
Analysis Report SviRsoKz6E.exe

Overview

General Information

Sample Name: SviRsoKz6E.exe
Analysis ID: 381760
MD5: 5d59200d61ba34e07e26132f5acd9619
SHA1: 8fb59154fe08e09b2e9c2f817157b5bc0ccf1dae
SHA256: 95f117deabf4aeb36402033a7ca35e717f7a31c8bf9330acbf8934fb483c5d3e
Tags: exe, NanoCore, RAT
Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses dynamic DNS services
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • SviRsoKz6E.exe (PID: 2212 cmdline: 'C:\Users\user\Desktop\SviRsoKz6E.exe' MD5: 5D59200D61BA34E07E26132F5ACD9619)
    • SviRsoKz6E.exe (PID: 632 cmdline: 'C:\Users\user\Desktop\SviRsoKz6E.exe' MD5: 5D59200D61BA34E07E26132F5ACD9619)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6a8cfd5d-4b59-4ef3-89b5-b939bcb2", "Group": "Faggy", "Domain1": "justinalwhitedd554.duckdns.org", "Domain2": "paymentmaba.sinsincity.com", "Port": 7632, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source: 00000002.00000001.198223506.0000000000414000.00000040.00020000.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x111e5:$x1: NanoCore.ClientPluginHost
  • 0x11222:$x2: IClientNetworkHost
  • 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000002.00000001.198223506.0000000000414000.00000040.00020000.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000002.00000001.198223506.0000000000414000.00000040.00020000.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0x10f4d:$a: NanoCore
  • 0x10f5d:$a: NanoCore
  • 0x11191:$a: NanoCore
  • 0x111a5:$a: NanoCore
  • 0x111e5:$a: NanoCore
  • 0x10fac:$b: ClientPlugin
  • 0x111ae:$b: ClientPlugin
  • 0x111ee:$b: ClientPlugin
  • 0x110d3:$c: ProjectData
  • 0x11ada:$d: DESCrypto
  • 0x194a6:$e: KeepAlive
  • 0x17494:$g: LogClientMessage
  • 0x1368f:$i: get_Connected
  • 0x11e10:$j: #=q
  • 0x11e40:$j: #=q
  • 0x11e5c:$j: #=q
  • 0x11e8c:$j: #=q
  • 0x11ea8:$j: #=q
  • 0x11ec4:$j: #=q
  • 0x11ef4:$j: #=q
  • 0x11f10:$j: #=q
Source: 00000002.00000002.465661471.0000000004940000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000002.00000002.465661471.0000000004940000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost

    Unpacked PEs

Source: 2.2.SviRsoKz6E.exe.56a0000.9.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 2.2.SviRsoKz6E.exe.56a0000.9.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
Source: 2.2.SviRsoKz6E.exe.4f70000.7.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 2.2.SviRsoKz6E.exe.4f70000.7.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
Source: 2.2.SviRsoKz6E.exe.4f70000.7.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

      Sigma Overview

      System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\SviRsoKz6E.exe, ProcessId: 632, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

      Signature Overview


      AV Detection:

Found malware configuration
Source: 00000002.00000002.463943126.00000000034F3000.00000004.00000001.sdmp | Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6a8cfd5d-4b59-4ef3-89b5-b939bcb2", "Group": "Faggy", "Domain1": "justinalwhitedd554.duckdns.org", "Domain2": "paymentmaba.sinsincity.com", "Port": 7632, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nst2F82.tmp\tkmg9lz0c84fk1.dll | Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\nst2F82.tmp\tkmg9lz0c84fk1.dll | ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz\Adobe.exe | Virustotal: Detection: 39%
Source: C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz\Adobe.exe | ReversingLabs: Detection: 72%
Multi AV Scanner detection for submitted file
Source: SviRsoKz6E.exe | Virustotal: Detection: 39%
Source: SviRsoKz6E.exe | ReversingLabs: Detection: 72%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000002.00000001.198223506.0000000000414000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.465661471.0000000004940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.201495847.00000000033A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.465992786.0000000004F72000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.461711945.0000000002461000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.466862235.00000000056B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.460275613.000000000064A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.459577759.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.463943126.00000000034F3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SviRsoKz6E.exe PID: 2212, type: MEMORY
Source: Yara match | File source: Process Memory Space: SviRsoKz6E.exe PID: 632, type: MEMORY
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.4f70000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.34ffad1.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.34fb4a8.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.SviRsoKz6E.exe.415058.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.415058.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.34fb4a8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SviRsoKz6E.exe.33b1458.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.4940000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.664350.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.SviRsoKz6E.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SviRsoKz6E.exe.33a0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.SviRsoKz6E.exe.415058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.56b0000.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SviRsoKz6E.exe.33a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.56b0000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SviRsoKz6E.exe.33b1458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.4940000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.415058.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.56b4629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.SviRsoKz6E.exe.664350.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz\Adobe.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: SviRsoKz6E.exe | Joe Sandbox ML: detected
Source: 2.2.SviRsoKz6E.exe.400000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.SviRsoKz6E.exe.4f70000.7.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.1.SviRsoKz6E.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 2.2.SviRsoKz6E.exe.56b0000.11.unpack | Avira: Label: TR/NanoCore.fadte
Source: 0.2.SviRsoKz6E.exe.30f0000.3.unpack | Avira: Label: TR/Patched.Ren.Gen

      Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Unpacked PE file: 2.2.SviRsoKz6E.exe.400000.1.unpack
Source: SviRsoKz6E.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: SviRsoKz6E.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: SviRsoKz6E.exe, 00000002.00000002.460484829.00000000006B5000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: SviRsoKz6E.exe, 00000000.00000003.197706489.00000000035D0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: SviRsoKz6E.exe, 00000000.00000003.197706489.00000000035D0000.00000004.00000001.sdmp
Source: Binary string: ll\System.pdb source: SviRsoKz6E.exe, 00000002.00000003.288689683.0000000005B4B000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: SviRsoKz6E.exe, 00000002.00000002.460275613.000000000064A000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 0_2_00406435 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 0_2_00405889 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 0_2_004027A1 FindFirstFileA,
Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 2_2_00404A29 FindFirstFileExW,

      Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49702 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49703 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49704 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49711 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49723 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49732 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49735 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49737 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49739 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49748 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49749 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49750 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49751 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49752 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49755 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49756 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49757 -> 104.37.1.32:7632
Source: Traffic | Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49758 -> 104.37.1.32:7632
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: justinalwhitedd554.duckdns.org
Source: Malware configuration extractor | URLs: paymentmaba.sinsincity.com
Uses dynamic DNS services
Source: unknown | DNS query: name: justinalwhitedd554.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.3:49702 -> 104.37.1.32:7632
Source: Joe Sandbox View | ASN Name: SOFTLAYERUS SOFTLAYERUS
Source: unknown | DNS traffic detected: queries for: justinalwhitedd554.duckdns.org
Source: SviRsoKz6E.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SviRsoKz6E.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 0_2_00405326 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: SviRsoKz6E.exe, 00000002.00000002.466862235.00000000056B0000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

      E-Banking Fraud:

Yara detected Nanocore RAT

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 00000002.00000001.198223506.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000001.198223506.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.465661471.0000000004940000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000002.465661471.0000000004940000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000000.00000002.201495847.00000000033A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000000.00000002.201495847.00000000033A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.465992786.0000000004F72000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000002.465992786.0000000004F72000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.466831873.00000000056A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000002.466862235.00000000056B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000002.460275613.000000000064A000.00000004.00000020.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000002.460275613.000000000064A000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 00000002.00000002.459577759.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 00000002.00000002.459577759.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: SviRsoKz6E.exe PID: 2212, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: SviRsoKz6E.exe PID: 2212, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: Process Memory Space: SviRsoKz6E.exe PID: 632, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: Process Memory Space: SviRsoKz6E.exe PID: 632, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.SviRsoKz6E.exe.56a0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.SviRsoKz6E.exe.4f70000.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.SviRsoKz6E.exe.4f70000.7.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.SviRsoKz6E.exe.34ffad1.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.SviRsoKz6E.exe.34fb4a8.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.1.SviRsoKz6E.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.1.SviRsoKz6E.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.SviRsoKz6E.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.SviRsoKz6E.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.SviRsoKz6E.exe.34fb4a8.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.SviRsoKz6E.exe.33b1458.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.SviRsoKz6E.exe.33b1458.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.SviRsoKz6E.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.SviRsoKz6E.exe.24941a0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.SviRsoKz6E.exe.4940000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.SviRsoKz6E.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.SviRsoKz6E.exe.4940000.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.SviRsoKz6E.exe.664350.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.SviRsoKz6E.exe.664350.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.1.SviRsoKz6E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.1.SviRsoKz6E.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.SviRsoKz6E.exe.33a0000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.SviRsoKz6E.exe.33a0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.1.SviRsoKz6E.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.1.SviRsoKz6E.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.SviRsoKz6E.exe.56b0000.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.SviRsoKz6E.exe.33a0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.SviRsoKz6E.exe.33a0000.4.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.SviRsoKz6E.exe.56b0000.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.SviRsoKz6E.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.SviRsoKz6E.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 0.2.SviRsoKz6E.exe.33b1458.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 0.2.SviRsoKz6E.exe.33b1458.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.SviRsoKz6E.exe.4940000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.SviRsoKz6E.exe.4940000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.SviRsoKz6E.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.SviRsoKz6E.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
      Source: 2.2.SviRsoKz6E.exe.56b4629.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.SviRsoKz6E.exe.664350.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
      Source: 2.2.SviRsoKz6E.exe.664350.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Code function: 0_2_00403312 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Code function: 0_2_004067BE
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Code function: 2_2_0040A2A5
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Code function: 2_2_0232E47C
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Code function: 2_2_0232E480
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Code function: 2_2_0232BBD4
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Code function: 2_2_051DF5F8
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Code function: 2_2_051D9788
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Code function: 2_2_051DA5F8
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Code function: 2_2_051DA610
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Code function: 2_2_05386550
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Code function: 2_2_05383E30
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Code function: 2_2_0538C380
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Code function: 2_2_05384A50
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Code function: 2_2_0538CF98
Source: SviRsoKz6E.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Adobe.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SviRsoKz6E.exe, 00000000.00000003.199417831.00000000036EF000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs SviRsoKz6E.exe
Source: SviRsoKz6E.exe, 00000000.00000002.200554273.0000000000A50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs SviRsoKz6E.exe
Source: SviRsoKz6E.exe, 00000002.00000002.461711945.0000000002461000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs SviRsoKz6E.exe
Source: SviRsoKz6E.exe, 00000002.00000002.467548471.0000000006510000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SviRsoKz6E.exe
Source: SviRsoKz6E.exe, 00000002.00000002.467152505.00000000058E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs SviRsoKz6E.exe
Source: SviRsoKz6E.exe, 00000002.00000002.466862235.00000000056B0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs SviRsoKz6E.exe
Source: SviRsoKz6E.exe, 00000002.00000002.467019757.00000000057F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs SviRsoKz6E.exe
Source: SviRsoKz6E.exe, 00000002.00000002.466637009.0000000005350000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs SviRsoKz6E.exe
Source: SviRsoKz6E.exe	Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000002.00000001.198223506.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000001.198223506.0000000000414000.00000040.00020000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.465661471.0000000004940000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.465661471.0000000004940000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.465661471.0000000004940000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.201495847.00000000033A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.201495847.00000000033A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.201495847.00000000033A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.465992786.0000000004F72000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.465992786.0000000004F72000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.466831873.00000000056A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.466831873.00000000056A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.466862235.00000000056B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.466862235.00000000056B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.460275613.000000000064A000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.460275613.000000000064A000.00000004.00000020.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000002.00000002.459577759.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000002.00000002.459577759.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.459577759.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: SviRsoKz6E.exe PID: 2212, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: SviRsoKz6E.exe PID: 2212, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: SviRsoKz6E.exe PID: 632, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: SviRsoKz6E.exe PID: 632, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.SviRsoKz6E.exe.56a0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.SviRsoKz6E.exe.56a0000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.SviRsoKz6E.exe.4f70000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.SviRsoKz6E.exe.4f70000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.SviRsoKz6E.exe.4f70000.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.SviRsoKz6E.exe.34ffad1.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.SviRsoKz6E.exe.34ffad1.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.SviRsoKz6E.exe.34fb4a8.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.SviRsoKz6E.exe.34fb4a8.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.1.SviRsoKz6E.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.1.SviRsoKz6E.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.1.SviRsoKz6E.exe.415058.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.SviRsoKz6E.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.SviRsoKz6E.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.SviRsoKz6E.exe.415058.0.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.SviRsoKz6E.exe.34fb4a8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.SviRsoKz6E.exe.34fb4a8.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SviRsoKz6E.exe.33b1458.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.SviRsoKz6E.exe.33b1458.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SviRsoKz6E.exe.33b1458.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.SviRsoKz6E.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.SviRsoKz6E.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.SviRsoKz6E.exe.24941a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.SviRsoKz6E.exe.24941a0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.SviRsoKz6E.exe.4940000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.SviRsoKz6E.exe.4940000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.SviRsoKz6E.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.SviRsoKz6E.exe.4940000.6.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.SviRsoKz6E.exe.664350.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.SviRsoKz6E.exe.664350.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.SviRsoKz6E.exe.664350.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.1.SviRsoKz6E.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.1.SviRsoKz6E.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.1.SviRsoKz6E.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.SviRsoKz6E.exe.33a0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.SviRsoKz6E.exe.33a0000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SviRsoKz6E.exe.33a0000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.1.SviRsoKz6E.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.1.SviRsoKz6E.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.1.SviRsoKz6E.exe.415058.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.SviRsoKz6E.exe.56b0000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.SviRsoKz6E.exe.56b0000.11.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SviRsoKz6E.exe.33a0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.SviRsoKz6E.exe.33a0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SviRsoKz6E.exe.33a0000.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.SviRsoKz6E.exe.56b0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.SviRsoKz6E.exe.56b0000.11.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.SviRsoKz6E.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.SviRsoKz6E.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.SviRsoKz6E.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.SviRsoKz6E.exe.33b1458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.SviRsoKz6E.exe.33b1458.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.SviRsoKz6E.exe.33b1458.5.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.SviRsoKz6E.exe.4940000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.SviRsoKz6E.exe.4940000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.SviRsoKz6E.exe.4940000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.SviRsoKz6E.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.SviRsoKz6E.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.SviRsoKz6E.exe.415058.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.SviRsoKz6E.exe.56b4629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.SviRsoKz6E.exe.56b4629.10.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.SviRsoKz6E.exe.664350.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 2.2.SviRsoKz6E.exe.664350.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.SviRsoKz6E.exe.664350.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 2.2.SviRsoKz6E.exe.4f70000.7.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.SviRsoKz6E.exe.4f70000.7.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.SviRsoKz6E.exe.4f70000.7.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine	Classification label: mal100.troj.evad.winEXE@3/6@18/1
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Code function: 0_2_00403312 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Code function: 0_2_004045D7 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Code function: 2_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	File created: C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{6a8cfd5d-4b59-4ef3-89b5-b939bcb234ae}
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	File created: C:\Users\user\AppData\Local\Temp\nsy2F52.tmp
Source: SviRsoKz6E.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SviRsoKz6E.exe	Virustotal: Detection: 39%
Source: SviRsoKz6E.exe	ReversingLabs: Detection: 72%
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	File read: C:\Users\user\Desktop\SviRsoKz6E.exe
Source: unknown	Process created: C:\Users\user\Desktop\SviRsoKz6E.exe 'C:\Users\user\Desktop\SviRsoKz6E.exe'
Source: C:\Users\user\Desktop\SviRsoKz6E.exe	Process created: C:\Users\user\Desktop\SviRsoKz6E.exe 'C:\Users\user\Desktop\SviRsoKz6E.exe'
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: SviRsoKz6E.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: SviRsoKz6E.exe, 00000002.00000002.460484829.00000000006B5000.00000004.00000020.sdmp
      Source: Binary string: wntdll.pdbUGP source: SviRsoKz6E.exe, 00000000.00000003.197706489.00000000035D0000.00000004.00000001.sdmp
      Source: Binary string: wntdll.pdb source: SviRsoKz6E.exe, 00000000.00000003.197706489.00000000035D0000.00000004.00000001.sdmp
      Source: Binary string: ll\System.pdb source: SviRsoKz6E.exe, 00000002.00000003.288689683.0000000005B4B000.00000004.00000001.sdmp
      Source: Binary string: C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: SviRsoKz6E.exe, 00000002.00000002.460275613.000000000064A000.00000004.00000020.sdmp

      Data Obfuscation:

      Detected unpacking (changes PE section rights)
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Unpacked PE file: 2.2.SviRsoKz6E.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;.reloc:R;
      Detected unpacking (overwrites its own PE header)
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Unpacked PE file: 2.2.SviRsoKz6E.exe.400000.1.unpack
      .NET source code contains potential unpacker
      Source: 2.2.SviRsoKz6E.exe.4f70000.7.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 2.2.SviRsoKz6E.exe.4f70000.7.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003du003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 2_2_00401F16 push ecx; ret
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 2_2_051D7648 push eax; iretd
      Source: 2.2.SviRsoKz6E.exe.4f70000.7.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 2.2.SviRsoKz6E.exe.4f70000.7.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | File created: C:\Users\user\AppData\Local\Temp\nst2F82.tmp\tkmg9lz0c84fk1.dll
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | File created: C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz\Adobe.exe
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run justinalwhitedd554.duckdns.org.exe

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | File opened: C:\Users\user\Desktop\SviRsoKz6E.exe:Zone.Identifier read attributes | delete
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Window / User API: threadDelayed 962
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Window / User API: threadDelayed 8535
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Window / User API: foregroundWindowGot 836
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe TID: 4316 | Thread sleep time: -35000s >= -30000s
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe TID: 4952 | Thread sleep time: -11068046444225724s >= -30000s
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 0_2_00406435 FindFirstFileA,FindClose,
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 0_2_00405889 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 0_2_004027A1 FindFirstFileA,
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 2_2_00404A29 FindFirstFileExW,
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Thread delayed: delay time: 35000
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Thread delayed: delay time: 922337203685477
      Source: SviRsoKz6E.exe, 00000002.00000002.467548471.0000000006510000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: SviRsoKz6E.exe, 00000002.00000003.214806356.0000000005B50000.00000004.00000001.sdmp | Binary or memory string: QEMu}
      Source: SviRsoKz6E.exe, 00000002.00000002.467548471.0000000006510000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: SviRsoKz6E.exe, 00000002.00000002.467548471.0000000006510000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: SviRsoKz6E.exe, 00000002.00000002.467230032.0000000005B30000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: SviRsoKz6E.exe, 00000002.00000002.467548471.0000000006510000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 0_2_00A82394 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 0_2_00A82644 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 2_2_004035F1 mov eax, dword ptr fs:[00000030h]
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 2_2_004067FE GetProcessHeap,
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 2_2_00401E1D SetUnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 2_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 2_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Section loaded: unknown target: C:\Users\user\Desktop\SviRsoKz6E.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Process created: C:\Users\user\Desktop\SviRsoKz6E.exe 'C:\Users\user\Desktop\SviRsoKz6E.exe'
      Source: SviRsoKz6E.exe, 00000002.00000002.463739605.0000000002863000.00000004.00000001.sdmp | Binary or memory string: Program Manager
      Source: SviRsoKz6E.exe, 00000002.00000002.460934537.0000000000DD0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: SviRsoKz6E.exe, 00000002.00000002.460934537.0000000000DD0000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: SviRsoKz6E.exe, 00000002.00000002.467518966.00000000063CD000.00000004.00000010.sdmp | Binary or memory string: Program Managerv
      Source: SviRsoKz6E.exe, 00000002.00000002.460934537.0000000000DD0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 2_2_0040208D cpuid
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 2_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Code function: 0_2_00403312 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
      Source: C:\Users\user\Desktop\SviRsoKz6E.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match | File source: 00000002.00000001.198223506.0000000000414000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.465661471.0000000004940000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.201495847.00000000033A0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.465992786.0000000004F72000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.461711945.0000000002461000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.466862235.00000000056B0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.460275613.000000000064A000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.459577759.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.463943126.00000000034F3000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: SviRsoKz6E.exe PID: 2212, type: MEMORY
      Source: Yara match | File source: Process Memory Space: SviRsoKz6E.exe PID: 632, type: MEMORY
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.4f70000.7.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.34ffad1.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.34fb4a8.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.1.SviRsoKz6E.exe.415058.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.415058.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.34fb4a8.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.SviRsoKz6E.exe.33b1458.5.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.4940000.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.664350.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.1.SviRsoKz6E.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.SviRsoKz6E.exe.33a0000.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.1.SviRsoKz6E.exe.415058.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.56b0000.11.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.SviRsoKz6E.exe.33a0000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.56b0000.11.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.400000.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.SviRsoKz6E.exe.33b1458.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.4940000.6.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.415058.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.56b4629.10.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.664350.2.raw.unpack, type: UNPACKEDPE

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: SviRsoKz6E.exe, 00000000.00000002.201495847.00000000033A0000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: SviRsoKz6E.exe | String found in binary or memory: NanoCore.ClientPluginHost
      Source: SviRsoKz6E.exe, 00000002.00000002.461711945.0000000002461000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Yara detected Nanocore RAT
      Source: Yara match | File source: 00000002.00000001.198223506.0000000000414000.00000040.00020000.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.465661471.0000000004940000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.201495847.00000000033A0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.465992786.0000000004F72000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.461711945.0000000002461000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.466862235.00000000056B0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.460275613.000000000064A000.00000004.00000020.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.459577759.0000000000400000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000002.00000002.463943126.00000000034F3000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: SviRsoKz6E.exe PID: 2212, type: MEMORY
      Source: Yara match | File source: Process Memory Space: SviRsoKz6E.exe PID: 632, type: MEMORY
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.4f70000.7.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.34ffad1.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.34fb4a8.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.1.SviRsoKz6E.exe.415058.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.415058.0.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.34fb4a8.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.SviRsoKz6E.exe.33b1458.5.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.400000.1.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.4940000.6.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.664350.2.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.1.SviRsoKz6E.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.SviRsoKz6E.exe.33a0000.4.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.1.SviRsoKz6E.exe.415058.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.56b0000.11.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.SviRsoKz6E.exe.33a0000.4.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.56b0000.11.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.400000.1.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.SviRsoKz6E.exe.33b1458.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.4940000.6.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.415058.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.56b4629.10.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 2.2.SviRsoKz6E.exe.664350.2.raw.unpack, type: UNPACKEDPE

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation | Registry Run Keys / Startup Folder1 | Access Token Manipulation1 | Disable or Modify Tools1 | Input Capture11 | System Time Discovery1 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Process Injection112 | Deobfuscate/Decode Files or Information1 | LSASS Memory | File and Directory Discovery2 | Remote Desktop Protocol | Input Capture11 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | At (Linux) | Logon Script (Windows) | Registry Run Keys / Startup Folder1 | Obfuscated Files or Information1 | Security Account Manager | System Information Discovery25 | SMB/Windows Admin Shares | Clipboard Data1 | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Software Packing31 | NTDS | Security Software Discovery131 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | Carrier Billing Fraud |
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Masquerading1 | LSA Secrets | Process Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol21 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Virtualization/Sandbox Evasion31 | Cached Domain Credentials | Virtualization/Sandbox Evasion31 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Access Token Manipulation1 | DCSync | Application Window Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection112 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |

      Behavior Graph

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      SviRsoKz6E.exe | 39% | Virustotal |
      SviRsoKz6E.exe | 14% | Metadefender |
      SviRsoKz6E.exe | 72% | ReversingLabs | Win32.Trojan.Predator
      SviRsoKz6E.exe | 100% | Joe Sandbox ML |

      Dropped Files

      Source | Detection | Scanner | Label
      C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz\Adobe.exe | 100% | Joe Sandbox ML |
      C:\Users\user\AppData\Local\Temp\nst2F82.tmp\tkmg9lz0c84fk1.dll | 21% | Virustotal |
      C:\Users\user\AppData\Local\Temp\nst2F82.tmp\tkmg9lz0c84fk1.dll | 48% | ReversingLabs | Win32.Trojan.Predator
      C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz\Adobe.exe | 39% | Virustotal |
      C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz\Adobe.exe | 14% | Metadefender |
      C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz\Adobe.exe | 72% | ReversingLabs | Win32.Trojan.Predator

      Unpacked PE Files

Source                                Detection  Scanner  Label
2.2.SviRsoKz6E.exe.400000.1.unpack    100%       Avira    TR/Dropper.MSIL.Gen7
2.0.SviRsoKz6E.exe.400000.0.unpack    100%       Avira    HEUR/AGEN.1130366
2.2.SviRsoKz6E.exe.4f70000.7.unpack   100%       Avira    TR/Dropper.MSIL.Gen7
2.1.SviRsoKz6E.exe.400000.0.unpack    100%       Avira    TR/Dropper.MSIL.Gen7
0.0.SviRsoKz6E.exe.400000.0.unpack    100%       Avira    HEUR/AGEN.1130366
2.2.SviRsoKz6E.exe.56b0000.11.unpack  100%       Avira    TR/NanoCore.fadte
0.2.SviRsoKz6E.exe.30f0000.3.unpack   100%       Avira    TR/Patched.Ren.Gen
0.2.SviRsoKz6E.exe.400000.0.unpack    100%       Avira    HEUR/AGEN.1130366

      Domains

Source                          Detection  Scanner
justinalwhitedd554.duckdns.org  2%         Virustotal

      URLs

Source                          Detection  Scanner          Label
justinalwhitedd554.duckdns.org  2%         Virustotal
justinalwhitedd554.duckdns.org  0%         Avira URL Cloud  safe
paymentmaba.sinsincity.com      0%         Avira URL Cloud  safe

      Domains and IPs

      Contacted Domains

Name: justinalwhitedd554.duckdns.org
IP: 104.37.1.32
Active: true
Malicious: true
Antivirus Detection:
Reputation: unknown

      Contacted URLs

Name: justinalwhitedd554.duckdns.org
Malicious: true
Antivirus Detection: 2%, Virustotal; Avira URL Cloud: safe
Reputation: unknown

Name: paymentmaba.sinsincity.com
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

      URLs from Memory and Binaries

Name                                Source          Malicious  Antivirus Detection  Reputation
http://nsis.sf.net/NSIS_Error       SviRsoKz6E.exe  false                           high
http://nsis.sf.net/NSIS_ErrorError  SviRsoKz6E.exe  false                           high

          Contacted IPs


          Public

IP           Domain                          Country        ASN    ASN Name     Malicious
104.37.1.32  justinalwhitedd554.duckdns.org  United States  36351  SOFTLAYERUS  true

          General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 381760
Start date: 04.04.2021
Start time: 23:27:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 47s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: SviRsoKz6E.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@3/6@18/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 8.2% (good quality ratio 7.6%)
• Quality average: 78.9%
• Quality standard deviation: 30.2%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• TCP Packets have been reduced to 100
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 104.43.193.48, 20.50.102.62, 184.30.20.56, 168.61.161.212, 92.122.213.194, 92.122.213.247, 2.20.142.209, 2.20.142.210, 20.54.26.129, 20.82.209.183
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs.microsoft.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net, au-bg-shim.trafficmanager.net
• Report size getting too big, too many NtDeviceIoControlFile calls found.

          Simulations

          Behavior and APIs

Time      Type             Description
23:27:44  API Interceptor  1029x Sleep call for process: SviRsoKz6E.exe modified
23:27:45  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run justinalwhitedd554.duckdns.org.exe C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrst
23:27:53  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run justinalwhitedd554.duckdns.org.exe C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrst
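A triage check for Run-key autostart entries of the kind logged above, written for this page as an added example; it is not Joe Sandbox code and not part of the report. It runs offline over constructed entries: the NanoCore entry is rebuilt from the value name in the table and the full drop directory listed under Created / dropped Files (the Run value's command line is cut off in the table itself), next to two benign entries. The host-name regex, the vendor-name list, the 64-character path-component limit and the two-reason threshold are this example's assumptions.

```python
"""Heuristic triage of Run-key autostart entries (added example, not report code)."""
import re
from pathlib import PureWindowsPath

# Assumption: a Run value named like a DNS host name (NanoCore builds often
# name the value after the C2 host) is a strong signal on its own.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:org|net|com|info|xyz|top)(?:\.|$)", re.I)
APPDATA_RE = re.compile(r"\\AppData\\(?:Roaming|Local|LocalLow)\\", re.I)
# Assumption: roots where a vendor-named binary is expected to live.
TRUSTED_ROOTS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows",
                 "%windir%", "%programfiles%", "%systemroot%")
# Assumption: file names malware borrows from well-known software.
VENDOR_NAMES = {"adobe.exe", "chrome.exe", "svchost.exe", "explorer.exe", "csrss.exe"}
MAX_COMPONENT = 64   # assumption: no sane install path has a longer directory name
MIN_REASONS = 2      # assumption: flag an entry once two heuristics agree


def split_command(command: str):
    """Return (executable, arguments) for a Run value's command string.

    A leading quoted path is honoured; otherwise the first space ends the
    executable, so an unquoted path containing spaces would be cut short.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].strip()
    head, _, tail = command.partition(" ")
    return head, tail.strip()


def triage_run_entry(hive: str, name: str, command: str) -> dict:
    """Score one Run value and list the heuristics it trips."""
    exe, args = split_command(command)
    path = PureWindowsPath(exe)
    reasons = []
    if APPDATA_RE.search(exe):
        reasons.append("executable under a user-writable AppData path")
    if any(len(part) > MAX_COMPONENT for part in path.parts):
        reasons.append(f"path component longer than {MAX_COMPONENT} characters")
    if HOSTNAME_RE.match(name):
        reasons.append("value name looks like a DNS host name")
    if path.name.lower() in VENDOR_NAMES and not exe.lower().startswith(TRUSTED_ROOTS):
        reasons.append("vendor-style file name outside Program Files / Windows")
    return {"hive": hive, "name": name, "exe": str(path), "args": args,
            "reasons": reasons, "suspicious": len(reasons) >= MIN_REASONS}


def triage_many(entries) -> list:
    """entries: iterable of (hive, value_name, command) tuples, e.g. from a reg export."""
    return [triage_run_entry(*e) for e in entries]


# Constructed sample entries.  The first reuses the value name from the report
# and the full drop directory from the Created / dropped Files section.
LONG_DIR = "abcdefghijklmnopqrstuvwxyz" * 4
SAMPLE_ENTRIES = [
    ("HKCU", "justinalwhitedd554.duckdns.org.exe",
     "C:\\Users\\user\\AppData\\Roaming\\" + LONG_DIR + "\\Adobe.exe"),
    ("HKCU", "OneDrive",
     '"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("HKLM", "SecurityHealth",
     "%windir%\\system32\\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for r in triage_many(SAMPLE_ENTRIES):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['hive']}\\...\\Run  {r['name']}: {'; '.join(r['reasons']) or '-'}")
```

The OneDrive entry deliberately trips one heuristic (it really does live under AppData\Local), which is why a single signal is not enough to flag an entry; the NanoCore value trips all four.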

          Joe Sandbox View / Context

          IPs

Match        Associated Sample Name / URL  Detection
104.37.1.32  KyVkwYhS69.exe                malicious
104.37.1.32  fL14L0yc4M.exe                malicious
104.37.1.32  ws6g7ojmL0.exe                malicious

                Domains

Match                           Associated Sample Name / URL  Detection  Context
justinalwhitedd554.duckdns.org  ws6g7ojmL0.exe                malicious  104.37.1.32

                ASN

Match        Associated Sample Name / URL  Detection  Context
SOFTLAYERUS  VdSaL6WCqP.dll (2 analyses)   malicious  159.8.59.84
             MuILXZPOKY.dll (2 analyses)   malicious  159.8.59.84
             csxKgL6Nvi.dll (2 analyses)   malicious  159.8.59.84
             ux2cMVoVuT.dll (2 analyses)   malicious  159.8.59.84
             mPOtxOC1SV.dll                malicious  159.8.59.84
             y3787j9cJX.dll                malicious  159.8.59.84
             JRtcUI8csG.dll                malicious  159.8.59.84
             uHFobmfQhB.dll                malicious  159.8.59.84
             KilfLPpnGY.dll                malicious  159.8.59.84
             XMybpE2zdJ.dll                malicious  159.8.59.84
             4EZuDvo8vn.dll                malicious  159.8.59.84
             t51PMqFkL8.dll                malicious  159.8.59.84
             aC6KD7nRI6.dll (2 analyses)   malicious  159.8.59.84
             pSfdhDwTbN.dll (2 analyses)   malicious  159.8.59.84

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

C:\Users\user\AppData\Local\Temp\1bt90noxyykcnf0zwhq
Process: C:\Users\user\Desktop\SviRsoKz6E.exe
File Type: data
Category: dropped
Size (bytes): 282624
Entropy (8bit): 7.999356410033186
Encrypted: true
SSDEEP: 6144:8WGNpoisfWzTj4+DP0hotN17VlKWhS6Mg1KWozL4aR:8fpguzTj4ThotdlKOMxWozk+
MD5: D375D7F7DDB26EFA10A4A32A7C48E196
SHA1: 048496CB59D91E55C140CBCE4347B9C0E86A08DA
SHA-256: 386B97655841D8A34270A374B51B309976D0F607D978611BC9B601AF16AA30DC
SHA-512: 8FE2FCBC1E414EDCAD293CD6AC207F6249595EBD6DE4768EE70641C1DE138C84FA4FCAE71F3933E272B2587D8849CAFE6C1E75E01F1797BA6B6B01DF8264EB08
Malicious: false
Reputation: low
                Preview: E....1p.%].?.6.0.v[.}..................M..+..gX.si..-=...Z..rS.2..i...M......osr.E....[.........s..!..6.......m.....[+{........Y..M..|Q.g.}......xy..?.4.q.....z...~...\..t.....q.......Ztig.9...l(d..Z.qo......;.C.o.@.d......*N..K*.i*y..`o..: ..Z....'.......x...5..i...c.c.9.[..nm.M.W...M.....'.e.j.. [.ko<.\G............q.P..^.K../......^...f....x=...b...q...(..{.s..zb...m.s\S..Z.o`.w..@..\&.`.rv<...#G{r...L..H.....i.vt.l~.......%cf.....4.4..K.$}.........|*..R..K..q.....K..<.x...(..g.....k....+.~v..w..B..r...c.1DoX.:...nE.b...|.nC..7...2bKi.=..o...X.6.r_wu.:p..j0..y.-..._..&..;.W..u+...p1..1....... .4.1.....1.2..O.J.c.z_v.4...S..(%q..q.A.gaL.T5.T....q3s.@:vvfo~.JP.. .1.dW.:`.29........J{.~.Q.N..z.].....UV..>...v...5Q..s.w...E.0..S...r[..<..%.......k......8.....@...<..y..~.B,......(k,...8.c.....z.u..x.._...5.f3..8V..j+._p..O.f....).$s._.I..........[(!.N'....8N.U....=q{..Q....y....a6.V.....r..+.m...$..hM_..t*I...1a..M..h.....y...l=u..j4D.U
C:\Users\user\AppData\Local\Temp\3wj5sgysu7cdpeh8
Process: C:\Users\user\Desktop\SviRsoKz6E.exe
File Type: data
Category: dropped
Size (bytes): 10245
Entropy (8bit): 7.970803367763071
Encrypted: false
SSDEEP: 192:ooCRm5NgSp46ju699IPb2A2ru4qS/wFEIjy+9aP:cm5RU69AyAoHqS/wZy+oP
MD5: 9D1595AB0D85594C14E7CB15A55E3F9E
SHA1: A098A190102DB36C146E65EFDC08C34113C5C41E
SHA-256: 9FC982652F0A6B5B98D0ED481D9231D3FDECEBC34E98EB6493A849DE9B6B5189
SHA-512: BD75157A2E8A6DAEADD2ECF690D7A3146BFA41FC1CA673A6675BC7AFF3881DE00E09786D7CE80C291A75CDA36B810EE8B179D364E7C2717B76228DE8C8277F98
Malicious: false
Reputation: low
                Preview: ..KC~Q.3.../.;.F...........%Ut....M.)u.}"...1c>.`..[jmh.F...^....K..`".4/.0.p.....T.Z^{5....9.L.^v.;.l-:H....c..$.p3....K@....g.d...E.....R...n..s9.r.X.........C@l<..O.-...e....V.).!.J .......F..i+..wy4E..)13.......M.Q.IC.}C.B.qB..v...T.Z.W..O.>...J.`.2.m.g.\f..T....{...7..p...g5 .U.U.f$VF.....R....o).}6.?.....(a_.g.<..'......e.JF..6.W....j....:....I.$..w....L....._....u.Sz@.lg!....&.W.J.....z4.p/.y.0.,c].....MO.......6Q...i.T.".....R..a....>.2?.k....E.%\..z...G.J.d.=..l6..l.....wu.W.f7....>t2s6w....j$*C.................Nv...d....~z.Y.h.....;v..?y...@.a.e..Z...U.s..H...l.E.............F.\....L.q..eA...Q.7..#e.|.bl.._o......b#r..zSv.3Nq.$Cl.....V... ..E..x+cP...V.'...9.Z..PH......l..Vm7...W.zO.5~.....6.Javx...B.0.yCFWr...!..M..=E...3...D..3.'`a.y6TV.._....b\..z..&.../j..+....wG..j&....?...1r..k<.\^~.9.s..H.....:...p.jk...\..[....sk.....>.au.S.n(.U..Y.O...j........z4..)z.(W&x.]...&.r....E..../..O.h..U...}F.+N....&....
C:\Users\user\AppData\Local\Temp\nst2F82.tmp\tkmg9lz0c84fk1.dll
Process: C:\Users\user\Desktop\SviRsoKz6E.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4608
Entropy (8bit): 4.224397794265047
Encrypted: false
SSDEEP: 48:SesgkKfGtShb1aU26crZ26TZZY4ITjG+mAoakbZ7IGRuqS:ME1aPZZxILmxZxFx
MD5: 397C7EA3337C5E01F39D2572A0C5B6E9
SHA1: 3921DDD729F3F69932A12915696EEBEAAEA1238B
SHA-256: 0E36B538B99E7B2AA0E23DD9B2720F56129A8F2FB50A203BB68CF7CCB544E60D
SHA-512: 48BB084F549C65CACD83F4A72A513511509283972FD04BDC92A64862AA782828E4D1FF315AE7C9774C607EE9B8815CCD740B9418659F469F81D99628DFB48D46
Malicious: true
Antivirus:
• Virustotal, Detection: 21%
• ReversingLabs, Detection: 48%
Reputation: low
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................PE..L....$e`...........!......................... ...............................P.......................................$..M.... .......@............................................................................... ...............................text............................... ..`.rdata....... ......................@..@.data...(....0......................@....rsrc........@......................@..@........................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
Process: C:\Users\user\Desktop\SviRsoKz6E.exe
File Type: data
Category: dropped
Size (bytes): 3248
Entropy (8bit): 7.089541637477408
Encrypted: false
SSDEEP: 96:HjhDjhDjhDjhDjhDjhDjhDjhDjhDjhDjhDjhDjhDjhL:DBBBBBBBBBBBBBp
MD5: F7F62653B7691175FCE2AF5734050062
SHA1: 7BAA9A5B0A995099E2668BDDE10BED35A680C2CB
SHA-256: B5D42B27337D1F66323CB7C5EAFD1F7F51EC5E8659D8000754C84F71DC010454
SHA-512: 2608D9E132C9A24855D644701EBB2733004A8DA8811304816735A59209C838627905D00768D3BFC4E6D49140884407AE49936C07D07ECD4DFFF9DDB228406FF8
Malicious: false
Reputation: low
                Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process: C:\Users\user\Desktop\SviRsoKz6E.exe
File Type: ISO-8859 text, with no line terminators
Category: dropped
Size (bytes): 8
Entropy (8bit): 3.0
Encrypted: false
SSDEEP: 3:3bh:d
MD5: C53647C3CAED5B2931C0893913100D55
SHA1: CBC8A05184916603B1BBDC70F18C8D830FE4180E
SHA-256: 4019186F62D722272134B955D57FF97C94729D7E548BD62D2500344861B73EE7
SHA-512: B7A9FE348543F685B6AFAD2C7BB5AA1DE526AF6576714F727474E081AFD3569B11196D3B1DCD649F059FB597909163F7B23A35E14B9CDCCB38D781289AF9D607
Malicious: true
Reputation: low
Preview: ..>....H
C:\Users\user\AppData\Roaming\abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz\Adobe.exe
Process: C:\Users\user\Desktop\SviRsoKz6E.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 700444
Entropy (8bit): 5.894787047059789
Encrypted: false
SSDEEP: 6144:vqjIDb42WGNpoisfWzTj4+DP0hotN17VlKWhS6Mg1KWozL4ayL:ao42fpguzTj4ThotdlKOMxWozkTL
MD5: 5D59200D61BA34E07E26132F5ACD9619
SHA1: 8FB59154FE08E09B2E9C2F817157B5BC0CCF1DAE
SHA-256: 95F117DEABF4AEB36402033A7CA35E717F7A31C8BF9330ACBF8934FB483C5D3E
SHA-512: 3949898771BD7049990C26320D7C089138DB31294A5B6536E7232D2A32920A5BA6E8B4FBC333899099905ADD59512307E8F311E30F53E145A4364C46CA3C49F2
Malicious: true
Antivirus:
• Joe Sandbox ML, Detection: 100%
• Virustotal, Detection: 39%
• Metadefender, Detection: 14%
• ReversingLabs, Detection: 72%
Reputation: low
Note: size and MD5/SHA-1/SHA-256 are identical to those of the submitted sample (see Static File Info below), so this file is the installer copying itself to the path referenced by the Run value recorded under Simulations.
                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....$_.................b...r.......3............@.......................................@.................................8.......................................................................................................................text....`.......b.................. ..`.rdata..t............f..............@..@.data...8............z..............@....ndata.......P...........................rsrc..............................@..@................................................................................................................................................................................................................................................................................................................................................................
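The Entropy (8bit) and Encrypted fields on each dropped file above are the quickest tell for which artifacts are encrypted payload blobs (1bt90noxyykcnf0zwhq at 7.9994 bits/byte) versus plain code or text (tkmg9lz0c84fk1.dll at 4.22). The block below is an added example written for this page, not Joe Sandbox code: it reproduces those per-file facts and adds a sliding-window pass that locates where the high-entropy region begins inside a file, which is how an analyst finds an encrypted blob appended to an otherwise ordinary binary. The 7.99 bits/byte "encrypted" cut-off and the 7.5 per-window cut-off are this example's assumptions (the page does not state the threshold the sandbox uses). The sample file is constructed inline: 64 KiB of repeated DOS-stub text followed by 64 KiB of a SHA-256 counter-mode keystream standing in for ciphertext.

```python
"""Entropy triage of dropped files (added example, not report code)."""
import hashlib
import math
from collections import Counter

# Assumption: the sandbox's cut-off for "Encrypted: true" is not on the page;
# 7.99 bits/byte is this example's choice and agrees with the report's rows
# (7.9994 -> true, 7.9708 -> false).
ENCRYPTED_THRESHOLD = 7.99
# Assumption: per-window cut-off for "looks encrypted or compressed".
WINDOW_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_facts(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> dict:
    """The per-file fields the report prints: size, entropy, verdict and hashes."""
    ent = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": ent,
        "encrypted": ent >= threshold,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def high_entropy_windows(data: bytes, window: int = 4096, step: int = 4096,
                         threshold: float = WINDOW_THRESHOLD) -> list:
    """(offset, entropy) for every window whose entropy reaches the threshold."""
    hits = []
    for off in range(0, len(data) - window + 1, step):
        ent = shannon_entropy(data[off:off + window])
        if ent >= threshold:
            hits.append((off, ent))
    return hits


def first_high_entropy_offset(data: bytes, **kw):
    """Offset at which the encrypted/compressed region starts, or None."""
    hits = high_entropy_windows(data, **kw)
    return hits[0][0] if hits else None


def keystream(seed: bytes, length: int) -> bytes:
    """Deterministic SHA-256 counter-mode bytes: a stand-in for ciphertext."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(seed + block.to_bytes(4, "little")).digest()
        block += 1
    return bytes(out[:length])


# Constructed sample file: low-entropy text, then a keystream "payload blob".
DOS_STUB = b"This program cannot be run in DOS mode.\r\n"
TEXT_PART = (DOS_STUB * (65536 // len(DOS_STUB) + 1))[:65536]
BLOB_PART = keystream(b"constructed-example-seed", 65536)
SAMPLE_FILE = TEXT_PART + BLOB_PART

if __name__ == "__main__":
    facts = file_facts(SAMPLE_FILE)
    print(f"size={facts['size']} entropy={facts['entropy']:.4f} "
          f"encrypted={facts['encrypted']} sha256={facts['sha256']}")
    print(f"blob region entropy={shannon_entropy(BLOB_PART):.4f}; "
          f"first high-entropy window at offset {first_high_entropy_offset(SAMPLE_FILE)}")
```

Two caveats worth keeping in mind when reading the report's numbers: whole-file entropy of a container that is half text and half ciphertext lands in the 6 to 7 range and never trips an "encrypted" verdict, which is why the per-window scan matters; and the plug-in entropy estimate is biased low for short inputs (a few KiB of perfectly random bytes scores around 7.95, not 8.0), so a fixed 7.99 cut-off only becomes meaningful for files the size of the 282 KiB blob above.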

                Static File Info

                General

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 5.894787047059789
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: SviRsoKz6E.exe
File size: 700444
MD5: 5d59200d61ba34e07e26132f5acd9619
SHA1: 8fb59154fe08e09b2e9c2f817157b5bc0ccf1dae
SHA256: 95f117deabf4aeb36402033a7ca35e717f7a31c8bf9330acbf8934fb483c5d3e
SHA512: 3949898771bd7049990c26320d7c089138db31294a5b6536e7232d2a32920a5ba6e8b4fbc333899099905add59512307e8f311e30f53e145a4364c46ca3c49f2
SSDEEP: 6144:vqjIDb42WGNpoisfWzTj4+DP0hotN17VlKWhS6Mg1KWozL4ayL:ao42fpguzTj4ThotdlKOMxWozkTL
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L.....$_.................b...r.......3............@

                File Icon

Icon Hash: e0d8d8d4d4d8d0e8

                Static PE Info

                General

Entrypoint: 0x403312
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5F24D6A7 [Sat Aug 1 02:42:47 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: ced282d9b261d1462772017fe2f6972b

                Entrypoint Preview

                Instruction
                sub esp, 00000184h
                push ebx
                push esi
                push edi
                xor ebx, ebx
                push 00008001h
                mov dword ptr [esp+18h], ebx
                mov dword ptr [esp+10h], 0040A198h
                mov dword ptr [esp+20h], ebx
                mov byte ptr [esp+14h], 00000020h
                call dword ptr [004080B8h]
                call dword ptr [004080BCh]
                and eax, BFFFFFFFh
                cmp ax, 00000006h
                mov dword ptr [0042472Ch], eax
                je 00007FFAE4F61A13h
                push ebx
                call 00007FFAE4F64B76h
                cmp eax, ebx
                je 00007FFAE4F61A09h
                push 00000C00h
                call eax
                mov esi, 004082A0h
                push esi
                call 00007FFAE4F64AF2h
                push esi
                call dword ptr [004080CCh]
                lea esi, dword ptr [esi+eax+01h]
                cmp byte ptr [esi], bl
                jne 00007FFAE4F619EDh
                push 0000000Bh
                call 00007FFAE4F64B4Ah
                push 00000009h
                call 00007FFAE4F64B43h
                push 00000007h
                mov dword ptr [00424724h], eax
                call 00007FFAE4F64B37h
                cmp eax, ebx
                je 00007FFAE4F61A11h
                push 0000001Eh
                call eax
                test eax, eax
                je 00007FFAE4F61A09h
                or byte ptr [0042472Fh], 00000040h
                push ebp
                call dword ptr [00408038h]
                push ebx
                call dword ptr [00408288h]
                mov dword ptr [004247F8h], eax
                push ebx
                lea eax, dword ptr [esp+38h]
                push 00000160h
                push eax
                push ebx
                push 0041FCE8h
                call dword ptr [0040816Ch]
                push 0040A188h

                Rich Headers

                Programming Language:
                • [EXP] VC++ 6.0 SP5 build 8804

                Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8438           0xa0          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x2d000          0x5adc8       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8000           0x29c         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x60d5        0x6200    False     0.663066007653   data       6.4176717642   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x8000           0x1274        0x1400    False     0.4337890625     data       5.06106734837  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xa000           0x1a838       0x600     False     0.436197916667   data       3.99516288039  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata  0x25000          0x8000        0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x2d000          0x5adc8       0x5ae00   False     0.0468051495873  data       2.65056787048  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                Resources

Name           RVA      Size     Type                                                                            Language  Country
RT_ICON        0x2d280  0x42028  data
RT_ICON        0x6f2a8  0x468    GLS_BINARY_LSB_FIRST
RT_ICON        0x6f710  0x25a8   dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON        0x71cb8  0x10a8   dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON        0x72d60  0x10828  dBase III DBT, version number 0, next free block index 40
RT_ICON        0x83588  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_DIALOG      0x877b0  0x100    data                                                                            English   United States
RT_DIALOG      0x878b0  0x11c    data                                                                            English   United States
RT_DIALOG      0x879cc  0x60     data                                                                            English   United States
RT_GROUP_ICON  0x87a2c  0x5a     data
RT_MANIFEST    0x87a88  0x340    XML 1.0 document, ASCII text, with very long lines, with no line terminators   English   United States
The "dBase" and "GLS_BINARY" types on the RT_ICON entries are libmagic guesses applied to raw icon bitmap data, not evidence of embedded database files; the sizes and RVAs are contiguous, as expected for a normal icon group.

                Imports

ADVAPI32.dll: RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll: SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll: IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll: ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll: SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll: SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll: GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, ReadFile, GetTempFileNameA, WriteFile, RemoveDirectoryA, CreateProcessA, CreateFileA, GetLastError, CreateThread, CreateDirectoryA, GlobalUnlock, GetDiskFreeSpaceA, GlobalLock, SetErrorMode, GetVersion, lstrcpynA, GetCommandLineA, GetTempPathA, lstrlenA, SetEnvironmentVariableA, ExitProcess, GetWindowsDirectoryA, GetCurrentProcess, GetModuleFileNameA, CopyFileA, GetTickCount, Sleep, GetFileSize, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

                Possible Origin

Language of compilation system: English
Country where language is spoken: United States

                Network Behavior

                Snort IDS Alerts

Timestamp                 Protocol  SID      Message                             Source Port  Dest Port  Source IP    Dest IP
04/04/21-23:27:49.687678  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49702        7632       192.168.2.3  104.37.1.32
04/04/21-23:27:57.046711  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49703        7632       192.168.2.3  104.37.1.32
04/04/21-23:28:04.129392  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49704        7632       192.168.2.3  104.37.1.32
04/04/21-23:28:11.005289  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49711        7632       192.168.2.3  104.37.1.32
04/04/21-23:28:18.233125  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49723        7632       192.168.2.3  104.37.1.32
04/04/21-23:28:25.281606  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49732        7632       192.168.2.3  104.37.1.32
04/04/21-23:28:32.117036  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49735        7632       192.168.2.3  104.37.1.32
04/04/21-23:28:38.186951  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49737        7632       192.168.2.3  104.37.1.32
04/04/21-23:28:45.080473  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49739        7632       192.168.2.3  104.37.1.32
04/04/21-23:28:52.125456  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49748        7632       192.168.2.3  104.37.1.32
04/04/21-23:28:59.094085  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49749        7632       192.168.2.3  104.37.1.32
04/04/21-23:29:06.375320  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49750        7632       192.168.2.3  104.37.1.32
04/04/21-23:29:13.365705  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49751        7632       192.168.2.3  104.37.1.32
04/04/21-23:29:20.214206  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49752        7632       192.168.2.3  104.37.1.32
04/04/21-23:29:27.426250  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49755        7632       192.168.2.3  104.37.1.32
04/04/21-23:29:34.224301  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49756        7632       192.168.2.3  104.37.1.32
04/04/21-23:29:41.276527  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49757        7632       192.168.2.3  104.37.1.32
04/04/21-23:29:49.469679  TCP       2025019  ET TROJAN Possible NanoCore C2 60B  49758        7632       192.168.2.3  104.37.1.32
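The alert table above is a beacon trace: the same rule (SID 2025019) fires once every seven seconds or so, each time from a fresh source port, against 104.37.1.32:7632. The block below is an added example written for this page, not Joe Sandbox or Emerging Threats code. It parses the 18 rows re-typed in Snort's one-line "fast" alert format (the rule revision "2", the classification text and the priority in those constructed lines are assumptions; the page gives only the SID and message), groups alerts per flow and scores how regular the inter-arrival times are. The five-hit minimum and the 0.25 coefficient-of-variation cut-off are this example's thresholds.

```python
"""Beacon-interval profiling of Snort alerts (added example, not report code)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Snort "fast" alert format, one alert per line:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>[A-Za-z]+)\}\s+(?P<src>[0-9.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[0-9.]+):(?P<dport>\d+)\s*$"
)

# Timestamps and source ports copied from the Snort IDS Alerts table above.
_TIMES = [
    "04/04/21-23:27:49.687678", "04/04/21-23:27:57.046711", "04/04/21-23:28:04.129392",
    "04/04/21-23:28:11.005289", "04/04/21-23:28:18.233125", "04/04/21-23:28:25.281606",
    "04/04/21-23:28:32.117036", "04/04/21-23:28:38.186951", "04/04/21-23:28:45.080473",
    "04/04/21-23:28:52.125456", "04/04/21-23:28:59.094085", "04/04/21-23:29:06.375320",
    "04/04/21-23:29:13.365705", "04/04/21-23:29:20.214206", "04/04/21-23:29:27.426250",
    "04/04/21-23:29:34.224301", "04/04/21-23:29:41.276527", "04/04/21-23:29:49.469679",
]
_SPORTS = [49702, 49703, 49704, 49711, 49723, 49732, 49735, 49737, 49739,
           49748, 49749, 49750, 49751, 49752, 49755, 49756, 49757, 49758]

# Constructed input: the table rows re-typed in fast format.  Rule revision,
# classification and priority are assumptions; the page gives only SID and message.
SAMPLE_ALERTS = [
    f"{ts}  [**] [1:2025019:2] ET TROJAN Possible NanoCore C2 60B [**] "
    f"[Classification: A Network Trojan was detected] [Priority: 1] "
    f"{{TCP}} 192.168.2.3:{sport} -> 104.37.1.32:7632"
    for ts, sport in zip(_TIMES, _SPORTS)
]


def parse_alert(line: str):
    """Parse one fast-format line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["ts"] = datetime.strptime(alert["ts"], "%m/%d/%y-%H:%M:%S.%f")
    for key in ("gid", "sid", "rev", "sport", "dport"):
        alert[key] = int(alert[key])
    return alert


def beacon_profile(lines, min_hits: int = 5, max_cv: float = 0.25) -> list:
    """Group alerts per (src, dst, dport, sid) and score inter-arrival regularity.

    A flow is 'periodic' when it has at least min_hits alerts and the
    coefficient of variation (stdev / mean) of the gaps is at most max_cv.
    Source ports are deliberately left out of the key: a new port per hit
    means a new TCP connection per callback, which is itself reported.
    """
    flows = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            flows[(alert["src"], alert["dst"], alert["dport"], alert["sid"])].append(alert)
    profiles = []
    for (src, dst, dport, sid), hits in flows.items():
        hits.sort(key=lambda h: h["ts"])
        gaps = [(cur["ts"] - prev["ts"]).total_seconds() for prev, cur in zip(hits, hits[1:])]
        mean_gap = statistics.mean(gaps) if gaps else 0.0
        cv = statistics.pstdev(gaps) / mean_gap if len(gaps) > 1 and mean_gap else None
        profiles.append({
            "src": src, "dst": dst, "dport": dport, "sid": sid,
            "msg": hits[0]["msg"],
            "hits": len(hits),
            "distinct_sports": len({h["sport"] for h in hits}),
            "mean_gap": mean_gap,
            "cv": cv,
            "periodic": len(hits) >= min_hits and cv is not None and cv <= max_cv,
        })
    return profiles


if __name__ == "__main__":
    for p in beacon_profile(SAMPLE_ALERTS):
        print(f"{p['src']} -> {p['dst']}:{p['dport']} sid={p['sid']} hits={p['hits']} "
              f"ports={p['distinct_sports']} mean_gap={p['mean_gap']:.2f}s "
              f"cv={p['cv']:.3f} periodic={p['periodic']}")
```

On the report's alerts the mean gap is about 7.0 s with a coefficient of variation near 0.06, and every one of the 18 hits uses a different source port, matching the fresh three-way handshake on port 49702 at the top of the TCP packet list. Implants that add random jitter to their sleep interval push the coefficient of variation up, so the cut-off is a tuning knob, not a fixed property of NanoCore.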

                Network Port Distribution

                TCP Packets

                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Apr 4, 2021 23:27:49.275635958 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:49.640242100 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:49.640615940 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:49.687678099 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:50.065958023 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:50.074054003 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:50.436144114 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:50.436258078 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:50.840785980 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:50.841037989 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.245646954 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.264710903 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.264766932 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.264810085 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.264849901 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.264889002 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.264941931 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.264950037 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.264986038 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.264995098 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.265002012 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.265026093 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.265065908 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.265105009 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.265125990 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.265947104 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.381675959 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.626720905 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.626779079 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.626863956 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.627043962 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.627084970 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.627115011 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.627157927 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.627204895 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.627206087 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.627250910 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.627288103 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.627290964 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.627348900 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.627388954 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.627403975 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.627430916 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.627465963 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.627469063 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.627496958 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.627507925 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.627542019 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.627548933 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.627572060 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.627588987 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.627630949 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.627636909 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.627679110 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.627681017 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.627723932 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.627738953 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.627763987 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.627803087 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.627813101 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.627842903 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.627882004 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.627918959 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.783688068 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.988962889 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.989027977 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.989296913 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.989691973 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.989733934 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.989773989 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.989813089 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.989862919 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.989911079 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.989936113 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.989949942 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.989963055 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.989995003 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.990010977 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.990036964 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.990076065 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.990097046 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.990117073 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.990170002 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.990492105 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.990535021 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.990585089 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.990612984 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.990627050 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.990669012 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.990710020 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.990727901 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.990750074 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.990765095 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.990789890 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.990829945 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.990869999 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.990879059 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.990920067 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3
                Apr 4, 2021 23:27:51.990942955 CEST | 49702 | 7632 | 192.168.2.3 | 104.37.1.32
                Apr 4, 2021 23:27:51.990966082 CEST | 7632 | 49702 | 104.37.1.32 | 192.168.2.3

                UDP Packets

                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Apr 4, 2021 23:27:49.038294077 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:27:49.261029005 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:27:56.445205927 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:27:56.662151098 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:03.542203903 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:03.761682034 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:04.803078890 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:04.849164963 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:06.741105080 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:06.787158012 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:07.734889984 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:07.792582035 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:09.089135885 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:09.135360003 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:10.585750103 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:10.640908003 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:10.745469093 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:10.791532993 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:11.081908941 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:11.136420965 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:12.037904024 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:12.088419914 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:13.710771084 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:13.758236885 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:14.694706917 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:14.743582964 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:15.735630035 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:15.784890890 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:16.674731970 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:16.732192993 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:17.632543087 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:17.693592072 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:17.743386030 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:17.801120996 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:18.257747889 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:18.306502104 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:19.872931957 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:19.919162989 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:20.815366030 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:20.872797966 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:21.869697094 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:21.926772118 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:22.839046955 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:22.886606932 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:23.839943886 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:23.888782024 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:24.532970905 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:24.589590073 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:24.676455021 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:24.771375895 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:24.817553043 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:24.894534111 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:25.706242085 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:25.752409935 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:27.192620039 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:27.238601923 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:31.679709911 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:31.734234095 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:32.639250040 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:32.697376966 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:37.741369963 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:37.795965910 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:39.832514048 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:39.901659012 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:44.654107094 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:44.702361107 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:46.461860895 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:46.511311054 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:49.176647902 CEST | 61946 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:49.232676029 CEST | 53 | 61946 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:51.660936117 CEST | 64910 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:51.716820002 CEST | 53 | 64910 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:28:58.669763088 CEST | 52123 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:28:58.726671934 CEST | 53 | 52123 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:29:05.785725117 CEST | 56130 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:29:06.010046005 CEST | 53 | 56130 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:29:12.945137978 CEST | 56338 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:29:12.999483109 CEST | 53 | 56338 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:29:19.796566010 CEST | 59420 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:29:19.851269960 CEST | 53 | 59420 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:29:21.402164936 CEST | 58784 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:29:21.452594042 CEST | 53 | 58784 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:29:23.096050024 CEST | 63978 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:29:23.159303904 CEST | 53 | 63978 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:29:26.843811989 CEST | 62938 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:29:27.060240030 CEST | 53 | 62938 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:29:33.802197933 CEST | 55708 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:29:33.857985020 CEST | 53 | 55708 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:29:40.857156992 CEST | 56803 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:29:40.911663055 CEST | 53 | 56803 | 8.8.8.8 | 192.168.2.3
                Apr 4, 2021 23:29:49.050914049 CEST | 57145 | 53 | 192.168.2.3 | 8.8.8.8
                Apr 4, 2021 23:29:49.105664015 CEST | 53 | 57145 | 8.8.8.8 | 192.168.2.3

                DNS Queries

                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                Apr 4, 2021 23:27:49.038294077 CEST | 192.168.2.3 | 8.8.8.8 | 0xb115 | Standard query (0) | justinalwhitedd554.duckdns.org | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:27:56.445205927 CEST | 192.168.2.3 | 8.8.8.8 | 0x1578 | Standard query (0) | justinalwhitedd554.duckdns.org | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:28:03.542203903 CEST | 192.168.2.3 | 8.8.8.8 | 0x7c8b | Standard query (0) | justinalwhitedd554.duckdns.org | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:28:10.585750103 CEST | 192.168.2.3 | 8.8.8.8 | 0x50b7 | Standard query (0) | justinalwhitedd554.duckdns.org | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:28:17.743386030 CEST | 192.168.2.3 | 8.8.8.8 | 0x5bbc | Standard query (0) | justinalwhitedd554.duckdns.org | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:28:24.676455021 CEST | 192.168.2.3 | 8.8.8.8 | 0x4f37 | Standard query (0) | justinalwhitedd554.duckdns.org | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:28:31.679709911 CEST | 192.168.2.3 | 8.8.8.8 | 0x6998 | Standard query (0) | justinalwhitedd554.duckdns.org | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:28:37.741369963 CEST | 192.168.2.3 | 8.8.8.8 | 0x525b | Standard query (0) | justinalwhitedd554.duckdns.org | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:28:44.654107094 CEST | 192.168.2.3 | 8.8.8.8 | 0xdf66 | Standard query (0) | justinalwhitedd554.duckdns.org | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:28:51.660936117 CEST | 192.168.2.3 | 8.8.8.8 | 0x8bef | Standard query (0) | justinalwhitedd554.duckdns.org | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:28:58.669763088 CEST | 192.168.2.3 | 8.8.8.8 | 0x16fc | Standard query (0) | justinalwhitedd554.duckdns.org | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:29:05.785725117 CEST | 192.168.2.3 | 8.8.8.8 | 0x34b5 | Standard query (0) | justinalwhitedd554.duckdns.org | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:29:12.945137978 CEST | 192.168.2.3 | 8.8.8.8 | 0x3293 | Standard query (0) | justinalwhitedd554.duckdns.org | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:29:19.796566010 CEST | 192.168.2.3 | 8.8.8.8 | 0x2acf | Standard query (0) | justinalwhitedd554.duckdns.org | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:29:26.843811989 CEST | 192.168.2.3 | 8.8.8.8 | 0x162d | Standard query (0) | justinalwhitedd554.duckdns.org | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:29:33.802197933 CEST | 192.168.2.3 | 8.8.8.8 | 0xd4cf | Standard query (0) | justinalwhitedd554.duckdns.org | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:29:40.857156992 CEST | 192.168.2.3 | 8.8.8.8 | 0xc41e | Standard query (0) | justinalwhitedd554.duckdns.org | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:29:49.050914049 CEST | 192.168.2.3 | 8.8.8.8 | 0x4242 | Standard query (0) | justinalwhitedd554.duckdns.org | A (IP address) | IN (0x0001)

                DNS Answers

                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                Apr 4, 2021 23:27:49.261029005 CEST | 8.8.8.8 | 192.168.2.3 | 0xb115 | No error (0) | justinalwhitedd554.duckdns.org |  | 104.37.1.32 | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:27:56.662151098 CEST | 8.8.8.8 | 192.168.2.3 | 0x1578 | No error (0) | justinalwhitedd554.duckdns.org |  | 104.37.1.32 | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:28:03.761682034 CEST | 8.8.8.8 | 192.168.2.3 | 0x7c8b | No error (0) | justinalwhitedd554.duckdns.org |  | 104.37.1.32 | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:28:10.640908003 CEST | 8.8.8.8 | 192.168.2.3 | 0x50b7 | No error (0) | justinalwhitedd554.duckdns.org |  | 104.37.1.32 | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:28:17.801120996 CEST | 8.8.8.8 | 192.168.2.3 | 0x5bbc | No error (0) | justinalwhitedd554.duckdns.org |  | 104.37.1.32 | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:28:24.894534111 CEST | 8.8.8.8 | 192.168.2.3 | 0x4f37 | No error (0) | justinalwhitedd554.duckdns.org |  | 104.37.1.32 | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:28:31.734234095 CEST | 8.8.8.8 | 192.168.2.3 | 0x6998 | No error (0) | justinalwhitedd554.duckdns.org |  | 104.37.1.32 | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:28:37.795965910 CEST | 8.8.8.8 | 192.168.2.3 | 0x525b | No error (0) | justinalwhitedd554.duckdns.org |  | 104.37.1.32 | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:28:44.702361107 CEST | 8.8.8.8 | 192.168.2.3 | 0xdf66 | No error (0) | justinalwhitedd554.duckdns.org |  | 104.37.1.32 | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:28:51.716820002 CEST | 8.8.8.8 | 192.168.2.3 | 0x8bef | No error (0) | justinalwhitedd554.duckdns.org |  | 104.37.1.32 | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:28:58.726671934 CEST | 8.8.8.8 | 192.168.2.3 | 0x16fc | No error (0) | justinalwhitedd554.duckdns.org |  | 104.37.1.32 | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:29:06.010046005 CEST | 8.8.8.8 | 192.168.2.3 | 0x34b5 | No error (0) | justinalwhitedd554.duckdns.org |  | 104.37.1.32 | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:29:12.999483109 CEST | 8.8.8.8 | 192.168.2.3 | 0x3293 | No error (0) | justinalwhitedd554.duckdns.org |  | 104.37.1.32 | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:29:19.851269960 CEST | 8.8.8.8 | 192.168.2.3 | 0x2acf | No error (0) | justinalwhitedd554.duckdns.org |  | 104.37.1.32 | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:29:27.060240030 CEST | 8.8.8.8 | 192.168.2.3 | 0x162d | No error (0) | justinalwhitedd554.duckdns.org |  | 104.37.1.32 | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:29:33.857985020 CEST | 8.8.8.8 | 192.168.2.3 | 0xd4cf | No error (0) | justinalwhitedd554.duckdns.org |  | 104.37.1.32 | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:29:40.911663055 CEST | 8.8.8.8 | 192.168.2.3 | 0xc41e | No error (0) | justinalwhitedd554.duckdns.org |  | 104.37.1.32 | A (IP address) | IN (0x0001)
                Apr 4, 2021 23:29:49.105664015 CEST | 8.8.8.8 | 192.168.2.3 | 0x4242 | No error (0) | justinalwhitedd554.duckdns.org |  | 104.37.1.32 | A (IP address) | IN (0x0001)

                Code Manipulations

                Statistics

                Behavior

                System Behavior

                General

                Start time:23:27:43
                Start date:04/04/2021
                Path:C:\Users\user\Desktop\SviRsoKz6E.exe
                Wow64 process (32bit):true
                Commandline:'C:\Users\user\Desktop\SviRsoKz6E.exe'
                Imagebase:0x400000
                File size:700444 bytes
                MD5 hash:5D59200D61BA34E07E26132F5ACD9619
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.201495847.00000000033A0000.00000004.00000001.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.201495847.00000000033A0000.00000004.00000001.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.201495847.00000000033A0000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.201495847.00000000033A0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                Reputation:low

                General

                Start time:23:27:44
                Start date:04/04/2021
                Path:C:\Users\user\Desktop\SviRsoKz6E.exe
                Wow64 process (32bit):true
                Commandline:'C:\Users\user\Desktop\SviRsoKz6E.exe'
                Imagebase:0x400000
                File size:700444 bytes
                MD5 hash:5D59200D61BA34E07E26132F5ACD9619
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000001.198223506.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000001.198223506.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000002.00000001.198223506.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.465661471.0000000004940000.00000004.00000001.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.465661471.0000000004940000.00000004.00000001.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.465661471.0000000004940000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.465661471.0000000004940000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.465992786.0000000004F72000.00000040.00000001.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.465992786.0000000004F72000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.465992786.0000000004F72000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.461711945.0000000002461000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.466831873.00000000056A0000.00000004.00000001.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.466831873.00000000056A0000.00000004.00000001.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.466862235.00000000056B0000.00000004.00000001.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.466862235.00000000056B0000.00000004.00000001.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.466862235.00000000056B0000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.460275613.000000000064A000.00000004.00000020.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.460275613.000000000064A000.00000004.00000020.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.460275613.000000000064A000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000002.00000002.459577759.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000002.00000002.459577759.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.459577759.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: NanoCore, Description: unknown, Source: 00000002.00000002.459577759.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000002.00000002.463943126.00000000034F3000.00000004.00000001.sdmp, Author: Joe Security
                Reputation:low

                Disassembly

                Code Analysis
