Play interactive tour

Edit tour

Analysis Report hbvo9thTAX.exe

Overview

General Information

Sample Name:	hbvo9thTAX.exe
Analysis ID:	381486
MD5:	0d646c6e6c2666f24b9e65cd1322fa86
SHA1:	9e7bfc67a55d697ec2dc7779737e4bc4793fcce8
SHA256:	cb19133e564f301e0b3bcba9f0cd81dd21ab65aaf5a4d506c29e70159b2c26bc
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

hbvo9thTAX.exe (PID: 5108 cmdline: 'C:\Users\user\Desktop\hbvo9thTAX.exe' MD5: 0D646C6E6C2666F24B9E65CD1322FA86)

powershell.exe (PID: 2148 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\hbvo9thTAX.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 3040 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\QeANuFTFqbK.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 5508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 4556 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QeANuFTFqbK' /XML 'C:\Users\user\AppData\Local\Temp\tmpABAD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 4644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 6240 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\QeANuFTFqbK.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

hbvo9thTAX.exe (PID: 6264 cmdline: C:\Users\user\Desktop\hbvo9thTAX.exe MD5: 0D646C6E6C2666F24B9E65CD1322FA86)

dhcpmon.exe (PID: 6768 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 0D646C6E6C2666F24B9E65CD1322FA86)

powershell.exe (PID: 6848 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 6884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

schtasks.exe (PID: 6892 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QeANuFTFqbK' /XML 'C:\Users\user\AppData\Local\Temp\tmp3FE.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

powershell.exe (PID: 7068 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\QeANuFTFqbK.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)

conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

dhcpmon.exe (PID: 7128 cmdline: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe MD5: 0D646C6E6C2666F24B9E65CD1322FA86)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "282cf72b-8a92-4c1b-b768-b591a1e0", "Group": "jobo", "Domain1": "james12.ddns.net", "Domain2": "127.0.0.1", "Port": 6060, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "", "BackupDNSServer": ""}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.514853524.0000000005470000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000000C.00000002.514853524.0000000005470000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000000C.00000002.514853524.0000000005470000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.517643399.0000000006D20000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5fee:$x1: NanoCore.ClientPluginHost 0x602b:$x2: IClientNetworkHost
0000000C.00000002.517643399.0000000006D20000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5fee:$x2: NanoCore.ClientPluginHost 0x9441:$s4: PipeCreated 0x6018:$s5: IClientLoggingHost
0000000C.00000002.516144108.0000000005930000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
0000000C.00000002.516144108.0000000005930000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
0000000C.00000002.517491421.0000000006BB0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
0000000C.00000002.517491421.0000000006BB0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
0000000C.00000003.343510515.0000000003EB2000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.515742718.0000000005810000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
0000000C.00000002.515742718.0000000005810000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
0000000C.00000002.515782747.0000000005820000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
0000000C.00000002.515782747.0000000005820000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
00000001.00000002.223329539.0000000003189000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000C.00000003.348639945.0000000003F5E000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.348639945.0000000003F5E000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1d61:$a: NanoCore 0x1dba:$a: NanoCore 0x1df7:$a: NanoCore 0x1e70:$a: NanoCore 0x1551b:$a: NanoCore 0x15530:$a: NanoCore 0x15565:$a: NanoCore 0x2317a:$a: NanoCore 0x2319f:$a: NanoCore 0x231f8:$a: NanoCore 0x33395:$a: NanoCore 0x333bb:$a: NanoCore 0x33417:$a: NanoCore 0x4026c:$a: NanoCore 0x402c5:$a: NanoCore 0x402f8:$a: NanoCore 0x40524:$a: NanoCore 0x405a0:$a: NanoCore 0x40bb9:$a: NanoCore 0x40d02:$a: NanoCore 0x411d6:$a: NanoCore
0000000C.00000002.508469986.0000000003DC7000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5877:$a: NanoCore 0x589c:$a: NanoCore 0x58f5:$a: NanoCore 0x15a94:$a: NanoCore 0x15aba:$a: NanoCore 0x15b16:$a: NanoCore 0x2296d:$a: NanoCore 0x229c6:$a: NanoCore 0x229f9:$a: NanoCore 0x22c25:$a: NanoCore 0x22ca1:$a: NanoCore 0x232ba:$a: NanoCore 0x23403:$a: NanoCore 0x238d7:$a: NanoCore 0x23bbe:$a: NanoCore 0x23bd5:$a: NanoCore 0x2ca79:$a: NanoCore 0x2caf5:$a: NanoCore 0x2f3d8:$a: NanoCore 0x349a1:$a: NanoCore 0x34a1b:$a: NanoCore
0000000C.00000002.467114300.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000C.00000002.467114300.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000002.467114300.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000C.00000002.506841236.0000000003BFF000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.343562311.0000000003EE9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000C.00000003.343562311.0000000003EE9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1431:$a: NanoCore 0x148a:$a: NanoCore 0x14c7:$a: NanoCore 0x1540:$a: NanoCore 0x14beb:$a: NanoCore 0x14c00:$a: NanoCore 0x14c35:$a: NanoCore 0x2284a:$a: NanoCore 0x2286f:$a: NanoCore 0x228c8:$a: NanoCore 0x32a65:$a: NanoCore 0x32a8b:$a: NanoCore 0x32ae7:$a: NanoCore 0x3f93c:$a: NanoCore 0x3f995:$a: NanoCore 0x3f9c8:$a: NanoCore 0x3fbf4:$a: NanoCore 0x3fc70:$a: NanoCore 0x40289:$a: NanoCore 0x403d2:$a: NanoCore 0x408a6:$a: NanoCore
0000000C.00000002.486077888.0000000000E50000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
0000000C.00000002.486077888.0000000000E50000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
0000000C.00000002.472485718.0000000000980000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost
0000000C.00000002.472485718.0000000000980000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0x1800:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost
0000000C.00000002.517454654.0000000006BA0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
0000000C.00000002.517454654.0000000006BA0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
0000000C.00000002.514058225.0000000004FC0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000000C.00000002.514058225.0000000004FC0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
0000000D.00000002.274402875.0000000002CA9000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000C.00000002.500809445.0000000002BF5000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x36f5a:$a: NanoCore 0x36f7f:$a: NanoCore 0x36fd8:$a: NanoCore 0x4714f:$a: NanoCore 0x47175:$a: NanoCore 0x471d1:$a: NanoCore 0x5402f:$a: NanoCore 0x54088:$a: NanoCore 0x540bb:$a: NanoCore 0x542e7:$a: NanoCore 0x54363:$a: NanoCore 0x5497c:$a: NanoCore 0x54ac5:$a: NanoCore 0x54f99:$a: NanoCore 0x55280:$a: NanoCore 0x55297:$a: NanoCore 0x5e167:$a: NanoCore 0x5e1e3:$a: NanoCore 0x60ac6:$a: NanoCore 0x6606d:$a: NanoCore 0x660e7:$a: NanoCore
00000001.00000002.226895307.0000000004229000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xa8e55:$x1: NanoCore.ClientPluginHost 0xdb675:$x1: NanoCore.ClientPluginHost 0xa8e92:$x2: IClientNetworkHost 0xdb6b2:$x2: IClientNetworkHost 0xac9c5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xdf1e5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.226895307.0000000004229000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.226895307.0000000004229000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xa8bbd:$a: NanoCore 0xa8bcd:$a: NanoCore 0xa8e01:$a: NanoCore 0xa8e15:$a: NanoCore 0xa8e55:$a: NanoCore 0xdb3dd:$a: NanoCore 0xdb3ed:$a: NanoCore 0xdb621:$a: NanoCore 0xdb635:$a: NanoCore 0xdb675:$a: NanoCore 0xa8c1c:$b: ClientPlugin 0xa8e1e:$b: ClientPlugin 0xa8e5e:$b: ClientPlugin 0xdb43c:$b: ClientPlugin 0xdb63e:$b: ClientPlugin 0xdb67e:$b: ClientPlugin 0xa8d43:$c: ProjectData 0xdb563:$c: ProjectData 0xa974a:$d: DESCrypto 0xdbf6a:$d: DESCrypto 0xb1116:$e: KeepAlive
0000000D.00000002.283486958.0000000003D6B000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xa841d:$x1: NanoCore.ClientPluginHost 0xdac3d:$x1: NanoCore.ClientPluginHost 0xa845a:$x2: IClientNetworkHost 0xdac7a:$x2: IClientNetworkHost 0xabf8d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xde7ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000D.00000002.283486958.0000000003D6B000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000D.00000002.283486958.0000000003D6B000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xa8185:$a: NanoCore 0xa8195:$a: NanoCore 0xa83c9:$a: NanoCore 0xa83dd:$a: NanoCore 0xa841d:$a: NanoCore 0xda9a5:$a: NanoCore 0xda9b5:$a: NanoCore 0xdabe9:$a: NanoCore 0xdabfd:$a: NanoCore 0xdac3d:$a: NanoCore 0xa81e4:$b: ClientPlugin 0xa83e6:$b: ClientPlugin 0xa8426:$b: ClientPlugin 0xdaa04:$b: ClientPlugin 0xdac06:$b: ClientPlugin 0xdac46:$b: ClientPlugin 0xa830b:$c: ProjectData 0xdab2b:$c: ProjectData 0xa8d12:$d: DESCrypto 0xdb532:$d: DESCrypto 0xb06de:$e: KeepAlive
00000016.00000002.276582938.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000016.00000002.276582938.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000016.00000002.276582938.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000016.00000002.299151920.00000000041C1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000016.00000002.299151920.00000000041C1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x493dd:$a: NanoCore 0x49436:$a: NanoCore 0x49473:$a: NanoCore 0x494ec:$a: NanoCore 0x5cb97:$a: NanoCore 0x5cbac:$a: NanoCore 0x5cbe1:$a: NanoCore 0x75663:$a: NanoCore 0x75678:$a: NanoCore 0x756ad:$a: NanoCore 0x4943f:$b: ClientPlugin 0x4947c:$b: ClientPlugin 0x49d7a:$b: ClientPlugin 0x49d87:$b: ClientPlugin 0x5c953:$b: ClientPlugin 0x5c96e:$b: ClientPlugin 0x5c99e:$b: ClientPlugin 0x5cbb5:$b: ClientPlugin 0x5cbea:$b: ClientPlugin 0x7541f:$b: ClientPlugin 0x7543a:$b: ClientPlugin
0000000C.00000002.516018940.00000000058D0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
0000000C.00000002.516018940.00000000058D0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
0000000C.00000002.485331770.0000000000DF0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
0000000C.00000002.485331770.0000000000DF0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
0000000C.00000002.515952602.00000000058C0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
0000000C.00000002.515952602.00000000058C0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
0000000C.00000002.486392047.0000000000EA0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost
0000000C.00000002.486392047.0000000000EA0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x13a8:$x2: NanoCore.ClientPluginHost 0x1486:$s4: PipeCreated 0x13c2:$s5: IClientLoggingHost
Process Memory Space: dhcpmon.exe PID: 6768	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: hbvo9thTAX.exe PID: 6264	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1b471:$x1: NanoCore.ClientPluginHost 0x370ad:$x1: NanoCore.ClientPluginHost 0x5a21d:$x1: NanoCore.ClientPluginHost 0x68bf1:$x1: NanoCore.ClientPluginHost 0x9e534:$x1: NanoCore.ClientPluginHost 0xa40f3:$x1: NanoCore.ClientPluginHost 0xb1dc0:$x1: NanoCore.ClientPluginHost 0xbc6da:$x1: NanoCore.ClientPluginHost 0xcf255:$x1: NanoCore.ClientPluginHost 0xd1c3f:$x1: NanoCore.ClientPluginHost 0xd5094:$x1: NanoCore.ClientPluginHost 0xd7c7f:$x1: NanoCore.ClientPluginHost 0xdee23:$x1: NanoCore.ClientPluginHost 0xe3c7e:$x1: NanoCore.ClientPluginHost 0xf0458:$x1: NanoCore.ClientPluginHost 0x10bdf8:$x1: NanoCore.ClientPluginHost 0x11a7b3:$x1: NanoCore.ClientPluginHost 0x141773:$x1: NanoCore.ClientPluginHost 0x14f440:$x1: NanoCore.ClientPluginHost 0x162234:$x1: NanoCore.ClientPluginHost 0x16cb4e:$x1: NanoCore.ClientPluginHost
Process Memory Space: hbvo9thTAX.exe PID: 6264	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: hbvo9thTAX.exe PID: 6264	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1b3eb:$a: NanoCore 0x1b418:$a: NanoCore 0x1b471:$a: NanoCore 0x22c80:$a: NanoCore 0x22c93:$a: NanoCore 0x22cc5:$a: NanoCore 0x37040:$a: NanoCore 0x37070:$a: NanoCore 0x370ad:$a: NanoCore 0x3d8df:$a: NanoCore 0x3d8f5:$a: NanoCore 0x3d918:$a: NanoCore 0x5a1ac:$a: NanoCore 0x5a1dc:$a: NanoCore 0x5a21d:$a: NanoCore 0x61f38:$a: NanoCore 0x61f4e:$a: NanoCore 0x61f75:$a: NanoCore 0x68bb0:$a: NanoCore 0x68bf1:$a: NanoCore 0x6f596:$a: NanoCore
Click to see the 52 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.2.hbvo9thTAX.exe.3dc7ce1.17.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.3dc7ce1.17.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
13.2.dhcpmon.exe.3e03290.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.dhcpmon.exe.3e03290.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
13.2.dhcpmon.exe.3e03290.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.dhcpmon.exe.3e03290.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.hbvo9thTAX.exe.6d20000.34.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x41ee:$x1: NanoCore.ClientPluginHost 0x422b:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.6d20000.34.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x41ee:$x2: NanoCore.ClientPluginHost 0x7641:$s4: PipeCreated 0x4218:$s5: IClientLoggingHost
12.2.hbvo9thTAX.exe.3cb28fe.14.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.3cb28fe.14.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
12.2.hbvo9thTAX.exe.2c335d0.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.2c335d0.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
12.2.hbvo9thTAX.exe.5930000.28.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3d99:$x1: NanoCore.ClientPluginHost 0x3db3:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.5930000.28.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3d99:$x2: NanoCore.ClientPluginHost 0x4dce:$s4: PipeCreated 0x3d86:$s5: IClientLoggingHost
12.3.hbvo9thTAX.exe.3f63db8.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.3.hbvo9thTAX.exe.3f63db8.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.3.hbvo9thTAX.exe.3f63db8.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.hbvo9thTAX.exe.58c0000.26.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3deb:$x1: NanoCore.ClientPluginHost 0x3f48:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.58c0000.26.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3deb:$x2: NanoCore.ClientPluginHost 0x4d41:$s3: PipeExists 0x3fe1:$s4: PipeCreated 0x3e05:$s5: IClientLoggingHost
12.2.hbvo9thTAX.exe.3dd3f15.15.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.3dd3f15.15.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
12.2.hbvo9thTAX.exe.4fc0000.20.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.4fc0000.20.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
12.2.hbvo9thTAX.exe.5470000.22.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.5470000.22.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.2.hbvo9thTAX.exe.5470000.22.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.hbvo9thTAX.exe.e50000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x605:$x1: NanoCore.ClientPluginHost 0x63e:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.e50000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x605:$x2: NanoCore.ClientPluginHost 0x720:$s4: PipeCreated 0x61f:$s5: IClientLoggingHost
12.3.hbvo9thTAX.exe.3ee9652.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2221d:$x1: NanoCore.ClientPluginHost 0x32439:$x1: NanoCore.ClientPluginHost 0x3f5a2:$x1: NanoCore.ClientPluginHost 0x45af0:$x1: NanoCore.ClientPluginHost 0x4bac1:$x1: NanoCore.ClientPluginHost 0x5552d:$x1: NanoCore.ClientPluginHost 0x5f958:$x1: NanoCore.ClientPluginHost 0x6a935:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x22247:$x2: IClientNetworkHost 0x32466:$x2: IClientNetworkHost 0x3f5db:$x2: IClientNetworkHost 0x45b29:$x2: IClientNetworkHost 0x5568a:$x2: IClientNetworkHost 0x5f991:$x2: IClientNetworkHost 0x6a94f:$x2: IClientNetworkHost
12.3.hbvo9thTAX.exe.3ee9652.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2221d:$x2: NanoCore.ClientPluginHost 0x32439:$x2: NanoCore.ClientPluginHost 0x3f5a2:$x2: NanoCore.ClientPluginHost 0x45af0:$x2: NanoCore.ClientPluginHost 0x4bac1:$x2: NanoCore.ClientPluginHost 0x5552d:$x2: NanoCore.ClientPluginHost 0x5f958:$x2: NanoCore.ClientPluginHost 0x6a935:$x2: NanoCore.ClientPluginHost 0x33408:$s2: FileCommand 0x1261:$s3: PipeExists 0x56483:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x240cd:$s4: PipeCreated 0x37e0a:$s4: PipeCreated 0x3f6bf:$s4: PipeCreated 0x45c0b:$s4: PipeCreated 0x4bb9f:$s4: PipeCreated 0x55723:$s4: PipeCreated
12.3.hbvo9thTAX.exe.3ee9652.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.hbvo9thTAX.exe.3ee9652.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x221f8:$a: NanoCore 0x2221d:$a: NanoCore 0x22276:$a: NanoCore 0x32413:$a: NanoCore 0x32439:$a: NanoCore 0x32495:$a: NanoCore 0x3f2ea:$a: NanoCore 0x3f343:$a: NanoCore 0x3f376:$a: NanoCore 0x3f5a2:$a: NanoCore 0x3f61e:$a: NanoCore 0x3fc37:$a: NanoCore 0x3fd80:$a: NanoCore 0x40254:$a: NanoCore
12.2.hbvo9thTAX.exe.e50000.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.e50000.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
12.2.hbvo9thTAX.exe.3cbbb32.13.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x2e61b:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost 0x2e658:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.3cbbb32.13.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x2e61b:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x31a6e:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost 0x2e645:$s5: IClientLoggingHost
12.2.hbvo9thTAX.exe.5820000.25.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.5820000.25.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0xe576:$s4: PipeCreated 0x8bbf:$s5: IClientLoggingHost
13.2.dhcpmon.exe.3e03290.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
13.2.dhcpmon.exe.3e03290.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42725:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x429ad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x43fe6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x43fda:$s2: FileCommand 0x1266b:$s3: PipeExists 0x44e8b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ac42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x429d7:$s5: IClientLoggingHost
13.2.dhcpmon.exe.3e03290.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
13.2.dhcpmon.exe.3e03290.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto 0x1844e:$e: KeepAlive
12.2.hbvo9thTAX.exe.5810000.24.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.5810000.24.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
12.2.hbvo9thTAX.exe.3cb28fe.14.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x2840f:$x1: NanoCore.ClientPluginHost 0x3784f:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost 0x28429:$x2: IClientNetworkHost 0x3788c:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.3cb28fe.14.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x2840f:$x2: NanoCore.ClientPluginHost 0x3784f:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x2b74c:$s4: PipeCreated 0x3aca2:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost 0x283fc:$s5: IClientLoggingHost 0x37879:$s5: IClientLoggingHost
12.2.hbvo9thTAX.exe.6ba0000.30.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.6ba0000.30.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
12.3.hbvo9thTAX.exe.3ef2ab1.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x18dbe:$x1: NanoCore.ClientPluginHost 0x28fda:$x1: NanoCore.ClientPluginHost 0x36143:$x1: NanoCore.ClientPluginHost 0x3c691:$x1: NanoCore.ClientPluginHost 0x42662:$x1: NanoCore.ClientPluginHost 0x4c0ce:$x1: NanoCore.ClientPluginHost 0x564f9:$x1: NanoCore.ClientPluginHost 0x614d6:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x18de8:$x2: IClientNetworkHost 0x29007:$x2: IClientNetworkHost 0x3617c:$x2: IClientNetworkHost 0x3c6ca:$x2: IClientNetworkHost 0x4c22b:$x2: IClientNetworkHost 0x56532:$x2: IClientNetworkHost 0x614f0:$x2: IClientNetworkHost
12.3.hbvo9thTAX.exe.3ef2ab1.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x18dbe:$x2: NanoCore.ClientPluginHost 0x28fda:$x2: NanoCore.ClientPluginHost 0x36143:$x2: NanoCore.ClientPluginHost 0x3c691:$x2: NanoCore.ClientPluginHost 0x42662:$x2: NanoCore.ClientPluginHost 0x4c0ce:$x2: NanoCore.ClientPluginHost 0x564f9:$x2: NanoCore.ClientPluginHost 0x614d6:$x2: NanoCore.ClientPluginHost 0x29fa9:$s2: FileCommand 0x4d024:$s3: PipeExists 0xc25f:$s4: PipeCreated 0x1ac6e:$s4: PipeCreated 0x2e9ab:$s4: PipeCreated 0x36260:$s4: PipeCreated 0x3c7ac:$s4: PipeCreated 0x42740:$s4: PipeCreated 0x4c2c4:$s4: PipeCreated 0x56644:$s4: PipeCreated 0x6250b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
12.3.hbvo9thTAX.exe.3ef2ab1.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.hbvo9thTAX.exe.3ef2ab1.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xb13a:$a: NanoCore 0xb14f:$a: NanoCore 0xb184:$a: NanoCore 0x18d99:$a: NanoCore 0x18dbe:$a: NanoCore 0x18e17:$a: NanoCore 0x28fb4:$a: NanoCore 0x28fda:$a: NanoCore 0x29036:$a: NanoCore 0x35e8b:$a: NanoCore 0x35ee4:$a: NanoCore 0x35f17:$a: NanoCore 0x36143:$a: NanoCore 0x361bf:$a: NanoCore 0x367d8:$a: NanoCore 0x36921:$a: NanoCore 0x36df5:$a: NanoCore 0x370dc:$a: NanoCore 0x370f3:$a: NanoCore 0x3c691:$a: NanoCore 0x3c70b:$a: NanoCore
12.2.hbvo9thTAX.exe.6ba0000.30.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x170b:$x1: NanoCore.ClientPluginHost 0x1725:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.6ba0000.30.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x170b:$x2: NanoCore.ClientPluginHost 0x34b6:$s4: PipeCreated 0x16f8:$s5: IClientLoggingHost
12.2.hbvo9thTAX.exe.df0000.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x3f0b:$x1: NanoCore.ClientPluginHost 0x3f44:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.df0000.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x3f0b:$x2: NanoCore.ClientPluginHost 0x400f:$s4: PipeCreated 0x3f25:$s5: IClientLoggingHost
12.2.hbvo9thTAX.exe.58c0000.26.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.58c0000.26.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
12.2.hbvo9thTAX.exe.2c47c04.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x16e3:$x1: NanoCore.ClientPluginHost 0xb563:$x1: NanoCore.ClientPluginHost 0x13469:$x1: NanoCore.ClientPluginHost 0x19444:$x1: NanoCore.ClientPluginHost 0x22edf:$x1: NanoCore.ClientPluginHost 0x2d2eb:$x1: NanoCore.ClientPluginHost 0x38305:$x1: NanoCore.ClientPluginHost 0x44083:$x1: NanoCore.ClientPluginHost 0x50046:$x1: NanoCore.ClientPluginHost 0x171c:$x2: IClientNetworkHost 0xb59c:$x2: IClientNetworkHost 0x134a2:$x2: IClientNetworkHost 0x2303c:$x2: IClientNetworkHost 0x2d324:$x2: IClientNetworkHost 0x3831f:$x2: IClientNetworkHost 0x4409d:$x2: IClientNetworkHost 0x50083:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.2c47c04.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x16e3:$x2: NanoCore.ClientPluginHost 0xb563:$x2: NanoCore.ClientPluginHost 0x13469:$x2: NanoCore.ClientPluginHost 0x19444:$x2: NanoCore.ClientPluginHost 0x22edf:$x2: NanoCore.ClientPluginHost 0x2d2eb:$x2: NanoCore.ClientPluginHost 0x38305:$x2: NanoCore.ClientPluginHost 0x44083:$x2: NanoCore.ClientPluginHost 0x50046:$x2: NanoCore.ClientPluginHost 0x23e35:$s3: PipeExists 0x1800:$s4: PipeCreated 0xb667:$s4: PipeCreated 0x13584:$s4: PipeCreated 0x19522:$s4: PipeCreated 0x230d5:$s4: PipeCreated 0x2d436:$s4: PipeCreated 0x3933a:$s4: PipeCreated 0x45e2e:$s4: PipeCreated 0x53499:$s4: PipeCreated 0x16fd:$s5: IClientLoggingHost 0xb57d:$s5: IClientLoggingHost
12.2.hbvo9thTAX.exe.2c47c04.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x142b:$a: NanoCore 0x1484:$a: NanoCore 0x14b7:$a: NanoCore 0x16e3:$a: NanoCore 0x175f:$a: NanoCore 0x1d78:$a: NanoCore 0x1ec1:$a: NanoCore 0x2395:$a: NanoCore 0x267c:$a: NanoCore 0x2693:$a: NanoCore 0xb563:$a: NanoCore 0xb5df:$a: NanoCore 0xdec2:$a: NanoCore 0x13469:$a: NanoCore 0x134e3:$a: NanoCore 0x19444:$a: NanoCore 0x1948e:$a: NanoCore 0x1a0e8:$a: NanoCore 0x22edf:$a: NanoCore 0x22fc9:$a: NanoCore 0x23e40:$a: NanoCore
22.2.dhcpmon.exe.42095fe.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0af:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0dc:$x2: IClientNetworkHost
22.2.dhcpmon.exe.42095fe.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0af:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e18a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0c9:$s5: IClientLoggingHost
22.2.dhcpmon.exe.42095fe.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.dhcpmon.exe.42095fe.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d065:$a: NanoCore 0x2d07a:$a: NanoCore 0x2d0af:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce21:$b: ClientPlugin 0x2ce3c:$b: ClientPlugin
12.2.hbvo9thTAX.exe.df0000.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b0b:$x1: NanoCore.ClientPluginHost 0x5b44:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.df0000.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b0b:$x2: NanoCore.ClientPluginHost 0x5c0f:$s4: PipeCreated 0x5b25:$s5: IClientLoggingHost
12.3.hbvo9thTAX.exe.3eee488.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
12.3.hbvo9thTAX.exe.3eee488.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
12.3.hbvo9thTAX.exe.3eee488.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.hbvo9thTAX.exe.2c273c4.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14db1:$x1: NanoCore.ClientPluginHost 0x21f23:$x1: NanoCore.ClientPluginHost 0x2bda3:$x1: NanoCore.ClientPluginHost 0x33ca9:$x1: NanoCore.ClientPluginHost 0x39c84:$x1: NanoCore.ClientPluginHost 0x4371f:$x1: NanoCore.ClientPluginHost 0x4db2b:$x1: NanoCore.ClientPluginHost 0x58b45:$x1: NanoCore.ClientPluginHost 0x648c3:$x1: NanoCore.ClientPluginHost 0x70886:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14dde:$x2: IClientNetworkHost 0x21f5c:$x2: IClientNetworkHost 0x2bddc:$x2: IClientNetworkHost 0x33ce2:$x2: IClientNetworkHost 0x4387c:$x2: IClientNetworkHost 0x4db64:$x2: IClientNetworkHost 0x58b5f:$x2: IClientNetworkHost 0x648dd:$x2: IClientNetworkHost 0x708c3:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.2c273c4.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x14db1:$x2: NanoCore.ClientPluginHost 0x21f23:$x2: NanoCore.ClientPluginHost 0x2bda3:$x2: NanoCore.ClientPluginHost 0x33ca9:$x2: NanoCore.ClientPluginHost 0x39c84:$x2: NanoCore.ClientPluginHost 0x4371f:$x2: NanoCore.ClientPluginHost 0x4db2b:$x2: NanoCore.ClientPluginHost 0x58b45:$x2: NanoCore.ClientPluginHost 0x648c3:$x2: NanoCore.ClientPluginHost 0x70886:$x2: NanoCore.ClientPluginHost 0x15d80:$s2: FileCommand 0x44675:$s3: PipeExists 0x6a6b:$s4: PipeCreated 0x1a782:$s4: PipeCreated 0x22040:$s4: PipeCreated 0x2bea7:$s4: PipeCreated 0x33dc4:$s4: PipeCreated 0x39d62:$s4: PipeCreated 0x43915:$s4: PipeCreated 0x4dc76:$s4: PipeCreated
12.2.hbvo9thTAX.exe.2c273c4.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14d8b:$a: NanoCore 0x14db1:$a: NanoCore 0x14e0d:$a: NanoCore 0x21c6b:$a: NanoCore 0x21cc4:$a: NanoCore 0x21cf7:$a: NanoCore 0x21f23:$a: NanoCore 0x21f9f:$a: NanoCore 0x225b8:$a: NanoCore 0x22701:$a: NanoCore 0x22bd5:$a: NanoCore 0x22ebc:$a: NanoCore 0x22ed3:$a: NanoCore 0x2bda3:$a: NanoCore 0x2be1f:$a: NanoCore 0x2e702:$a: NanoCore 0x33ca9:$a: NanoCore 0x33d23:$a: NanoCore
22.2.dhcpmon.exe.31e3ac8.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
22.2.dhcpmon.exe.31e3ac8.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
12.2.hbvo9thTAX.exe.3c0b529.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.3c0b529.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
12.2.hbvo9thTAX.exe.3c0b529.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.hbvo9thTAX.exe.3ecc004.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
12.3.hbvo9thTAX.exe.3ecc004.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
12.2.hbvo9thTAX.exe.3dc7ce1.17.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x14dd9:$x1: NanoCore.ClientPluginHost 0x21f44:$x1: NanoCore.ClientPluginHost 0x2bd98:$x1: NanoCore.ClientPluginHost 0x33cc0:$x1: NanoCore.ClientPluginHost 0x39c93:$x1: NanoCore.ClientPluginHost 0x43701:$x1: NanoCore.ClientPluginHost 0x4db2e:$x1: NanoCore.ClientPluginHost 0x58b0d:$x1: NanoCore.ClientPluginHost 0x648b1:$x1: NanoCore.ClientPluginHost 0x897b7:$x1: NanoCore.ClientPluginHost 0x98bf9:$x1: NanoCore.ClientPluginHost 0xc0202:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x14e06:$x2: IClientNetworkHost 0x21f7d:$x2: IClientNetworkHost 0x2bdd1:$x2: IClientNetworkHost 0x33cf9:$x2: IClientNetworkHost 0x4385e:$x2: IClientNetworkHost 0x4db67:$x2: IClientNetworkHost 0x58b27:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.3dc7ce1.17.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x14db3:$a: NanoCore 0x14dd9:$a: NanoCore 0x14e35:$a: NanoCore 0x21c8c:$a: NanoCore 0x21ce5:$a: NanoCore 0x21d18:$a: NanoCore 0x21f44:$a: NanoCore 0x21fc0:$a: NanoCore 0x225d9:$a: NanoCore 0x22722:$a: NanoCore 0x22bf6:$a: NanoCore 0x22edd:$a: NanoCore 0x22ef4:$a: NanoCore 0x2bd98:$a: NanoCore 0x2be14:$a: NanoCore 0x2e6f7:$a: NanoCore 0x33cc0:$a: NanoCore 0x33d3a:$a: NanoCore
12.2.hbvo9thTAX.exe.5810000.24.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.5810000.24.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
12.2.hbvo9thTAX.exe.58d0000.27.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.58d0000.27.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
12.2.hbvo9thTAX.exe.5470000.22.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.5470000.22.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
12.2.hbvo9thTAX.exe.5470000.22.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.hbvo9thTAX.exe.42c1cc8.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.hbvo9thTAX.exe.42c1cc8.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.hbvo9thTAX.exe.42c1cc8.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.hbvo9thTAX.exe.42c1cc8.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
12.2.hbvo9thTAX.exe.3cc07d1.12.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1a53c:$x1: NanoCore.ClientPluginHost 0x2997c:$x1: NanoCore.ClientPluginHost 0x1a556:$x2: IClientNetworkHost 0x299b9:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.3cc07d1.12.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1a53c:$x2: NanoCore.ClientPluginHost 0x2997c:$x2: NanoCore.ClientPluginHost 0x1d879:$s4: PipeCreated 0x2cdcf:$s4: PipeCreated 0x1a529:$s5: IClientLoggingHost 0x299a6:$s5: IClientLoggingHost
22.2.dhcpmon.exe.31d14d0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
22.2.dhcpmon.exe.31d14d0.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
12.3.hbvo9thTAX.exe.3f63db8.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.3.hbvo9thTAX.exe.3f63db8.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xf763:$a: NanoCore 0xf778:$a: NanoCore 0xf7ad:$a: NanoCore 0x1d3c2:$a: NanoCore 0x1d3e7:$a: NanoCore 0x1d440:$a: NanoCore 0x2d5dd:$a: NanoCore 0x2d603:$a: NanoCore 0x2d65f:$a: NanoCore 0x3a4b4:$a: NanoCore 0x3a50d:$a: NanoCore 0x3a540:$a: NanoCore 0x3a76c:$a: NanoCore 0x3a7e8:$a: NanoCore 0x3ae01:$a: NanoCore 0x3af4a:$a: NanoCore 0x3b41e:$a: NanoCore 0x3b705:$a: NanoCore 0x3b71c:$a: NanoCore 0x40cba:$a: NanoCore 0x40d34:$a: NanoCore
12.3.hbvo9thTAX.exe.3eb37d8.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x1d3e7:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x1d411:$x2: IClientNetworkHost
12.3.hbvo9thTAX.exe.3eb37d8.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x1d3e7:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x1f297:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
12.3.hbvo9thTAX.exe.3eb37d8.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
22.2.dhcpmon.exe.4212a5d.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c50:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c7d:$x2: IClientNetworkHost
22.2.dhcpmon.exe.4212a5d.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c50:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d2b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c6a:$s5: IClientLoggingHost
22.2.dhcpmon.exe.4212a5d.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.hbvo9thTAX.exe.5930000.28.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x5b99:$x1: NanoCore.ClientPluginHost 0x5bb3:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.5930000.28.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x5b99:$x2: NanoCore.ClientPluginHost 0x6bce:$s4: PipeCreated 0x5b86:$s5: IClientLoggingHost
12.2.hbvo9thTAX.exe.3dd3f15.15.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d10:$x1: NanoCore.ClientPluginHost 0x1fb64:$x1: NanoCore.ClientPluginHost 0x27a8c:$x1: NanoCore.ClientPluginHost 0x2da5f:$x1: NanoCore.ClientPluginHost 0x374cd:$x1: NanoCore.ClientPluginHost 0x418fa:$x1: NanoCore.ClientPluginHost 0x4c8d9:$x1: NanoCore.ClientPluginHost 0x5867d:$x1: NanoCore.ClientPluginHost 0x7d583:$x1: NanoCore.ClientPluginHost 0x8c9c5:$x1: NanoCore.ClientPluginHost 0xb3fce:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d49:$x2: IClientNetworkHost 0x1fb9d:$x2: IClientNetworkHost 0x27ac5:$x2: IClientNetworkHost 0x3762a:$x2: IClientNetworkHost 0x41933:$x2: IClientNetworkHost 0x4c8f3:$x2: IClientNetworkHost 0x58697:$x2: IClientNetworkHost 0x7d59d:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.3dd3f15.15.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a58:$a: NanoCore 0x15ab1:$a: NanoCore 0x15ae4:$a: NanoCore 0x15d10:$a: NanoCore 0x15d8c:$a: NanoCore 0x163a5:$a: NanoCore 0x164ee:$a: NanoCore 0x169c2:$a: NanoCore 0x16ca9:$a: NanoCore 0x16cc0:$a: NanoCore 0x1fb64:$a: NanoCore 0x1fbe0:$a: NanoCore 0x224c3:$a: NanoCore 0x27a8c:$a: NanoCore 0x27b06:$a: NanoCore 0x2c6a3:$a: NanoCore 0x2da5f:$a: NanoCore 0x2daa9:$a: NanoCore
12.2.hbvo9thTAX.exe.3cbbb32.13.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1d3db:$x1: NanoCore.ClientPluginHost 0x1d3f5:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.3cbbb32.13.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1d3db:$x2: NanoCore.ClientPluginHost 0x20718:$s4: PipeCreated 0x1d3c8:$s5: IClientLoggingHost
22.2.dhcpmon.exe.420e434.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28279:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282a6:$x2: IClientNetworkHost
22.2.dhcpmon.exe.420e434.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28279:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29354:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28293:$s5: IClientLoggingHost
22.2.dhcpmon.exe.420e434.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
12.2.hbvo9thTAX.exe.2c273c4.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.2c273c4.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
12.2.hbvo9thTAX.exe.6bb0000.31.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.6bb0000.31.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
12.2.hbvo9thTAX.exe.58d0000.27.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1deb:$x1: NanoCore.ClientPluginHost 0x1e24:$x2: IClientNetworkHost
12.2.hbvo9thTAX.exe.58d0000.27.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1deb:$x2: NanoCore.ClientPluginHost 0x1f36:$s4: PipeCreated 0x1e05:$s5: IClientLoggingHost
12.2.hbvo9thTAX.exe.ea0000.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x13a8:$x1: NanoCore.ClientPluginHost

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report hbvo9thTAX.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs