea1479ee1
SHA256:	72f30e8884110e06b133ecabfdbf523aef8cc5533273aa3e12afee785a5a45bc
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM_3

Yara detected Nanocore RAT

.NET source code contains very large array initializations

Drops PE files to the startup folder

Hides that the sample has been downloaded from the Internet (zone.identifier)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Yara signature match

Classification

Startup

System is w10x64

RFQ.exe (PID: 6876 cmdline: 'C:\Users\user\Desktop\RFQ.exe' MD5: 6733E06C6BE5CA14FFC33763202F53C8)

cmd.exe (PID: 6032 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 1428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 6188 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)

enrnus.exe (PID: 2288 cmdline: 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe' MD5: 6733E06C6BE5CA14FFC33763202F53C8)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10b97:$x1: NanoCore.ClientPluginHost 0x43755:$x1: NanoCore.ClientPluginHost 0x10bd4:$x2: IClientNetworkHost 0x43792:$x2: IClientNetworkHost 0x14707:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x472c5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x108ff:$a: NanoCore 0x1090f:$a: NanoCore 0x10b43:$a: NanoCore 0x10b57:$a: NanoCore 0x10b97:$a: NanoCore 0x434bd:$a: NanoCore 0x434cd:$a: NanoCore 0x43701:$a: NanoCore 0x43715:$a: NanoCore 0x43755:$a: NanoCore 0x1095e:$b: ClientPlugin 0x10b60:$b: ClientPlugin 0x10ba0:$b: ClientPlugin 0x4351c:$b: ClientPlugin 0x4371e:$b: ClientPlugin 0x4375e:$b: ClientPlugin 0x10a85:$c: ProjectData 0x43643:$c: ProjectData 0x1148c:$d: DESCrypto 0x4404a:$d: DESCrypto 0x18e58:$e: KeepAlive
00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x43ca7:$x1: NanoCore.ClientPluginHost 0x76877:$x1: NanoCore.ClientPluginHost 0xa9437:$x1: NanoCore.ClientPluginHost 0x43ce4:$x2: IClientNetworkHost 0x768b4:$x2: IClientNetworkHost 0xa9474:$x2: IClientNetworkHost 0x47817:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7a3e7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xacfa7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x43a0f:$a: NanoCore 0x43a1f:$a: NanoCore 0x43c53:$a: NanoCore 0x43c67:$a: NanoCore 0x43ca7:$a: NanoCore 0x765df:$a: NanoCore 0x765ef:$a: NanoCore 0x76823:$a: NanoCore 0x76837:$a: NanoCore 0x76877:$a: NanoCore 0xa919f:$a: NanoCore 0xa91af:$a: NanoCore 0xa93e3:$a: NanoCore 0xa93f7:$a: NanoCore 0xa9437:$a: NanoCore 0x43a6e:$b: ClientPlugin 0x43c70:$b: ClientPlugin 0x43cb0:$b: ClientPlugin 0x7663e:$b: ClientPlugin 0x76840:$b: ClientPlugin 0x76880:$b: ClientPlugin
00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4339f:$x1: NanoCore.ClientPluginHost 0x75f6f:$x1: NanoCore.ClientPluginHost 0xa8b2f:$x1: NanoCore.ClientPluginHost 0x433dc:$x2: IClientNetworkHost 0x75fac:$x2: IClientNetworkHost 0xa8b6c:$x2: IClientNetworkHost 0x46f0f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x79adf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xac69f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x43107:$a: NanoCore 0x43117:$a: NanoCore 0x4334b:$a: NanoCore 0x4335f:$a: NanoCore 0x4339f:$a: NanoCore 0x75cd7:$a: NanoCore 0x75ce7:$a: NanoCore 0x75f1b:$a: NanoCore 0x75f2f:$a: NanoCore 0x75f6f:$a: NanoCore 0xa8897:$a: NanoCore 0xa88a7:$a: NanoCore 0xa8adb:$a: NanoCore 0xa8aef:$a: NanoCore 0xa8b2f:$a: NanoCore 0x43166:$b: ClientPlugin 0x43368:$b: ClientPlugin 0x433a8:$b: ClientPlugin 0x75d36:$b: ClientPlugin 0x75f38:$b: ClientPlugin 0x75f78:$b: ClientPlugin
00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1028f:$x1: NanoCore.ClientPluginHost 0x42e4d:$x1: NanoCore.ClientPluginHost 0x7566d:$x1: NanoCore.ClientPluginHost 0x102cc:$x2: IClientNetworkHost 0x42e8a:$x2: IClientNetworkHost 0x756aa:$x2: IClientNetworkHost 0x13dff:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x469bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x791dd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfff7:$a: NanoCore 0x10007:$a: NanoCore 0x1023b:$a: NanoCore 0x1024f:$a: NanoCore 0x1028f:$a: NanoCore 0x42bb5:$a: NanoCore 0x42bc5:$a: NanoCore 0x42df9:$a: NanoCore 0x42e0d:$a: NanoCore 0x42e4d:$a: NanoCore 0x753d5:$a: NanoCore 0x753e5:$a: NanoCore 0x75619:$a: NanoCore 0x7562d:$a: NanoCore 0x7566d:$a: NanoCore 0x10056:$b: ClientPlugin 0x10258:$b: ClientPlugin 0x10298:$b: ClientPlugin 0x42c14:$b: ClientPlugin 0x42e16:$b: ClientPlugin 0x42e56:$b: ClientPlugin
Process Memory Space: RFQ.exe PID: 6876	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xc372d:$x1: NanoCore.ClientPluginHost 0xe23cf:$x1: NanoCore.ClientPluginHost 0x125bb1:$x1: NanoCore.ClientPluginHost 0x144857:$x1: NanoCore.ClientPluginHost 0x1634fd:$x1: NanoCore.ClientPluginHost 0xc378e:$x2: IClientNetworkHost 0xe2430:$x2: IClientNetworkHost 0x125c12:$x2: IClientNetworkHost 0x1448b8:$x2: IClientNetworkHost 0x16355e:$x2: IClientNetworkHost 0xc8b93:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xd6b05:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe7835:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xf57a7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x12b017:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x138f89:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x149cbd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x157c2f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x168963:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1768d5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RFQ.exe PID: 6876	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RFQ.exe PID: 6876	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RFQ.exe PID: 6876	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc3232:$a: NanoCore 0xc324e:$a: NanoCore 0xc33a9:$a: NanoCore 0xc33b8:$a: NanoCore 0xc3691:$a: NanoCore 0xc36bd:$a: NanoCore 0xc372d:$a: NanoCore 0xd316f:$a: NanoCore 0xd3181:$a: NanoCore 0xd31bd:$a: NanoCore 0xe1ed4:$a: NanoCore 0xe1ef0:$a: NanoCore 0xe204b:$a: NanoCore 0xe205a:$a: NanoCore 0xe2333:$a: NanoCore 0xe235f:$a: NanoCore 0xe23cf:$a: NanoCore 0xf1e11:$a: NanoCore 0xf1e23:$a: NanoCore 0xf1e5f:$a: NanoCore 0x1256b6:$a: NanoCore
Process Memory Space: enrnus.exe PID: 2288	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1bd096:$x1: NanoCore.ClientPluginHost 0x1dbd3c:$x1: NanoCore.ClientPluginHost 0x1fa9e2:$x1: NanoCore.ClientPluginHost 0x224925:$x1: NanoCore.ClientPluginHost 0x2435c7:$x1: NanoCore.ClientPluginHost 0x261f34:$x1: NanoCore.ClientPluginHost 0x1bd0f7:$x2: IClientNetworkHost 0x1dbd9d:$x2: IClientNetworkHost 0x1faa43:$x2: IClientNetworkHost 0x224986:$x2: IClientNetworkHost 0x243628:$x2: IClientNetworkHost 0x261f95:$x2: IClientNetworkHost 0x1c24fc:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1d046e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1e11a2:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1ef114:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1ffe48:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x20ddba:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x229d8b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x237cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x248a2d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: enrnus.exe PID: 2288	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: enrnus.exe PID: 2288	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1bcb9b:$a: NanoCore 0x1bcbb7:$a: NanoCore 0x1bcd12:$a: NanoCore 0x1bcd21:$a: NanoCore 0x1bcffa:$a: NanoCore 0x1bd026:$a: NanoCore 0x1bd096:$a: NanoCore 0x1ccad8:$a: NanoCore 0x1ccaea:$a: NanoCore 0x1ccb26:$a: NanoCore 0x1db841:$a: NanoCore 0x1db85d:$a: NanoCore 0x1db9b8:$a: NanoCore 0x1db9c7:$a: NanoCore 0x1dbca0:$a: NanoCore 0x1dbccc:$a: NanoCore 0x1dbd3c:$a: NanoCore 0x1eb77e:$a: NanoCore 0x1eb790:$a: NanoCore 0x1eb7cc:$a: NanoCore 0x1fa4e7:$a: NanoCore
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.RFQ.exe.48272aa.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ.exe.48272aa.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.RFQ.exe.48272aa.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ.exe.48272aa.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.RFQ.exe.48bf5c8.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ.exe.48bf5c8.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.RFQ.exe.48bf5c8.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ.exe.48bf5c8.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
20.2.enrnus.exe.46719a2.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.enrnus.exe.46719a2.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
20.2.enrnus.exe.46719a2.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.enrnus.exe.46719a2.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.RFQ.exe.488ca0a.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ.exe.488ca0a.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.RFQ.exe.488ca0a.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ.exe.488ca0a.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
20.2.enrnus.exe.460c212.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.enrnus.exe.460c212.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
20.2.enrnus.exe.460c212.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.enrnus.exe.460c212.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
20.2.enrnus.exe.46719a2.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.enrnus.exe.46719a2.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
20.2.enrnus.exe.46719a2.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.enrnus.exe.46719a2.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.RFQ.exe.47c1b1a.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ.exe.47c1b1a.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.RFQ.exe.47c1b1a.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ.exe.47c1b1a.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.RFQ.exe.47f46ea.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ.exe.47f46ea.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.RFQ.exe.47f46ea.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ.exe.47f46ea.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.RFQ.exe.47f46ea.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42d4d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42d8a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x468bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ.exe.47f46ea.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42ac5:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42d4d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x44386:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x4437a:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4522b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4afe2:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42d77:$s5: IClientLoggingHost
0.2.RFQ.exe.47f46ea.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ.exe.47f46ea.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42ab5:$a: NanoCore 0x42ac5:$a: NanoCore 0x42cf9:$a: NanoCore 0x42d0d:$a: NanoCore 0x42d4d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b14:$b: ClientPlugin 0x42d16:$b: ClientPlugin 0x42d56:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42c3b:$c: ProjectData 0x10a82:$d: DESCrypto 0x43642:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.RFQ.exe.47c1b1a.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42d5d:$x1: NanoCore.ClientPluginHost 0x7591d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42d9a:$x2: IClientNetworkHost 0x7595a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x468cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7948d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ.exe.47c1b1a.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ.exe.47c1b1a.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42ac5:$a: NanoCore 0x42ad5:$a: NanoCore 0x42d09:$a: NanoCore 0x42d1d:$a: NanoCore 0x42d5d:$a: NanoCore 0x75685:$a: NanoCore 0x75695:$a: NanoCore 0x758c9:$a: NanoCore 0x758dd:$a: NanoCore 0x7591d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b24:$b: ClientPlugin 0x42d26:$b: ClientPlugin 0x42d66:$b: ClientPlugin
20.2.enrnus.exe.4709cc0.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.enrnus.exe.4709cc0.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
20.2.enrnus.exe.4709cc0.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.enrnus.exe.4709cc0.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
20.2.enrnus.exe.460c212.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42d5d:$x1: NanoCore.ClientPluginHost 0x7591d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42d9a:$x2: IClientNetworkHost 0x7595a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x468cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7948d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.enrnus.exe.460c212.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.enrnus.exe.460c212.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42ac5:$a: NanoCore 0x42ad5:$a: NanoCore 0x42d09:$a: NanoCore 0x42d1d:$a: NanoCore 0x42d5d:$a: NanoCore 0x75685:$a: NanoCore 0x75695:$a: NanoCore 0x758c9:$a: NanoCore 0x758dd:$a: NanoCore 0x7591d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b24:$b: ClientPlugin 0x42d26:$b: ClientPlugin 0x42d66:$b: ClientPlugin
20.2.enrnus.exe.463ede2.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.enrnus.exe.463ede2.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
20.2.enrnus.exe.463ede2.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.enrnus.exe.463ede2.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
20.2.enrnus.exe.463ede2.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42d4d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42d8a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x468bd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.enrnus.exe.463ede2.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42ac5:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42d4d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x44386:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x4437a:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4522b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4afe2:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42d77:$s5: IClientLoggingHost
20.2.enrnus.exe.4709cc0.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.enrnus.exe.4709cc0.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42725:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x429ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x43fe6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x43fda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x44e8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ac42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x429d7:$s5: IClientLoggingHost
20.2.enrnus.exe.4709cc0.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.enrnus.exe.4709cc0.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto 0x1844e:$e: KeepAlive
20.2.enrnus.exe.463ede2.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.enrnus.exe.463ede2.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42ab5:$a: NanoCore 0x42ac5:$a: NanoCore 0x42cf9:$a: NanoCore 0x42d0d:$a: NanoCore 0x42d4d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b14:$b: ClientPlugin 0x42d16:$b: ClientPlugin 0x42d56:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42c3b:$c: ProjectData 0x10a82:$d: DESCrypto 0x43642:$d: DESCrypto 0x1844e:$e: KeepAlive
0.2.RFQ.exe.48272aa.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ.exe.48272aa.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.RFQ.exe.48272aa.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ.exe.48272aa.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.RFQ.exe.48bf5c8.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ.exe.48bf5c8.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.RFQ.exe.48bf5c8.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ.exe.48bf5c8.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.RFQ.exe.488ca0a.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42d4b:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42d88:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x468bb:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.RFQ.exe.488ca0a.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42ac3:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42d4b:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x44384:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x44378:$s2: FileCommand 0x1266b:$s3: PipeExists 0x45229:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4afe0:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42d75:$s5: IClientLoggingHost
0.2.RFQ.exe.488ca0a.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.RFQ.exe.488ca0a.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42ab3:$a: NanoCore 0x42ac3:$a: NanoCore 0x42cf7:$a: NanoCore 0x42d0b:$a: NanoCore 0x42d4b:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b12:$b: ClientPlugin 0x42d14:$b: ClientPlugin 0x42d54:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42c39:$c: ProjectData 0x10a82:$d: DESCrypto 0x43640:$d: DESCrypto 0x1844e:$e: KeepAlive
20.2.enrnus.exe.46d7102.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.enrnus.exe.46d7102.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
20.2.enrnus.exe.46d7102.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.enrnus.exe.46d7102.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
20.2.enrnus.exe.46d7102.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42d4b:$x1: NanoCore.ClientPluginHost 0x7556b:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42d88:$x2: IClientNetworkHost 0x755a8:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x468bb:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x790db:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
20.2.enrnus.exe.46d7102.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
20.2.enrnus.exe.46d7102.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42ab3:$a: NanoCore 0x42ac3:$a: NanoCore 0x42cf7:$a: NanoCore 0x42d0b:$a: NanoCore 0x42d4b:$a: NanoCore 0x752d3:$a: NanoCore 0x752e3:$a: NanoCore 0x75517:$a: NanoCore 0x7552b:$a: NanoCore 0x7556b:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42b12:$b: ClientPlugin 0x42d14:$b: ClientPlugin 0x42d54:$b: ClientPlugin
Click to see the 72 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe

ReversingLabs: Detection: 14%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY
Source: Yara match	File source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY
Source: Yara match	File source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE

Compliance:

Uses 32bit PE files

Show sources

Source: RFQ.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: RFQ.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Binary contains paths to debug symbols

Show sources

Source:	Binary string: RegAsm.pdb source: RegAsm.exe.0.dr
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe.0.dr

Software Vulnerabilities:

Source: C:\Users\user\Desktop\RFQ.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 4x nop then xor edx, edx
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 4x nop then xor edx, edx
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.6:49756 -> 185.244.30.161:1985

Source: enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RFQ.exe, 00000000.00000002.474429338.0000000002ED3000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: RFQ.exe, 00000000.00000003.347926461.00000000098E4000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000003.494057230.00000000096F4000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adb
Source: RFQ.exe, 00000000.00000003.347926461.00000000098E4000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.471130439.00000000098E5000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000003.494393505.00000000096F4000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado/1
Source: RFQ.exe, 00000000.00000003.347926461.00000000098E4000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.471130439.00000000098E5000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000003.494393505.00000000096F4000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c/g
Source: RFQ.exe, 00000000.00000003.347926461.00000000098E4000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.471130439.00000000098E5000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000003.494393505.00000000096F4000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.cobj
Source: enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: RFQ.exe, 00000000.00000002.474479540.0000000002F01000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RFQ.exe, 00000000.00000002.474429338.0000000002ED3000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RFQ.exe, 00000000.00000002.474429338.0000000002ED3000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RFQ.exe, 00000000.00000002.474462948.0000000002EEB000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.595053339.0000000002D3A000.00000004.00000001.sdmp	String found in binary or memory: http://schema.org/WebPage
Source: RFQ.exe, 00000000.00000002.474404366.0000000002EA1000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.594984683.0000000002CF1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: RFQ.exe, 00000000.00000002.474404366.0000000002EA1000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.594984683.0000000002CF1000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com
Source: RFQ.exe, 00000000.00000002.474404366.0000000002EA1000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.594984683.0000000002CF1000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: enrnus.exe, 00000014.00000002.593139988.000000000102B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY
Source: Yara match	File source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY
Source: Yara match	File source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

.NET source code contains very large array initializations

Show sources

Source: RFQ.exe, Zz97/w6DE.cs	Large array initialization: .cctor: array initializer size 3785
Source: RFQ.exe, Zz97/w6DE.cs	Large array initialization: .cctor: array initializer size 2501
Source: RFQ.exe, Zz97/w6DE.cs	Large array initialization: .cctor: array initializer size 2389

Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_02D0C8F0
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_06897767
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_068964A8
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_06894410
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_068985E8
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689EE98
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_06896D08
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689492F
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689E690
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689A758
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689A768
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_06896421
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689647D
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_068985BF
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_06899500
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_06899510
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_06897208
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689A0BA
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689A0C8
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689AC18
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689AC17
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689ADF0
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689D8F8
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689A992
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689A9A0
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_06895927
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0953B980
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_09531BC1
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0953EF88
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_09532408
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0953A9D2
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_01269028
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_052885E8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_05284410
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_052864A8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528775B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_05287208
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_05286D08
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528EE98
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_05284920
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_05289500
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_05288503
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_05289510
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_05288583
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528640D
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528647D
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528A768
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528A763
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528E690
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528A0BB
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528A0C8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528ADF3
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528AC0B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528AC18
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_05285918
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528A9A0
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528A993
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528D8F8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930B98B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_09301C54
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930EF88
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_09302408
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930A9BD
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930A9D2
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_093028B0
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_093028A1
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_093088E8
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_093088DB
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930AB00
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_09301BD5
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930CA3A
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930AA76
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930AA61
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930AAEB
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_09302DF9
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930CDCE
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_09302E08
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_09300013
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_09300040
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_09308338
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0930832B
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_09303468

Source: RFQ.exe, 00000000.00000002.473701970.0000000001180000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.475260216.0000000003EA8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSHCore1.dll0 vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.471971758.0000000000AF2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameagain.exeT vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.479695620.00000000068A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs RFQ.exe
Source: RFQ.exe, 00000000.00000002.479258486.0000000005EA0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs RFQ.exe
Source: RFQ.exe	Binary or memory string: OriginalFilenameagain.exeT vs RFQ.exe

Source: RFQ.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: unknown

Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'

Source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: classification engine

Classification label: mal100.troj.adwa.evad.winEXE@8/4@0/0

Source: C:\Users\user\Desktop\RFQ.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1428:120:WilError_01

Source: C:\Users\user\Desktop\RFQ.exe

File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Jump to behavior

Source: RFQ.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RFQ.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\RFQ.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\RFQ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe

File read: C:\Users\user\Desktop\RFQ.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RFQ.exe 'C:\Users\user\Desktop\RFQ.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Source: unknown	Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'

Source: C:\Users\user\Desktop\RFQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F324E4F9-8496-40b2-A1FF-9617C1C9AFFE}\InProcServer32

Source: C:\Users\user\Desktop\RFQ.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: RFQ.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RFQ.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: RegAsm.pdb source: RegAsm.exe.0.dr
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe.0.dr

Data Obfuscation:

Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F86A3 push edi; ret
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F42C7 push edi; ret
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F261E push ebx; iretd
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F743D pushad ; ret
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F8673 push edi; ret
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F7DA4 pushad ; ret
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F73E4 pushad ; ret
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F7B07 push ecx; retf
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F5900 push es; iretd
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F675C push ss; retf
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_009F857E push ecx; retf
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689A612 push es; iretd
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689854F push es; ret
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_06899211 pushfd ; iretd
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689525A push ecx; ret
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_0689B0FC push ecx; iretd
Source: C:\Users\user\Desktop\RFQ.exe	Code function: 0_2_068961DC pushad ; iretd
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C8673 push edi; ret
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C743D pushad ; ret
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C261E push ebx; iretd
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C42C7 push edi; ret
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C86A3 push edi; ret
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C857E push ecx; retf
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C675C push ss; retf
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C7B07 push ecx; retf
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C5900 push es; iretd
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C73E4 pushad ; ret
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_007C7DA4 pushad ; ret
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_052861DC pushad ; iretd
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528B0FC push ecx; iretd
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Code function: 20_2_0528525A push ecx; ret

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\RFQ.exe	File created: C:\Users\user\AppData\Local\Temp\RegAsm.exe			Jump to dropped file
Source: C:\Users\user\Desktop\RFQ.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe			Jump to dropped file

Source: C:\Users\user\Desktop\RFQ.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe

Jump to dropped file

Boot Survival:

Drops PE files to the startup folder

Show sources

Source: C:\Users\user\Desktop\RFQ.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe

Jump to dropped file

Source: C:\Users\user\Desktop\RFQ.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july

Jump to behavior

Source: C:\Users\user\Desktop\RFQ.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe	Jump to behavior
Source: C:\Users\user\Desktop\RFQ.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe\:Zone.Identifier:$DATA	Jump to behavior

Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run audiomac			Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run audiomac			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\RFQ.exe	File opened: C:\Users\user\Desktop\RFQ.exe\:Zone.Identifier read attributes \| delete
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	File opened: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe\:Zone.Identifier read attributes \| delete

Source: C:\Users\user\Desktop\RFQ.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RFQ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3

Show sources

Source: Yara match

File source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY

Source: C:\Users\user\Desktop\RFQ.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\RFQ.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\RFQ.exe	Window / User API: threadDelayed 885
Source: C:\Users\user\Desktop\RFQ.exe	Window / User API: threadDelayed 8833
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Window / User API: threadDelayed 834
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Window / User API: threadDelayed 8921

Source: C:\Users\user\Desktop\RFQ.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\RegAsm.exe

Jump to dropped file

Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7156	Thread sleep count: 885 > 30
Source: C:\Users\user\Desktop\RFQ.exe TID: 7156	Thread sleep count: 8833 > 30
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -45000s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -44859s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -44750s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -44640s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -44531s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -44422s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -44312s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -44203s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -44094s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -43984s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -43875s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -43765s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -43656s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -43547s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -43437s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -43328s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -43219s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -43109s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -43000s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -42890s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -42781s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -42672s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -42562s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -42453s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -42344s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -42234s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -42125s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -42015s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -41906s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -41797s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -41687s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -41578s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -41469s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -41359s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -41250s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -41125s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -40984s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -40875s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -40765s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -40656s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -40547s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -40406s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -40297s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -40187s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -40078s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -39969s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -39859s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -39750s >= -30000s
Source: C:\Users\user\Desktop\RFQ.exe TID: 7020	Thread sleep time: -39640s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -22136092888451448s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6720	Thread sleep count: 834 > 30
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6720	Thread sleep count: 8921 > 30
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -45000s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -44828s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -44719s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -44594s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -44484s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -44375s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -44266s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -44156s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -44047s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -43938s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -43797s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -43625s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -43516s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -43406s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -43297s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -43178s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -43063s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -42953s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -42531s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -42406s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -42297s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -42141s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -41485s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -41344s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -41234s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -41125s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -41016s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -40891s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -40750s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -40641s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -40500s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -40391s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -40250s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -40141s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -40031s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -39922s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -39813s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -39703s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -39594s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -39485s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -39344s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -39234s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -39125s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -39016s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -38906s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -38797s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -38672s >= -30000s
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe TID: 6716	Thread sleep time: -38563s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: VMware
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmware vmci bus device!vmware virtual s scsi disk device
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmware svga
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vboxservice
Source: RFQ.exe, 00000000.00000002.474828984.000000000311C000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-Vmicrosoft
Source: RFQ.exe, 00000000.00000002.479258486.0000000005EA0000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.351516586.0000000003520000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmware usb pointing device
Source: RFQ.exe, 00000000.00000002.474828984.000000000311C000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmusrvc
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmware pointing device
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmware sata
Source: RFQ.exe, 00000000.00000003.470481099.000000000699D000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Pb
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmsrvc
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmtools
Source: RFQ.exe, 00000000.00000002.474828984.000000000311C000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: Microsoft Hyper-V
Source: RFQ.exe, 00000000.00000002.479258486.0000000005EA0000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.351516586.0000000003520000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RFQ.exe, 00000000.00000002.479258486.0000000005EA0000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.351516586.0000000003520000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmware virtual s scsi disk device
Source: RFQ.exe, 00000000.00000003.470481099.000000000699D000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: enrnus.exe, 00000014.00000002.595123439.0000000002DAC000.00000004.00000001.sdmp	Binary or memory string: vmware vmci bus device
Source: enrnus.exe, 00000014.00000002.593271485.000000000105D000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RFQ.exe, 00000000.00000002.479258486.0000000005EA0000.00000002.00000001.sdmp, reg.exe, 00000007.00000002.351516586.0000000003520000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\RFQ.exe

Process information queried: ProcessInformation

Anti Debugging:

Source: C:\Users\user\Desktop\RFQ.exe	Process token adjusted: Debug
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\RFQ.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Source: C:\Users\user\Desktop\RFQ.exe	Process created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'

Source: enrnus.exe, 00000014.00000002.594827399.0000000001730000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: enrnus.exe, 00000014.00000002.594827399.0000000001730000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: enrnus.exe, 00000014.00000002.594827399.0000000001730000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: enrnus.exe, 00000014.00000002.594827399.0000000001730000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Users\user\Desktop\RFQ.exe VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe VolumeInformation
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation

Source: C:\Users\user\Desktop\RFQ.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY
Source: Yara match	File source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY
Source: Yara match	File source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: RFQ.exe, 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: enrnus.exe, 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RFQ.exe PID: 6876, type: MEMORY
Source: Yara match	File source: Process Memory Space: enrnus.exe PID: 2288, type: MEMORY
Source: Yara match	File source: 0.2.RFQ.exe.48272aa.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48bf5c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46719a2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.488ca0a.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.460c212.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46719a2.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47c1b1a.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47f46ea.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47f46ea.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.47c1b1a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.4709cc0.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.460c212.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.463ede2.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.4709cc0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.463ede2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48272aa.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.48bf5c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.RFQ.exe.488ca0a.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46d7102.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.enrnus.exe.46d7102.6.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Startup Items1	Startup Items1	Masquerading1	Input Capture1	Query Registry1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Registry Run Keys / Startup Folder121	Process Injection12	Modify Registry1	LSASS Memory	Security Software Discovery111	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Remote Access Software1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Registry Run Keys / Startup Folder121	Virtualization/Sandbox Evasion3	Security Account Manager	Virtualization/Sandbox Evasion3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Disable or Modify Tools1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Process Injection12	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery12	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe	15%	ReversingLabs	Win32.Trojan.Wacatac
C:\Users\user\AppData\Local\Temp\RegAsm.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\RegAsm.exe	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ns.adb	0%	Avira URL Cloud	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://ns.adobe.c/g	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
http://ocsp.pki.goog/gsr202	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ns.adobe.cobj	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://ocsp.pki.goog/gts1o1core0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe
http://ns.ado/1	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ns.adb	RFQ.exe, 00000000.00000003.347926461.00000000098E4000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000003.494057230.00000000096F4000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pki.goog/gsr2/GTS1O1.crt0	RFQ.exe, 00000000.00000002.474429338.0000000002ED3000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.adobe.c/g	RFQ.exe, 00000000.00000003.347926461.00000000098E4000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.471130439.00000000098E5000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000003.494393505.00000000096F4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.pki.goog/gsr202	enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pki.goog/repository/0	enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.adobe.cobj	RFQ.exe, 00000000.00000003.347926461.00000000098E4000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.471130439.00000000098E5000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000003.494393505.00000000096F4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ocsp.pki.goog/gts1o1core0	RFQ.exe, 00000000.00000002.474429338.0000000002ED3000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RFQ.exe, 00000000.00000002.474404366.0000000002EA1000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.594984683.0000000002CF1000.00000004.00000001.sdmp	false		high
http://schema.org/WebPage	RFQ.exe, 00000000.00000002.474462948.0000000002EEB000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.595053339.0000000002D3A000.00000004.00000001.sdmp	false		high
http://crl.pki.goog/GTS1O1core.crl0	RFQ.exe, 00000000.00000002.474429338.0000000002ED3000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000002.593387777.00000000010AC000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://ns.ado/1	RFQ.exe, 00000000.00000003.347926461.00000000098E4000.00000004.00000001.sdmp, RFQ.exe, 00000000.00000003.471130439.00000000098E5000.00000004.00000001.sdmp, enrnus.exe, 00000014.00000003.494393505.00000000096F4000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	358327
Start date:	25.02.2021
Start time:	12:15:39
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 20s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	RFQ.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.adwa.evad.winEXE@8/4@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 3.1% (good quality ratio 1.5%) Quality average: 26.8% Quality standard deviation: 33.7%
HCA Information:	Successful, ratio: 85% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 23.211.6.115, 168.61.161.212, 13.88.21.125, 142.250.185.164, 131.253.33.200, 13.107.22.200, 104.43.193.48, 51.11.168.160, 205.185.216.10, 205.185.216.42, 51.103.5.186, 52.155.217.156, 20.54.26.129, 92.122.213.247, 92.122.213.194, 184.30.20.56, 51.104.139.180 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, www.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, cds.d2s7q6s2.hwcdn.net, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:16:42	API Interceptor	306x Sleep call for process: RFQ.exe modified
12:16:45	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run audiomac C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe
12:16:54	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run audiomac C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe
12:17:49	API Interceptor	318x Sleep call for process: enrnus.exe modified
12:18:37	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\RegAsm.exe	CI & PL 2021 shipment for correction,pdf.exe	Get hash	malicious	Browse
	BL COPY.exe	Get hash	malicious	Browse
	IDS_ScanCopy6754588899.exe	Get hash	malicious	Browse
	Order 01001O02.exe	Get hash	malicious	Browse
	PAYMENT DETAILS.exe	Get hash	malicious	Browse
	PAYMENT ADVICE 09680820210111091448.exe	Get hash	malicious	Browse
	CN-Invoice-XXXXX9808-19011143287989.exe	Get hash	malicious	Browse
	qsiEm04k63.exe	Get hash	malicious	Browse
	Payment slip.exe	Get hash	malicious	Browse
	2Dd20YdQDR.exe	Get hash	malicious	Browse
	atikmdag-patcher 1.4.7.exe	Get hash	malicious	Browse
	Scan_00059010189_ ref. 004118379411_ pdf.exe	Get hash	malicious	Browse
	hfix.exe	Get hash	malicious	Browse
	atikmdag-patcher 1.4.8.exe	Get hash	malicious	Browse
	Client1.exe	Get hash	malicious	Browse
	miner.exe	Get hash	malicious	Browse
	PhoenixMiner_5.4c_Windows.exe	Get hash	malicious	Browse
	74725794.exe	Get hash	malicious	Browse
	PO-498475-ORDER.vbs	Get hash	malicious	Browse
	Payment Advice Note from 19.11.2020.exe	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe Download File
Process:	C:\Users\user\Desktop\RFQ.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1045504
Entropy (8bit):	6.571163294446179
Encrypted:	false
SSDEEP:	24576:fMjaXzO4jx8swe2M14J8bLMN86APmFsnIBaOhYvO4LPjlDy4XBc+:fMjaXzO4l8swe2k4J8bLMN86APmFNBWO
MD5:	6733E06C6BE5CA14FFC33763202F53C8
SHA1:	9412D3147B30A873B94E2D0F495EAFDEA1479EE1
SHA-256:	72F30E8884110E06B133ECABFDBF523AEF8CC5533273AA3E12AFEE785A5A45BC
SHA-512:	95E4B792853D583ACB7C2BCC1AF974CCBD20EAD31A917208F7BF070E71C15D226EF1A0D61C7E18D8679C33E07A9E9739EDD858F450B00B13C2433758AAAAB143
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 15%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H.X................................. ... ....@.. .......................`............`.....................................W.... .......................@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........\.........(....I..............................................E.<y...y&..Y..~W.[..2...,.Z..C .+..J..GD..k...da...y....d.@..[...b.....(...y>...\|f.U...S..L...v..C}_......M..`S#`..k...........p.>.Gn8...RO.X.i.mz.f.....M...#.x..!9...{......c......^....o.......W.7..s...-[..s.s..oi.X....n6.........Z.....Q.y./.r....c^."N..'yp...]...0..W...BQ..0..."{y..R.d..E.-...-....)...<...6.M..8.b.^.*".......E.rR...p5..IaDF.O)4h&P...>A...S.<.u...=.n.o.$..7..C.....X

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\RFQ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RFQ.exe.log Download File
Process:	C:\Users\user\Desktop\RFQ.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1318
Entropy (8bit):	5.35748495629225
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4bE4K5AE4Kzr7K84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoyE4P:MIHK5HKXE1qHbHK5AHKzvKviYHKhQnov
MD5:	C752BC4289E47E13AECB02FB0A525249
SHA1:	FA76430425B22B6D1BB8F737DE9F36DA996FFD9C
SHA-256:	19F546CEC9D3F9217584617117869E36A742D78D070D78212C64518317C0E45F
SHA-512:	98F2B88340F01B00FDB2EDAEFFB4AE9454B7F87E542CD827538D91A70B3EF59CD6B8E6FB63CA94D7750829D12415599C3B6D0C932CBDDCB33F10D887ACF59187
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Co

C:\Users\user\AppData\Local\Temp\RegAsm.exe Download File
Process:	C:\Users\user\Desktop\RFQ.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	64616
Entropy (8bit):	6.037264560032456
Encrypted:	false
SSDEEP:	768:J8XcJiMjm2ieHlPyCsSuJbn8dBhFVBSMQ6Iq8TSYDKpgLaDViRLNdr:9YMaNylPYSAb8dBnTHv8DKKaDVkX
MD5:	6FD7592411112729BF6B1F2F6C34899F
SHA1:	5E5C839726D6A43C478AB0B95DBF52136679F5EA
SHA-256:	FFE4480CCC81B061F725C54587E9D1BA96547D27FE28083305D75796F2EB3E74
SHA-512:	21EFCC9DEE3960F1A64C6D8A44871742558666BB792D77ACE91236C7DBF42A6CA77086918F363C4391D9C00904C55A952E2C18BE5FA1A67A509827BFC630070D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: CI & PL 2021 shipment for correction,pdf.exe, Detection: malicious, Browse Filename: BL COPY.exe, Detection: malicious, Browse Filename: IDS_ScanCopy6754588899.exe, Detection: malicious, Browse Filename: Order 01001O02.exe, Detection: malicious, Browse Filename: PAYMENT DETAILS.exe, Detection: malicious, Browse Filename: PAYMENT ADVICE 09680820210111091448.exe, Detection: malicious, Browse Filename: CN-Invoice-XXXXX9808-19011143287989.exe, Detection: malicious, Browse Filename: qsiEm04k63.exe, Detection: malicious, Browse Filename: Payment slip.exe, Detection: malicious, Browse Filename: 2Dd20YdQDR.exe, Detection: malicious, Browse Filename: atikmdag-patcher 1.4.7.exe, Detection: malicious, Browse Filename: Scan_00059010189_ ref. 004118379411_ pdf.exe, Detection: malicious, Browse Filename: hfix.exe, Detection: malicious, Browse Filename: atikmdag-patcher 1.4.8.exe, Detection: malicious, Browse Filename: Client1.exe, Detection: malicious, Browse Filename: miner.exe, Detection: malicious, Browse Filename: PhoenixMiner_5.4c_Windows.exe, Detection: malicious, Browse Filename: 74725794.exe, Detection: malicious, Browse Filename: PO-498475-ORDER.vbs, Detection: malicious, Browse Filename: Payment Advice Note from 19.11.2020.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...xX.Z..............0.............^.... ........@.. ....................... ............`.....................................O.......8...............h>........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P.....0.."........(......-.r...p.rI..p(....s....z....0..........(....~P.....o........(....n(.....(..........%...(....~(.....(..........%...%...(.....(.....(..........%...%...%...(....V.(......}Q.....}R.....{Q.....{R......0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.571163294446179
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	RFQ.exe
File size:	1045504
MD5:	6733e06c6be5ca14ffc33763202f53c8
SHA1:	9412d3147b30a873b94e2d0f495eafdea1479ee1
SHA256:	72f30e8884110e06b133ecabfdbf523aef8cc5533273aa3e12afee785a5a45bc
SHA512:	95e4b792853d583acb7c2bcc1af974ccbd20ead31a917208f7bf070e71c15d226ef1a0d61c7e18d8679c33e07a9e9739edd858f450b00b13c2433758aaaab143
SSDEEP:	24576:fMjaXzO4jx8swe2M14J8bLMN86APmFsnIBaOhYvO4LPjlDy4XBc+:fMjaXzO4l8swe2k4J8bLMN86APmFNBWO
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H.X................................. ... ....@.. .......................`............`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x5001de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x588848B6 [Wed Jan 25 06:41:58 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x100184	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x102000	0xcdf	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x104000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xfe1e4	0xfe200	False	0.608103018938	data	6.57523758898	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x102000	0xcdf	0xe00	False	0.378348214286	data	4.77533741669	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x104000	0xc	0x200	False	0.044921875	data	0.0815394123432	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x1020a0	0x39c	data
RT_MANIFEST	0x10243c	0x8a3	XML 1.0 document, UTF-8 Unicode (with BOM) text

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2005 3H<7C?IA<6FJJE:;5HGJ
Assembly Version	1.0.0.0
InternalName	again.exe
FileVersion	5.8.10.13
CompanyName	3H<7C?IA<6FJJE:;5HGJ
Comments	@EA=>IGI=9H:3@A2AA3
ProductName	EH@8<G955B73@B88=;GA@@2D
ProductVersion	5.8.10.13
FileDescription	EH@8<G955B73@B88=;GA@@2D
OriginalFilename	again.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/25/21-12:18:37.423575	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49756	1985	192.168.2.6	185.244.30.161

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 25, 2021 12:16:22.727293015 CET	62044	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:22.787478924 CET	53	62044	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:24.581695080 CET	63791	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:25.595849991 CET	63791	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:25.658751965 CET	53	63791	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:26.008734941 CET	64267	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:26.069957972 CET	53	64267	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:27.122786999 CET	49448	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:27.174323082 CET	53	49448	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:28.655915976 CET	60342	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:28.706482887 CET	53	60342	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:29.786921978 CET	61346	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:29.835741997 CET	53	61346	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:31.028070927 CET	51774	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:31.089288950 CET	53	51774	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:31.176573038 CET	56023	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:31.234807968 CET	53	56023	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:31.465831041 CET	58384	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:31.514385939 CET	53	58384	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:31.522681952 CET	60261	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:31.571381092 CET	53	60261	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:32.461899996 CET	56061	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:32.513628960 CET	53	56061	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:33.671749115 CET	58336	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:33.720500946 CET	53	58336	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:34.625479937 CET	53781	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:34.675333023 CET	53	53781	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:35.717607021 CET	54064	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:35.766388893 CET	53	54064	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:36.702701092 CET	52811	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:36.752760887 CET	53	52811	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:37.699152946 CET	55299	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:37.750910044 CET	53	55299	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:38.874150038 CET	63745	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:38.924274921 CET	53	63745	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:39.996886969 CET	50055	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:40.054152012 CET	53	50055	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:43.821738958 CET	61374	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:43.920892000 CET	53	61374	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:45.225033045 CET	50339	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:45.275497913 CET	53	50339	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:46.519507885 CET	63307	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:46.568161011 CET	53	63307	8.8.8.8	192.168.2.6
Feb 25, 2021 12:16:58.320008993 CET	49694	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:16:58.368999958 CET	53	49694	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:17.857564926 CET	54982	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:17.909198046 CET	53	54982	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:19.028069973 CET	50010	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:19.076870918 CET	53	50010	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:21.776122093 CET	63718	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:21.836282969 CET	53	63718	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:22.491647959 CET	62116	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:22.548764944 CET	53	62116	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:23.113923073 CET	63816	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:23.170830965 CET	53	63816	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:23.596215963 CET	55014	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:23.648888111 CET	53	55014	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:24.043178082 CET	62208	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:24.115250111 CET	57574	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:24.121511936 CET	53	62208	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:24.179927111 CET	53	57574	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:24.800698042 CET	51818	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:24.857887983 CET	53	51818	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:25.413422108 CET	56628	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:25.465018034 CET	53	56628	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:26.684542894 CET	60778	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:26.737323999 CET	53	60778	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:28.095009089 CET	53799	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:28.152288914 CET	53	53799	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:28.723160982 CET	54683	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:28.784219027 CET	53	54683	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:29.805085897 CET	59329	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:29.863773108 CET	53	59329	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:38.610966921 CET	64021	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:38.661577940 CET	53	64021	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:39.065171957 CET	56129	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:39.116597891 CET	53	56129	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:39.137428045 CET	58177	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:39.186067104 CET	53	58177	8.8.8.8	192.168.2.6
Feb 25, 2021 12:17:58.726459026 CET	50700	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:17:58.779820919 CET	53	50700	8.8.8.8	192.168.2.6
Feb 25, 2021 12:18:00.975207090 CET	54069	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:18:01.036456108 CET	53	54069	8.8.8.8	192.168.2.6
Feb 25, 2021 12:18:01.730922937 CET	61178	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:18:01.782592058 CET	53	61178	8.8.8.8	192.168.2.6
Feb 25, 2021 12:18:19.645900011 CET	57017	53	192.168.2.6	8.8.8.8
Feb 25, 2021 12:18:19.695908070 CET	53	57017	8.8.8.8	192.168.2.6

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: RFQ.exe PID: 6876 Parent PID: 5912

General

Start time:	12:16:30
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\RFQ.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\RFQ.exe'
Imagebase:	0x9f0000
File size:	1045504 bytes
MD5 hash:	6733E06C6BE5CA14FFC33763202F53C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.476175749.000000000488C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.475624148.000000000478E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: cmd.exe PID: 6032 Parent PID: 6876

General

Start time:	12:16:40
Start date:	25/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 1428 Parent PID: 6032

General

Start time:	12:16:41
Start date:	25/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: reg.exe PID: 6188 Parent PID: 6032

General

Start time:	12:16:41
Start date:	25/02/2021
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'audiomac' /t REG_SZ /d 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Imagebase:	0xaf0000
File size:	59392 bytes
MD5 hash:	CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: enrnus.exe PID: 2288 Parent PID: 6876

General

Start time:	12:17:36
Start date:	25/02/2021
Path:	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\july\enrnus.exe
Wow64 process (32bit):	true
Commandline:	'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\july\enrnus.exe'
Imagebase:	0x7c0000
File size:	1045504 bytes
MD5 hash:	6733E06C6BE5CA14FFC33763202F53C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000014.00000002.601490451.00000000045D9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000014.00000002.601634040.00000000046D7000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 15%, ReversingLabs
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report RFQ.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

Behavior

System Behavior