Play interactive tour

Edit tour

Analysis Report PO_6620200947535257662_Arabico.PDF.exe

Overview

General Information

Sample Name:	PO_6620200947535257662_Arabico.PDF.exe
Analysis ID:	382596
MD5:	b737570f9e9a1bdd794f78e3906e61b9
SHA1:	0dd10acab603b2f1269d05534902b09d38e31ac5
SHA256:	0a3a85fd6964b0cf1b61e41cc7c117ada4c8607a0107ad4921dafa69933ef0ac
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Yara detected Nanocore RAT

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Creates an undocumented autostart registry key

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Binary contains a suspicious time stamp

Contains capabilities to detect virtual machines

Contains functionality to launch a process as a different user

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Yara signature match

Classification

Startup

System is w10x64

PO_6620200947535257662_Arabico.PDF.exe (PID: 6408 cmdline: 'C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe' MD5: B737570F9E9A1BDD794F78E3906E61B9)

cmd.exe (PID: 6780 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\gvvccsccefghhsnd.exe,' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

reg.exe (PID: 6816 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' /f /v 'Shell' /t REG_SZ /d 'explorer.exe,C:\Users\user\gvvccsccefghhsnd.exe,' MD5: CEE2A7E57DF2A159A065A34913A055C2)

gvvccsccefghhsnd.exe (PID: 6824 cmdline: 'C:\Users\user\gvvccsccefghhsnd.exe' MD5: B737570F9E9A1BDD794F78E3906E61B9)

InstallUtil.exe (PID: 5596 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "883c2226-d991-4f34-8646-4dd2732a", "Group": "", "Domain1": "185.157.161.86", "Domain2": "nanopc.linkpc.net", "Port": 50005, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1111f:$x1: NanoCore.ClientPluginHost 0x56f65:$x1: NanoCore.ClientPluginHost 0x1115c:$x2: IClientNetworkHost 0x56fa2:$x2: IClientNetworkHost 0x14c8f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5aad5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x10e87:$a: NanoCore 0x10e97:$a: NanoCore 0x110cb:$a: NanoCore 0x110df:$a: NanoCore 0x1111f:$a: NanoCore 0x56ccd:$a: NanoCore 0x56cdd:$a: NanoCore 0x56f11:$a: NanoCore 0x56f25:$a: NanoCore 0x56f65:$a: NanoCore 0x10ee6:$b: ClientPlugin 0x110e8:$b: ClientPlugin 0x11128:$b: ClientPlugin 0x56d2c:$b: ClientPlugin 0x56f2e:$b: ClientPlugin 0x56f6e:$b: ClientPlugin 0x1100d:$c: ProjectData 0x44cfe:$c: ProjectData 0x56e53:$c: ProjectData 0x11a14:$d: DESCrypto 0x5785a:$d: DESCrypto
0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x42f2d:$a: NanoCore 0x42f86:$a: NanoCore 0x42fc3:$a: NanoCore 0x4303c:$a: NanoCore 0x566e7:$a: NanoCore 0x566fc:$a: NanoCore 0x56731:$a: NanoCore 0x6f1b3:$a: NanoCore 0x6f1c8:$a: NanoCore 0x6f1fd:$a: NanoCore 0x42f8f:$b: ClientPlugin 0x42fcc:$b: ClientPlugin 0x438ca:$b: ClientPlugin 0x438d7:$b: ClientPlugin 0x564a3:$b: ClientPlugin 0x564be:$b: ClientPlugin 0x564ee:$b: ClientPlugin 0x56705:$b: ClientPlugin 0x5673a:$b: ClientPlugin 0x6ef6f:$b: ClientPlugin 0x6ef8a:$b: ClientPlugin
0000001C.00000002.610481587.0000000005780000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
0000001C.00000002.610481587.0000000005780000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000013.00000002.611698378.0000000003738000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x31ebd:$x1: NanoCore.ClientPluginHost 0x31efa:$x2: IClientNetworkHost 0x35a2d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000002.611698378.0000000003738000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.611698378.0000000003738000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x31c25:$a: NanoCore 0x31c35:$a: NanoCore 0x31e69:$a: NanoCore 0x31e7d:$a: NanoCore 0x31ebd:$a: NanoCore 0x31c84:$b: ClientPlugin 0x31e86:$b: ClientPlugin 0x31ec6:$b: ClientPlugin 0x1c776:$c: ProjectData 0x31dab:$c: ProjectData 0x327b2:$d: DESCrypto 0x3a17e:$e: KeepAlive 0x3816c:$g: LogClientMessage 0x34367:$i: get_Connected 0x32ae8:$j: #=q 0x32b18:$j: #=q 0x32b34:$j: #=q 0x32b64:$j: #=q 0x32b80:$j: #=q 0x32b9c:$j: #=q 0x32bcc:$j: #=q
00000000.00000002.466854129.00000000037EA000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x56247:$x1: NanoCore.ClientPluginHost 0x9c0a7:$x1: NanoCore.ClientPluginHost 0xe1ef7:$x1: NanoCore.ClientPluginHost 0x56284:$x2: IClientNetworkHost 0x9c0e4:$x2: IClientNetworkHost 0xe1f34:$x2: IClientNetworkHost 0x59db7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x9fc17:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe5a67:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.466854129.00000000037EA000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.466854129.00000000037EA000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x55faf:$a: NanoCore 0x55fbf:$a: NanoCore 0x561f3:$a: NanoCore 0x56207:$a: NanoCore 0x56247:$a: NanoCore 0x9be0f:$a: NanoCore 0x9be1f:$a: NanoCore 0x9c053:$a: NanoCore 0x9c067:$a: NanoCore 0x9c0a7:$a: NanoCore 0xe1c5f:$a: NanoCore 0xe1c6f:$a: NanoCore 0xe1ea3:$a: NanoCore 0xe1eb7:$a: NanoCore 0xe1ef7:$a: NanoCore 0x5600e:$b: ClientPlugin 0x56210:$b: ClientPlugin 0x56250:$b: ClientPlugin 0x9be6e:$b: ClientPlugin 0x9c070:$b: ClientPlugin 0x9c0b0:$b: ClientPlugin
00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x10b77:$x1: NanoCore.ClientPluginHost 0x569bd:$x1: NanoCore.ClientPluginHost 0x10bb4:$x2: IClientNetworkHost 0x569fa:$x2: IClientNetworkHost 0x146e7:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x5a52d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x108df:$a: NanoCore 0x108ef:$a: NanoCore 0x10b23:$a: NanoCore 0x10b37:$a: NanoCore 0x10b77:$a: NanoCore 0x56725:$a: NanoCore 0x56735:$a: NanoCore 0x56969:$a: NanoCore 0x5697d:$a: NanoCore 0x569bd:$a: NanoCore 0x1093e:$b: ClientPlugin 0x10b40:$b: ClientPlugin 0x10b80:$b: ClientPlugin 0x56784:$b: ClientPlugin 0x56986:$b: ClientPlugin 0x569c6:$b: ClientPlugin 0x10a65:$c: ProjectData 0x44756:$c: ProjectData 0x568ab:$c: ProjectData 0x1146c:$d: DESCrypto 0x572b2:$d: DESCrypto
00000013.00000002.611940927.0000000003856000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x567ef:$x1: NanoCore.ClientPluginHost 0x9c64f:$x1: NanoCore.ClientPluginHost 0xe249f:$x1: NanoCore.ClientPluginHost 0x5682c:$x2: IClientNetworkHost 0x9c68c:$x2: IClientNetworkHost 0xe24dc:$x2: IClientNetworkHost 0x5a35f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa01bf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xe600f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000013.00000002.611940927.0000000003856000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000013.00000002.611940927.0000000003856000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x56557:$a: NanoCore 0x56567:$a: NanoCore 0x5679b:$a: NanoCore 0x567af:$a: NanoCore 0x567ef:$a: NanoCore 0x9c3b7:$a: NanoCore 0x9c3c7:$a: NanoCore 0x9c5fb:$a: NanoCore 0x9c60f:$a: NanoCore 0x9c64f:$a: NanoCore 0xe2207:$a: NanoCore 0xe2217:$a: NanoCore 0xe244b:$a: NanoCore 0xe245f:$a: NanoCore 0xe249f:$a: NanoCore 0x565b6:$b: ClientPlugin 0x567b8:$b: ClientPlugin 0x567f8:$b: ClientPlugin 0x9c416:$b: ClientPlugin 0x9c618:$b: ClientPlugin 0x9c658:$b: ClientPlugin
Process Memory Space: PO_6620200947535257662_Arabico.PDF.exe PID: 6408	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x19d503:$x1: NanoCore.ClientPluginHost 0x1c0678:$x1: NanoCore.ClientPluginHost 0x1f1de7:$x1: NanoCore.ClientPluginHost 0x214f74:$x1: NanoCore.ClientPluginHost 0x238101:$x1: NanoCore.ClientPluginHost 0x19d564:$x2: IClientNetworkHost 0x1c06d9:$x2: IClientNetworkHost 0x1f1e48:$x2: IClientNetworkHost 0x214fd5:$x2: IClientNetworkHost 0x238162:$x2: IClientNetworkHost 0x1a2969:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1b08db:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1c5ade:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1d3a50:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1f724d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2051bf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x21a3da:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x22834c:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x23d567:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x24b4d9:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: PO_6620200947535257662_Arabico.PDF.exe PID: 6408	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: PO_6620200947535257662_Arabico.PDF.exe PID: 6408	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x19d008:$a: NanoCore 0x19d024:$a: NanoCore 0x19d17f:$a: NanoCore 0x19d18e:$a: NanoCore 0x19d467:$a: NanoCore 0x19d493:$a: NanoCore 0x19d503:$a: NanoCore 0x1acf45:$a: NanoCore 0x1acf57:$a: NanoCore 0x1acf93:$a: NanoCore 0x1c017d:$a: NanoCore 0x1c0199:$a: NanoCore 0x1c02f4:$a: NanoCore 0x1c0303:$a: NanoCore 0x1c05dc:$a: NanoCore 0x1c0608:$a: NanoCore 0x1c0678:$a: NanoCore 0x1d00ba:$a: NanoCore 0x1d00cc:$a: NanoCore 0x1d0108:$a: NanoCore 0x1f18ec:$a: NanoCore
Process Memory Space: gvvccsccefghhsnd.exe PID: 6824	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6c097:$x1: NanoCore.ClientPluginHost 0x8f20c:$x1: NanoCore.ClientPluginHost 0x1cdd83:$x1: NanoCore.ClientPluginHost 0x3c906d:$x1: NanoCore.ClientPluginHost 0x3ec1fa:$x1: NanoCore.ClientPluginHost 0x40f387:$x1: NanoCore.ClientPluginHost 0x6c0f8:$x2: IClientNetworkHost 0x8f26d:$x2: IClientNetworkHost 0x1cdde4:$x2: IClientNetworkHost 0x3c90ce:$x2: IClientNetworkHost 0x3ec25b:$x2: IClientNetworkHost 0x40f3e8:$x2: IClientNetworkHost 0x714fd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7f46f:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x94672:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xa25e4:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1d31e9:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1e115b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3ce4d3:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3dc445:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3f1660:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: gvvccsccefghhsnd.exe PID: 6824	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: gvvccsccefghhsnd.exe PID: 6824	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6bb9c:$a: NanoCore 0x6bbb8:$a: NanoCore 0x6bd13:$a: NanoCore 0x6bd22:$a: NanoCore 0x6bffb:$a: NanoCore 0x6c027:$a: NanoCore 0x6c097:$a: NanoCore 0x7bad9:$a: NanoCore 0x7baeb:$a: NanoCore 0x7bb27:$a: NanoCore 0x8ed11:$a: NanoCore 0x8ed2d:$a: NanoCore 0x8ee88:$a: NanoCore 0x8ee97:$a: NanoCore 0x8f170:$a: NanoCore 0x8f19c:$a: NanoCore 0x8f20c:$a: NanoCore 0x9ec4e:$a: NanoCore 0x9ec60:$a: NanoCore 0x9ec9c:$a: NanoCore 0x1cd888:$a: NanoCore
Process Memory Space: InstallUtil.exe PID: 5596	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x27435:$x1: NanoCore.ClientPluginHost 0x50ca3:$x1: NanoCore.ClientPluginHost 0x56862:$x1: NanoCore.ClientPluginHost 0x676f1:$x1: NanoCore.ClientPluginHost 0xa0b5a:$x1: NanoCore.ClientPluginHost 0x27496:$x2: IClientNetworkHost 0x50cc9:$x2: IClientNetworkHost 0x568a7:$x2: IClientNetworkHost 0x67736:$x2: IClientNetworkHost 0xa0b80:$x2: IClientNetworkHost 0x2c89b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x3a80d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: InstallUtil.exe PID: 5596	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: InstallUtil.exe PID: 5596	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4742:$a: NanoCore 0x47a9:$a: NanoCore 0x484f:$a: NanoCore 0x26f3a:$a: NanoCore 0x26f56:$a: NanoCore 0x270b1:$a: NanoCore 0x270c0:$a: NanoCore 0x27399:$a: NanoCore 0x273c5:$a: NanoCore 0x27435:$a: NanoCore 0x36e77:$a: NanoCore 0x36e89:$a: NanoCore 0x36ec5:$a: NanoCore 0x50b95:$a: NanoCore 0x50c36:$a: NanoCore 0x50ca3:$a: NanoCore 0x50d64:$a: NanoCore 0x51c35:$a: NanoCore 0x51c88:$a: NanoCore 0x51cc1:$a: NanoCore 0x51d34:$a: NanoCore
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
19.2.gvvccsccefghhsnd.exe.3739510.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x309ad:$x1: NanoCore.ClientPluginHost 0x309ea:$x2: IClientNetworkHost 0x3451d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.gvvccsccefghhsnd.exe.3739510.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x30725:$x1: NanoCore Client.exe 0x309ad:$x2: NanoCore.ClientPluginHost 0x31fe6:$s1: PluginCommand 0x31fda:$s2: FileCommand 0x32e8b:$s3: PipeExists 0x38c42:$s4: PipeCreated 0x309d7:$s5: IClientLoggingHost
19.2.gvvccsccefghhsnd.exe.3739510.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.gvvccsccefghhsnd.exe.3739510.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x30715:$a: NanoCore 0x30725:$a: NanoCore 0x30959:$a: NanoCore 0x3096d:$a: NanoCore 0x309ad:$a: NanoCore 0x30774:$b: ClientPlugin 0x30976:$b: ClientPlugin 0x309b6:$b: ClientPlugin 0x1b266:$c: ProjectData 0x3089b:$c: ProjectData 0x312a2:$d: DESCrypto 0x38c6e:$e: KeepAlive 0x36c5c:$g: LogClientMessage 0x32e57:$i: get_Connected 0x315d8:$j: #=q 0x31608:$j: #=q 0x31624:$j: #=q 0x31654:$j: #=q 0x31670:$j: #=q 0x3168c:$j: #=q 0x316bc:$j: #=q
0.2.PO_6620200947535257662_Arabico.PDF.exe.397a5ca.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x233f3:$x1: NanoCore.ClientPluginHost 0x23430:$x2: IClientNetworkHost 0x26f63:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.PO_6620200947535257662_Arabico.PDF.exe.397a5ca.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2316b:$x1: NanoCore Client.exe 0x233f3:$x2: NanoCore.ClientPluginHost 0x24a2c:$s1: PluginCommand 0x24a20:$s2: FileCommand 0x258d1:$s3: PipeExists 0x2b688:$s4: PipeCreated 0x2341d:$s5: IClientLoggingHost
0.2.PO_6620200947535257662_Arabico.PDF.exe.397a5ca.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.PO_6620200947535257662_Arabico.PDF.exe.397a5ca.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2315b:$a: NanoCore 0x2316b:$a: NanoCore 0x2339f:$a: NanoCore 0x233b3:$a: NanoCore 0x233f3:$a: NanoCore 0x231ba:$b: ClientPlugin 0x233bc:$b: ClientPlugin 0x233fc:$b: ClientPlugin 0x1118c:$c: ProjectData 0x232e1:$c: ProjectData 0x23ce8:$d: DESCrypto 0x2b6b4:$e: KeepAlive 0x296a2:$g: LogClientMessage 0x2589d:$i: get_Connected 0x2401e:$j: #=q 0x2404e:$j: #=q 0x2406a:$j: #=q 0x2409a:$j: #=q 0x240b6:$j: #=q 0x240d2:$j: #=q 0x24102:$j: #=q
28.2.InstallUtil.exe.41bb14e.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0af:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0dc:$x2: IClientNetworkHost
28.2.InstallUtil.exe.41bb14e.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0af:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e18a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0c9:$s5: IClientLoggingHost
28.2.InstallUtil.exe.41bb14e.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
28.2.InstallUtil.exe.41bb14e.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d065:$a: NanoCore 0x2d07a:$a: NanoCore 0x2d0af:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce21:$b: ClientPlugin 0x2ce3c:$b: ClientPlugin
28.2.InstallUtil.exe.41bff84.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
28.2.InstallUtil.exe.41bff84.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
28.2.InstallUtil.exe.41bff84.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
28.2.InstallUtil.exe.5970000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
28.2.InstallUtil.exe.5970000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
28.2.InstallUtil.exe.5970000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.gvvccsccefghhsnd.exe.38e24c2.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x55fdd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x5601a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x59b4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.gvvccsccefghhsnd.exe.38e24c2.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x55d55:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x55fdd:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x57616:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x5760a:$s2: FileCommand 0x1266b:$s3: PipeExists 0x584bb:$s3: PipeExists 0x18422:$s4: PipeCreated 0x5e272:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x56007:$s5: IClientLoggingHost
19.2.gvvccsccefghhsnd.exe.38e24c2.6.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.gvvccsccefghhsnd.exe.38e24c2.6.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x55d45:$a: NanoCore 0x55d55:$a: NanoCore 0x55f89:$a: NanoCore 0x55f9d:$a: NanoCore 0x55fdd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x55da4:$b: ClientPlugin 0x55fa6:$b: ClientPlugin 0x55fe6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x43d6c:$c: ProjectData 0x55ecb:$c: ProjectData 0x89bbc:$c: ProjectData 0x10a82:$d: DESCrypto
19.2.gvvccsccefghhsnd.exe.39f9dd8.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.gvvccsccefghhsnd.exe.39f9dd8.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
19.2.gvvccsccefghhsnd.exe.39f9dd8.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.gvvccsccefghhsnd.exe.39f9dd8.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
19.2.gvvccsccefghhsnd.exe.38cf242.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2340d:$x1: NanoCore.ClientPluginHost 0x6925d:$x1: NanoCore.ClientPluginHost 0x2344a:$x2: IClientNetworkHost 0x6929a:$x2: IClientNetworkHost 0x26f7d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6cdcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.gvvccsccefghhsnd.exe.38cf242.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.gvvccsccefghhsnd.exe.38cf242.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23175:$a: NanoCore 0x23185:$a: NanoCore 0x233b9:$a: NanoCore 0x233cd:$a: NanoCore 0x2340d:$a: NanoCore 0x68fc5:$a: NanoCore 0x68fd5:$a: NanoCore 0x69209:$a: NanoCore 0x6921d:$a: NanoCore 0x6925d:$a: NanoCore 0x231d4:$b: ClientPlugin 0x233d6:$b: ClientPlugin 0x23416:$b: ClientPlugin 0x69024:$b: ClientPlugin 0x69226:$b: ClientPlugin 0x69266:$b: ClientPlugin 0x1118c:$c: ProjectData 0x232fb:$c: ProjectData 0x56fec:$c: ProjectData 0x6914b:$c: ProjectData 0x9ce3c:$c: ProjectData
0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
28.2.InstallUtil.exe.41c45ad.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c50:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c7d:$x2: IClientNetworkHost
28.2.InstallUtil.exe.41c45ad.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c50:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d2b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c6a:$s5: IClientLoggingHost
28.2.InstallUtil.exe.41c45ad.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x55fed:$x1: NanoCore.ClientPluginHost 0x9be3d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x5602a:$x2: IClientNetworkHost 0x9be7a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x59b5d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x9f9ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x55d55:$a: NanoCore 0x55d65:$a: NanoCore 0x55f99:$a: NanoCore 0x55fad:$a: NanoCore 0x55fed:$a: NanoCore 0x9bba5:$a: NanoCore 0x9bbb5:$a: NanoCore 0x9bde9:$a: NanoCore 0x9bdfd:$a: NanoCore 0x9be3d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x55db4:$b: ClientPlugin 0x55fb6:$b: ClientPlugin 0x55ff6:$b: ClientPlugin
28.2.InstallUtil.exe.5970000.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
28.2.InstallUtil.exe.5970000.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
28.2.InstallUtil.exe.5970000.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
28.2.InstallUtil.exe.41bff84.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28279:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282a6:$x2: IClientNetworkHost
28.2.InstallUtil.exe.41bff84.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28279:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29354:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28293:$s5: IClientLoggingHost
28.2.InstallUtil.exe.41bff84.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.gvvccsccefghhsnd.exe.389c662.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.gvvccsccefghhsnd.exe.389c662.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
19.2.gvvccsccefghhsnd.exe.389c662.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.gvvccsccefghhsnd.exe.389c662.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x55fdd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x5601a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x59b4d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x55d55:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x55fdd:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x57616:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x5760a:$s2: FileCommand 0x1266b:$s3: PipeExists 0x584bb:$s3: PipeExists 0x18422:$s4: PipeCreated 0x5e272:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x56007:$s5: IClientLoggingHost
0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x55d45:$a: NanoCore 0x55d55:$a: NanoCore 0x55f89:$a: NanoCore 0x55f9d:$a: NanoCore 0x55fdd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x55da4:$b: ClientPlugin 0x55fa6:$b: ClientPlugin 0x55fe6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x43d6c:$c: ProjectData 0x55ecb:$c: ProjectData 0x89bbc:$c: ProjectData 0x10a82:$d: DESCrypto
28.2.InstallUtil.exe.31d9708.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
19.2.gvvccsccefghhsnd.exe.39e6b72.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x233f3:$x1: NanoCore.ClientPluginHost 0x23430:$x2: IClientNetworkHost 0x26f63:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.gvvccsccefghhsnd.exe.39e6b72.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2316b:$x1: NanoCore Client.exe 0x233f3:$x2: NanoCore.ClientPluginHost 0x24a2c:$s1: PluginCommand 0x24a20:$s2: FileCommand 0x258d1:$s3: PipeExists 0x2b688:$s4: PipeCreated 0x2341d:$s5: IClientLoggingHost
19.2.gvvccsccefghhsnd.exe.39e6b72.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.gvvccsccefghhsnd.exe.39e6b72.8.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2315b:$a: NanoCore 0x2316b:$a: NanoCore 0x2339f:$a: NanoCore 0x233b3:$a: NanoCore 0x233f3:$a: NanoCore 0x231ba:$b: ClientPlugin 0x233bc:$b: ClientPlugin 0x233fc:$b: ClientPlugin 0x1118c:$c: ProjectData 0x232e1:$c: ProjectData 0x23ce8:$d: DESCrypto 0x2b6b4:$e: KeepAlive 0x296a2:$g: LogClientMessage 0x2589d:$i: get_Connected 0x2401e:$j: #=q 0x2404e:$j: #=q 0x2406a:$j: #=q 0x2409a:$j: #=q 0x240b6:$j: #=q 0x240d2:$j: #=q 0x24102:$j: #=q
28.2.InstallUtil.exe.5780000.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
28.2.InstallUtil.exe.5780000.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
28.2.InstallUtil.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
28.2.InstallUtil.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
28.2.InstallUtil.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
28.2.InstallUtil.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x55fd3:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x56010:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x59b43:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x55d4b:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x55fd3:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x5760c:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x57600:$s2: FileCommand 0x1266b:$s3: PipeExists 0x584b1:$s3: PipeExists 0x18422:$s4: PipeCreated 0x5e268:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x55ffd:$s5: IClientLoggingHost
0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x55d3b:$a: NanoCore 0x55d4b:$a: NanoCore 0x55f7f:$a: NanoCore 0x55f93:$a: NanoCore 0x55fd3:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x55d9a:$b: ClientPlugin 0x55f9c:$b: ClientPlugin 0x55fdc:$b: ClientPlugin 0x1007b:$c: ProjectData 0x43d6c:$c: ProjectData 0x55ec1:$c: ProjectData 0x10a82:$d: DESCrypto 0x568c8:$d: DESCrypto
19.2.gvvccsccefghhsnd.exe.38e24c2.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.gvvccsccefghhsnd.exe.38e24c2.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
19.2.gvvccsccefghhsnd.exe.38e24c2.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.gvvccsccefghhsnd.exe.38e24c2.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
28.2.InstallUtil.exe.5974629.10.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
28.2.InstallUtil.exe.5974629.10.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
28.2.InstallUtil.exe.5974629.10.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.gvvccsccefghhsnd.exe.39b3f92.9.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x55fd3:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x56010:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x59b43:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.gvvccsccefghhsnd.exe.39b3f92.9.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x55d4b:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x55fd3:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x5760c:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x57600:$s2: FileCommand 0x1266b:$s3: PipeExists 0x584b1:$s3: PipeExists 0x18422:$s4: PipeCreated 0x5e268:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x55ffd:$s5: IClientLoggingHost
19.2.gvvccsccefghhsnd.exe.39b3f92.9.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.gvvccsccefghhsnd.exe.39b3f92.9.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x55d3b:$a: NanoCore 0x55d4b:$a: NanoCore 0x55f7f:$a: NanoCore 0x55f93:$a: NanoCore 0x55fd3:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x55d9a:$b: ClientPlugin 0x55f9c:$b: ClientPlugin 0x55fdc:$b: ClientPlugin 0x1007b:$c: ProjectData 0x43d6c:$c: ProjectData 0x55ec1:$c: ProjectData 0x10a82:$d: DESCrypto 0x568c8:$d: DESCrypto
0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
19.2.gvvccsccefghhsnd.exe.39b3f92.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.gvvccsccefghhsnd.exe.39b3f92.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
19.2.gvvccsccefghhsnd.exe.39b3f92.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.gvvccsccefghhsnd.exe.39b3f92.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
0.2.PO_6620200947535257662_Arabico.PDF.exe.3862c9a.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2340d:$x1: NanoCore.ClientPluginHost 0x6925d:$x1: NanoCore.ClientPluginHost 0x2344a:$x2: IClientNetworkHost 0x6929a:$x2: IClientNetworkHost 0x26f7d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x6cdcd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.PO_6620200947535257662_Arabico.PDF.exe.3862c9a.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.PO_6620200947535257662_Arabico.PDF.exe.3862c9a.5.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x23175:$a: NanoCore 0x23185:$a: NanoCore 0x233b9:$a: NanoCore 0x233cd:$a: NanoCore 0x2340d:$a: NanoCore 0x68fc5:$a: NanoCore 0x68fd5:$a: NanoCore 0x69209:$a: NanoCore 0x6921d:$a: NanoCore 0x6925d:$a: NanoCore 0x231d4:$b: ClientPlugin 0x233d6:$b: ClientPlugin 0x23416:$b: ClientPlugin 0x69024:$b: ClientPlugin 0x69226:$b: ClientPlugin 0x69266:$b: ClientPlugin 0x1118c:$c: ProjectData 0x232fb:$c: ProjectData 0x56fec:$c: ProjectData 0x6914b:$c: ProjectData 0x9ce3c:$c: ProjectData
19.2.gvvccsccefghhsnd.exe.389c662.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x55fed:$x1: NanoCore.ClientPluginHost 0x9be3d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x5602a:$x2: IClientNetworkHost 0x9be7a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x59b5d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x9f9ad:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
19.2.gvvccsccefghhsnd.exe.389c662.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
19.2.gvvccsccefghhsnd.exe.389c662.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x55d55:$a: NanoCore 0x55d65:$a: NanoCore 0x55f99:$a: NanoCore 0x55fad:$a: NanoCore 0x55fed:$a: NanoCore 0x9bba5:$a: NanoCore 0x9bbb5:$a: NanoCore 0x9bde9:$a: NanoCore 0x9bdfd:$a: NanoCore 0x9be3d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x55db4:$b: ClientPlugin 0x55fb6:$b: ClientPlugin 0x55ff6:$b: ClientPlugin
Click to see the 104 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 5596, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "883c2226-d991-4f34-8646-4dd2732a", "Group": "", "Domain1": "185.157.161.86", "Domain2": "nanopc.linkpc.net", "Port": 50005, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\ghfvjjtjhhjghdgghrba.exe	Metadefender: Detection: 13%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\ghfvjjtjhhjghdgghrba.exe	ReversingLabs: Detection: 25%
Source: C:\Users\user\gvvccsccefghhsnd.exe	ReversingLabs: Detection: 20%

Multi AV Scanner detection for submitted file

Show sources

Source: PO_6620200947535257662_Arabico.PDF.exe

ReversingLabs: Detection: 20%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 0000001C.00000002.601546888.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.611212434.0000000005970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.612087588.00000000039B3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.605270680.0000000004179000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.611698378.0000000003738000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.466854129.00000000037EA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.467149528.0000000003947000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.611940927.0000000003856000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO_6620200947535257662_Arabico.PDF.exe PID: 6408, type: MEMORY
Source: Yara match	File source: Process Memory Space: gvvccsccefghhsnd.exe PID: 6824, type: MEMORY
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5596, type: MEMORY
Source: Yara match	File source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.gvvccsccefghhsnd.exe.3739510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.397a5ca.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.InstallUtil.exe.41bb14e.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.InstallUtil.exe.41bff84.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.InstallUtil.exe.5970000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.gvvccsccefghhsnd.exe.39f9dd8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.gvvccsccefghhsnd.exe.38cf242.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.398d830.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.InstallUtil.exe.41c45ad.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.38300ba.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.InstallUtil.exe.5970000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.InstallUtil.exe.41bff84.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.gvvccsccefghhsnd.exe.389c662.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3875f1a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.gvvccsccefghhsnd.exe.39e6b72.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.gvvccsccefghhsnd.exe.38e24c2.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.InstallUtil.exe.5974629.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.39479ea.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.gvvccsccefghhsnd.exe.39b3f92.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO_6620200947535257662_Arabico.PDF.exe.3862c9a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.gvvccsccefghhsnd.exe.389c662.4.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\gvvccsccefghhsnd.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: PO_6620200947535257662_Arabico.PDF.exe

Joe Sandbox ML: detected

Source: 28.2.InstallUtil.exe.5970000.9.unpack	Avira: Label: TR/NanoCore.fadte
Source: 28.2.InstallUtil.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Source: PO_6620200947535257662_Arabico.PDF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: PO_6620200947535257662_Arabico.PDF.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 0000001C.00000002.601725662.0000000000C82000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source:	Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr

Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_04B9B700
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe	Code function: 4x nop then jmp 04B96611h	0_2_04B95D98
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_04B9BDF0
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_04B9BDF0
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_04B9AFF4
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_04B9E0A4
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_04B9B1EC
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe	Code function: 4x nop then jmp 04B96611h	0_2_04B95D8A
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_04B9BDE4
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_04B9BDE4
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe	Code function: 4x nop then xor edx, edx	0_2_04B9BD28
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe	Code function: 4x nop then xor edx, edx	0_2_04B9BD1E
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_04B9BAD0
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_04B9BAD0
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_04B9BAC4
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_04B9BAC4
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_04B9DA74
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_063F4460
Source: C:\Users\user\Desktop\PO_6620200947535257662_Arabico.PDF.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_063F8090
Source: C:\Users\user\gvvccsccefghhsnd.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	19_2_04D5B700
Source: C:\Users\user\gvvccsccefghhsnd.exe	Code function: 4x nop then push dword ptr [ebp-24h]	19_2_04D5BDF0
Source: C:\Users\user\gvvccsccefghhsnd.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	19_2_04D5BDF0
Source: C:\Users\user\gvvccsccefghhsnd.exe	Code function: 4x nop then jmp 04D56611h	19_2_04D55D98
Source: C:\Users\user\gvvccsccefghhsnd.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	19_2_04D5AFF4
Source: C:\Users\user\gvvccsccefghhsnd.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	19_2_04D5E0A4
Source: C:\Users\user\gvvccsccefghhsnd.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	19_2_04D5B1EC
Source: C:\Users\user\gvvccsccefghhsnd.exe	Code function: 4x nop then push dword ptr [ebp-24h]	19_2_04D5BDE4
Source: C:\Users\user\gvvccsccefghhsnd.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	19_2_04D5BDE4
Source: C:\Users\user\gvvccsccefghhsnd.exe	Code function: 4x nop then jmp 04D56611h	19_2_04D55D8A
Source: C:\Users\user\gvvccsccefghhsnd.exe	Code function: 4x nop then xor edx, edx	19_2_04D5BD1E
Source: C:\Users\user\gvvccsccefghhsnd.exe	Code function: 4x nop then xor edx, edx	19_2_04D5BD28
Source: C:\Users\user\gvvccsccefghhsnd.exe	Code function: 4x nop then push dword ptr [ebp-20h]	19_2_04D5BAD0
Source: C:\Users\user\gvvccsccefghhsnd.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	19_2_04D5BAD0
Source: C:\Users\user\gvvccsccefghhsnd.exe	Code function: 4x nop then push dword ptr [ebp-20h]	19_2_04D5BAC4
Source: C:\Users\user\gvvccsccefghhsnd.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	19_2_04D5BAC4
Source: C:\Users\user\gvvccsccefghhsnd.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	19_2_04D5DA74
Source: C:\Users\user\gvvccsccefghhsnd.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	19_2_065D4460
Source: C:\Users\user\g

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PO_6620200947535257662_Arabico.PDF.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities: