Antivirus detection for dropped file
Benign windows process drops PE files
Detected Nanocore Rat
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
VBScript performs obfuscated calls to suspicious functions
Yara detected AsyncRAT
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code contains very large strings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Potential malicious VBS script found (has network functionality)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match